Updates
A compilation of the latest information about viruses and worms, security issues and patches to rectify the same.
Trend Micro reports WORM_SEMAIL.B
WORM_SEMAIL.B is a worm that arrives on a system as an attachment
to an e-mail message. This worm propagates by sending copies of itself as mail
attachments using its own Simple Mail Transfer Protocol (SMTP) engine. It gathers
target addresses from the Windows Address Book. Using its own SMTP engine allows
this worm to send out copies of itself without the use of mailing applications
such as Microsoft Outlook.
Upon execution, it creates certain folders within Windows and Windows system
folders. It then drops a copy of itself in one of these folders using the file
name FOTO-MIE.EXE. It also drops files, one of which is also detected by Trend
Micro as WORM_SEMAIL.B, in another folder that it creates. It modifies the system
registry so that it is automatically executed every time the system starts up.
WORM_REALOR.A
TROJ_YABE.AI
WORM_SEMAIL.B
WORM_SOHANAD.AE
WORM_NETSKY.CA
TROJ_HORST.GN
TROJ_HORST.GL
TROJ_HORST.GM
TROJ_HORST.CK
TROJ_HORST.GF
(Source: Trend Micro. Period: Nov. 10 to 16)
McAfee reports W32/Realor.worm
W32/Realor.worm scans the infected machine for existing RealMedia (*.rmvb)
files and inserts a malicious external hyperlink. When these *.rmvb files are
viewed, the user's media player may load an external Web page containing
an exploit using the pre-configured Web browser. A command-line utility (that
is part of the Real Helix Producer software) is dropped and used by W32/Realor.worm
for inserting a RealMedia event in *.rmvb files.
At the time of writing, these modified *.rmvb files open
a Web page hosted on krv(hidden).com, and this Web site was hosting a variant
of Exploit-MS06-014 which can install a copy of W32/Lewor.a on systems vulnerable
to this exploit. To the user, this site may just be displaying a harmless error
message, but it is silently loading the exploit in a hidden IFRAME object.
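A defender-side check for the behaviour described above, added here as an example and not taken from McAfee or from this page: it walks the top-level chunks of a RealMedia container and reports every embedded URL whose host is not on an allowlist, so modified *.rmvb files can be triaged before they are opened. The chunk layout (4-byte id, 4-byte big-endian size that includes the header, 2-byte version) and the sample file bytes are assumptions constructed for the example.

```python
import re
import struct

# Constructed sample of a RealMedia container with a chunk carrying an
# embedded hyperlink (an assumption for this example, not a real infected file).
# Assumed chunk layout: 4-byte id, 4-byte big-endian size including the
# 10-byte header, 2-byte version, then the payload.
def _chunk(cid: bytes, payload: bytes) -> bytes:
    return cid + struct.pack(">IH", 10 + len(payload), 0) + payload

SAMPLE_RMF = (
    _chunk(b".RMF", struct.pack(">II", 0, 2))
    + _chunk(b"PROP", b"\x00" * 40)
    + _chunk(b"CONT", b"\x00\x05title\x00\x00http://hidden-site.example/loader.html\x00")
)

# Hosts of http/https/rtsp URLs embedded anywhere in a chunk payload.
URL_RE = re.compile(rb"(?:https?|rtsp)://([A-Za-z0-9.-]+)")

def walk_chunks(data: bytes):
    """Yield (chunk_id, payload) for each top-level chunk of a RealMedia file."""
    if not data.startswith(b".RMF"):
        raise ValueError("not a RealMedia container")
    pos = 0
    while pos + 10 <= len(data):
        cid = data[pos:pos + 4]
        size, _version = struct.unpack(">IH", data[pos + 4:pos + 10])
        if size < 10 or pos + size > len(data):
            break  # truncated or malformed chunk: stop rather than over-read
        yield cid, data[pos + 10:pos + size]
        pos += size

def find_external_hosts(data: bytes, allowed_hosts=()) -> list:
    """Return (chunk_id, host) pairs for every embedded URL host not allowed."""
    hits = []
    for cid, payload in walk_chunks(data):
        for match in URL_RE.finditer(payload):
            host = match.group(1).decode("ascii", "replace").lower()
            if host not in allowed_hosts:
                hits.append((cid.decode("ascii", "replace"), host))
    return hits

def scan_file(path: str, allowed_hosts=()) -> list:
    """Scan one .rmvb/.rm file on disk; a non-empty result warrants quarantine."""
    with open(path, "rb") as fh:
        return find_external_hosts(fh.read(), allowed_hosts)
```

Run `scan_file` over a media share with the organisation's known streaming hosts as `allowed_hosts`; any other host reported is a candidate for the inserted-event modification described above.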
Symantec reports two vulnerabilities in Microsoft software
Microsoft XML Core Service is prone to a remote code execution vulnerability.
An attacker can exploit this issue to execute arbitrary code within the affected
application, facilitating the remote compromise of affected computers. Failed
exploit attempts will result in a denial-of-service condition.
Symantec also reported a Microsoft Word Mail Merge remote code execution vulnerability.
An attacker could exploit this issue by enticing a victim to load a malicious
Word file. If the vulnerability is successfully exploited, this could result
in the execution of arbitrary code in the context of the currently logged-in
user.
Panda Antivirus reports Briz.S
Briz.S is a password stealer-type trojan that consists of several components
which are downloaded from the Internet.
Such components carry out the following actions: they obtain information from
the computer such as IP address, name and geographic area; prevent users and
installed programs from accessing Web sites belonging to certain anti-virus
companies; and capture data entered in other Web sites that contain forms to
obtain passwords for e-mail accounts, banking services etc. It will also use
the affected computer as a gateway in order to connect anonymously to third parties'
Telnet, SMTP, FTP and HTTP services.