Showing posts with label Advisory/Alert. Show all posts

Monday, November 2, 2009

Scan Engine version 9.0 is almost here!


Scan Engine 9.000 ActiveUpdate (AU) Upload
October 30, 2009

Details

On November 16, 2009 (US PST), Trend Micro will upload Scan Engine (VSAPI) 9.000 to the ActiveUpdate (AU) server.

Trend Micro will release VSAPI 9.000 on these products:

· OfficeScan
· Client Server Messaging Suite / Client Server Suite
· Worry Free Business Security
· ServerProtect for NT
· Trend Micro Control Manager

Scan Engine 9.000 includes the following enhancements / features:
· Support for the detection of files that contain known PDF exploits
· Support for shellcode detection
· Recognition of the following additional file types:
  - Flash Video (FLV)
  - Microsoft Document Imaging (MDI)
  - Moving Picture Experts Group (MPEG)
  - QuickTime (MOV)
  - RIFF
  - SITX
  - ZIP64
· Support for the detection of exploits to Microsoft Office vulnerabilities

Recommended Action
Trend Micro recommends that you update your scan engine to provide protection against the latest threats.

For customers who want to test VSAPI 9.000 on selected clients, please download VSAPI 9.000 from the following locations:

For 32-bit VSAPI at
http://officescan-p.pre-opr-au.trendmicro.com/activeupdate/engine/engv90kd.zip

For IA 64-bit VSAPI at
http://officescan-p.pre-opr-au.trendmicro.com/activeupdate/engine/engv90_ia64_ntkd.zip

For AMD 64-bit VSAPI at
http://officescan-p.pre-opr-au.trendmicro.com/activeupdate/engine/engv90_amd64_ntkd.zip

Manual instructions on how to apply the scan engine can be found at http://esupport.trendmicro.com/enterprise/default.aspx

Friday, October 2, 2009

Trend Micro Anti-Malware Ranked #1 in Real-World Online Testing

http://us.trendmicro.com/us/trendwatch/core-technologies/competitive-benchmarks/index.html

Wednesday, July 8, 2009

TREND MICRO MALWARE ADVISORY - Zero day security exploit in Microsoft Video streaming ActiveX control MsVidCtl

Topic: MPEG2TuneRequest Exploit Leads to KILLAV Malware


Details:
Earlier today, TrendLabs was alerted to a zero-day exploit in the Microsoft Video streaming ActiveX control MsVidCtl (Advisory 972890). Around 967 Chinese websites are reported to be infected with a malicious script that takes users through successive redirections and finally downloads a JPG file containing the exploit. Trend Micro detects it as JS_DLOADER.BD.

Upon successful exploitation, the script downloads another malware detected as WORM_KILLAV.AI. This malware disables and terminates AV processes, and drops other malware on the affected system.

Affected Software
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
_______________________________________________________________________________

Recommended Action
· Update your AV products to current CPR 6.252.03 or higher
_______________________________________________________________________________

Detection
Trend Micro detects JS_DLOADER.BD and WORM_KILLAV.AI with CPR 6.252.03 or higher:
http://www.trendmicro.com/download/pattern-cpr.asp
Malicious URLs are currently being blocked by WRS (Web Reputation Service).

Tuesday, June 9, 2009

Worm Neeris family exploits the same vulnerability MS08-067

If you haven't patched MS08-067 (KB958644), you had better take action now! Not only DOWNAD: you are also susceptible to attack by the Neeris family.

Friday, April 10, 2009

[Trend Micro Advisory] NEW WORM_DOWNAD.E/Conficker Variant

NEW WORM_DOWNAD.E/Conficker Variant
04/09/2009

Details

This is a pro-active notification that Trend Micro has received a new sample of DOWNAD and named it WORM_DOWNAD.E. Trend Micro has flagged this worm as noteworthy because of its increased potential for damage and propagation, including its ability to propagate via the Server service vulnerability.

Please visit Trend Micro’s DOWNAD Information page for the latest information:
http://us.trendmicro.com/us/threats/conficker-worm/

Arrival
This worm may be downloaded unknowingly by a user when visiting malicious Web sites.

This worm executes only after meeting the following trigger condition:
Any day before May 3, 2009

Propagation Routine
This worm propagates by taking advantage of a vulnerability in certain Microsoft operating systems that allows remote code execution if an affected system receives a specially crafted RPC request that also contains shellcode.

This worm also attempts to propagate via the same vulnerability over the Internet to external IP addresses, after checking whether the system is directly connected to the Internet.

Other Details
This worm creates a temporary file, %System%/0{Random}.tmp, which is a SYS file detected by Trend Micro as TROJ_DOWNAD.E. It then creates a service using this temporary file, so the malicious routines of this malware are also exhibited in the system. After creating the service, the temporary file is deleted.

It then patches %System%\drivers\tcpip.sys in memory to change the limit on the number of TCP half-open connection attempts. After doing this, the created driver service is unloaded and deleted, leaving no trace in the registry.

It creates a thread that opens a random port to communicate with a remote computer. This worm also creates the mutex “Global\{Random}” to ensure that only one instance of itself is running in memory.

_________________________________________________________________________________

Trend Micro Solutions
· VSAPI Pattern - Since OPR 5.953.00
· Intellitrap pattern - detected as PAK_Generic.001
· Damage Cleanup Template - DCT OPR 1026
_________________________________________________________________________________

DOWNAD/Conficker Best Practices
1. Patch Windows systems with MS08-067
2. Verify that the OfficeScan Client Edition is up to date and has the proper settings
http://esupport.trendmicro.com/pages/How-to-configure-Trend-Micro-products-for-best-protection-against-malw.aspx
3. Follow the recommended solutions and protection

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDOWNAD%2EE&VSect=Sn
_________________________________________________________________________________

Monday, March 23, 2009

[Malware Advisory] WORM_Downad.KK - Activates on April Fool's Day

Dear All,

We would like to inform you that we have received new updates from our Global Update Center.

Topic: WORM_Downad.KK – Activates on April Fool’s Day

Advisory Release Date: March 18, 2009

Details

Worm_downad has infected more than 15 million computers, making it one of the most widespread infections in recent times.

A new variant of worm_downad (aka Conficker) is expected to activate on April Fool’s Day.

Trend Micro detects this new variant as worm_downad.kk. More information can be found at http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.KK&VSect=T. Trend Micro detects this malware starting with pattern file 5.885.00.

Compared to the old variants, worm_downad.kk is more sophisticated. Here are a few of its payloads:

· Connects to various time servers to determine the current date and time.

· Registers itself as a system service to ensure automatic execution at every startup.

· Deletes a registry key to prevent system startup in safe mode.

· Terminates security-related processes (e.g. procexp, regmon, autoruns, gmer, etc.)

· Blocks access to security and antivirus websites.

· Generates 50,000 malicious URLs and attempts to connect to around 500 randomly generated URLs at a time.

_______________________________________________________________________

Recommended Action

· Enable Web Reputation Service

· Make sure that you have the latest virus definitions (at least pattern file 5.885.00)

· Run a FULL system scan to ensure that malware does not exist on your PC

· Apply MS08-067

· Ensure strong password practices

· Disable autorun.inf for removable devices

· On file-sharing servers, don’t share to Everyone.

Tuesday, February 10, 2009

Malware Advisory - [PE_VIRUX.A AWARENESS]

PE_VIRUX.A is a polymorphic file infector capable of infecting .exe and .scr files. This file infector may be downloaded unknowingly by a user when visiting malicious Web sites.

For more information about this malware, please see the following link:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_VIRUX.A

Solutions available:
I. Trend Micro strongly recommends updating your pattern file to the latest OPR (Official Pattern Release). OPR 5.821.00 already includes detection for PE_VIRUX.A.

II. If your network is already experiencing infections from this malware, the following product settings are recommended:

1. Set first product action to clean

2. Set second product action to pass
note: Use a specific action for each virus/malware type


You can consider applying the preventive measures below:

a. Download from trusted sites or sources only. Unknown sites may direct the user’s browser to malicious websites that download scripts or executables that can infect machines.

b. Make sure that downloaded or copied files are scanned by Trend Micro antivirus first before executing them.

c. Ensure that OfficeScan Web Reputation Services is enabled and the security level is configured as “Medium”.

Friday, December 12, 2008

Top Infectors for Asian countries

I handled a number of cases over the past few months regarding the spread of autorun malware via thumb drives. Thank you Azril for the latest malware sample, :p

This statistic from a Trend Micro researcher will give you some insights; do read it here.



If disabling the autorun feature is agreeable to the end users, you might want to consider deploying this tool.

JS_DLOAD.MD/IE7 0-day Exploit

Details

On December 10, 2008 2:06pm (GMT +8) TrendLabs received a report that a zero-day IE7 exploit had been discovered in a Chinese forum. The toolkit was being sold in the Chinese underground community. The exploit method used is a heap spray on SDHTML that affects the following platforms:

Internet Explorer 7.0 (7.0.5730.13)

Windows XP / Windows 2003

After exploitation, the malware downloads from or redirects to the following URLs: wwwwyyyyy.cn and qqqqttrr.cn

As of December 10, 2008 2:06PM (GMT +8) Microsoft does not have any patch on this exploit.


Solution

URL FILTERING:

Domain
cc4y7.cn {BLOCKED}
wwwwyyyyy.cn {BLOCKED}
qqqqttrr.cn {BLOCKED}
www-onlinedown.com {BLOCKED}
hxxp://wieyou.com/iiee/explore.exe {BLOCKED}
hxxp://baidu.bbtu001.com {BLOCKED}
sllwrnm5.cn {BLOCKED}
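
A defender would want to apply the blocklist above to proxy logs rather than eyeball it. The following is an added example (not part of the advisory or any Trend Micro product): it parses the published entries, refangs the `hxxp://` ones, matches hosts on exact domain or subdomain only (a plain substring match would wrongly hit a lookalike such as notqqqqttrr.cn), honours the one path-specific entry, and runs over constructed sample log lines.

```python
import re
from urllib.parse import urlsplit
# Blocklist exactly as published in the advisory above: bare domains plus
# defanged "hxxp://" entries, one of which names a specific file path.
BLOCKLIST = [
    "cc4y7.cn", "wwwwyyyyy.cn", "qqqqttrr.cn", "www-onlinedown.com",
    "hxxp://wieyou.com/iiee/explore.exe", "hxxp://baidu.bbtu001.com",
    "sllwrnm5.cn",
]

def refang(text: str) -> str:
    """Turn a defanged hxxp/hxxps scheme back into one urlsplit understands."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", text.strip(), flags=re.IGNORECASE)

def parse_entry(entry: str):
    """(host, path) for one entry; path is None when the whole domain is blocked."""
    url = refang(entry)
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.hostname.lower(), (parts.path if parts.path not in ("", "/") else None)

BLOCKED = [parse_entry(e) for e in BLOCKLIST]
def is_blocked(url: str) -> bool:
    """Blocked domain or a subdomain of one (never a bare substring); path entries must match the path."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    for b_host, b_path in BLOCKED:
        if host == b_host or host.endswith("." + b_host):
            if b_path is None or parts.path == b_path:
                return True
    return False

# Constructed proxy log lines (not from the advisory): "<timestamp> <client> <url>"
SAMPLE_LOG = """\
2008-12-10T14:10:02+08:00 10.0.0.12 http://www.wwwwyyyyy.cn/a.js
2008-12-10T14:10:05+08:00 10.0.0.12 http://wieyou.com/iiee/explore.exe
2008-12-10T14:10:09+08:00 10.0.0.13 http://wieyou.com/index.html
2008-12-10T14:11:30+08:00 10.0.0.14 http://notqqqqttrr.cn/
"""

def flag_log(log_text: str):
    """Return (client, url) pairs for every log line whose URL hits the blocklist."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and is_blocked(fields[2]):
            hits.append((fields[1], fields[2]))
    return hits
```

Calling `flag_log(SAMPLE_LOG)` returns the two hits from client 10.0.0.12; the index.html fetch from wieyou.com is not flagged because only the explore.exe path is listed.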

VSAPI:

On December 10, 2008 at 12:13:29 PM, OPR 5.699.00 was released, including the following detections:

TROJ_GAMETHI.BPF
TROJ_PATCH.KU

OPR 5.701.00 has already been released, with the following detections:

JS_DLOAD.MD
TSPY_ONLINEG.EJH
TSPY_ONLINEG.EJG
TSPY_ONLINEG.HAV
TSPY_ONLINEG.ADR

VIRUS REPORT:

More detailed description of this malware can be found at the following link:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FDLOAD%2EMD

Wednesday, December 10, 2008

Subject: ENJOY The ALL-NEW, ALL-YOU M2U

A friend of mine forwarded this a while ago with a note that this could be another Maybank phishing scam. I thought of sharing this with all of you out there. You have probably received this in another version, because as far as I know the Maybank2u phishing scam has been around for quite some time.

Looking at the subject, this phishing scam takes the opportunity that Maybank now is promoting the M2u (Maybank2u) new look.

I looked at the full header of the email and thought it was rather fishy that the original sender was from an ISP company in India. The URL given in the email points back to the Maybank2u.com.my domain. It looks rather genuine. However, when I clicked on the link it led to a dead page. My take: it is a phishing scam too. Probably the malicious component has been taken down.



Happy banking!

Wednesday, July 30, 2008

Beware of this ..



You might say this is lame, but some people still fall for this kind of trick. I always ignore anything that looks fishy, especially from someone unknown. BUT, it could come from someone close too!

The given link could take you to another malicious site or file and do all the wonders of web threats that you could imagine, or beyond your imagination. :-) Please, educate your users.

Of course, if you enable Web Threat Protection you are somewhat protected. Happy supporting Trend Micro products!

Tuesday, July 29, 2008

Trend Micro secures virtual environment

You can refer to this link for the list of products that can be installed in a VMware environment.

Feel free to give feedback on your experience!