Topic: MPEG2TuneRequest Exploit Leads to KILLAV Malware

Earlier today, TrendLabs was alerted to a zero-day exploit in the Microsoft Video streaming ActiveX control MsVidCtl (Advisory 972890). Around 967 Chinese websites are reported to be infected by a malicious script that takes users through successive redirections and finally has them download a JPG file containing the exploit. Trend Micro detects it as JS_DLOADER.BD.

Upon successful exploitation, the script downloads another malware detected as WORM_KILLAV.AI. This malware disables and terminates AV processes, and drops other malware on the affected system.

Affected Software
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems

Recommended Action
· Update your AV products to current CPR 6.252.03 or higher

Trend Micro detects JS_DLOADER.BD and WORM_KILLAV.AI with current CPR 6.252.03 or higher.
Malicious URLs are currently being blocked by WRS.