Topic: MPEG2TuneRequest Exploit Leads to KILLAV Malware
Details:
Earlier today, TrendLabs has been alerted of a zero-day exploit in Microsoft Video streaming ActiveX control MsVidCtl (Advisory 972890). Around 967 Chinese websites are reported to be infected by a malicious script that leads users to successive redirections and lands them to download a JPG file containing the exploit. Trend Micro detects it as JS_DLOADER.BD.
Upon successful exploitation, the script downloads another malware detected as WORM_KILLAV.AI. This malware disables and terminates AV processes, and drops other malware on the affected system.
Affected Software
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems _______________________________________________________________________________
Recommended Action
· Update your AV products to current CPR 6.252.03 or higher
_______________________________________________________________________________
Detection
Trend Micro JS_DLOADER.BD and WORM_KILLAV.AI with current CPR 6.252.03 or higher:
http://www.trendmicro.com/download/pattern-cpr.asp
Malicious URLs: are currently being block by WRS