We recently encountered a piece of malware posing as a legitimate font file. Detected as WORM_OTORUN.ASH, the worm is a .DLL file that uses .FON as its extension. To propagate, it drops copies of itself into shared folders on the infected system. While neither routine is new, the combination of both in a single piece of malware fits the exploit scenario described for the Microsoft OpenType Font Driver Vulnerability (MS10-091).
However, after further analysis, we found that the malware does not contain any exploit code for MS10-091. Instead, it exploits the Windows LNK vulnerability (MS10-046), using shortcut files as its autostart component. Let's not forget that this particular vulnerability works with any .DLL file: even though WORM_OTORUN.ASH is disguised as a font file, it still functions as a .DLL file.
WORM_OTORUN.ASH creates two types of .LNK files—shortcut files that point to files saved in local folders (LNK_OTORUN.SM) and shortcut files that point to files saved in shared folders (EXPL_CPLNK.SM). The dropped .LNK files bear enticing file names such as myporno.avi.lnk and pornmovs.lnk to trick users into clicking them.
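Two of the traits described above can be checked without running anything: a genuine .FON file is a 16-bit NE module, so a .FON whose MZ header points at a PE DLL is the disguise in question, and a shortcut with a hidden inner extension (myporno.avi.lnk) is the lure pattern. The following triage script is an added example, not Trend Micro's code; the share listing and header bytes are constructed for the test, and the double-extension check is a generalisation of the one lure name the post gives.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit: the image is a DLL


def classify_image(data: bytes) -> str:
    """Real .FON files are 16-bit NE modules; a PE DLL under .FON is the disguise."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-mz"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] == b"NE":
        return "ne-font"
    if sig != b"PE\0\0" or e_lfanew + 24 > len(data):  # need PE\0\0 + 20-byte COFF header
        return "unknown-mz"
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "pe-dll" if characteristics & IMAGE_FILE_DLL else "pe-exe"


def is_lure_lnk(name: str) -> bool:
    """Shortcut with a hidden inner extension, e.g. myporno.avi.lnk."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] == "lnk"


def triage(listing: dict) -> list:
    """Scan a {filename: bytes} share listing; return (name, reason) findings."""
    findings = []
    for name in sorted(listing):
        kind = classify_image(listing[name])
        if name.lower().endswith(".fon") and kind != "ne-font":
            findings.append((name, f"{kind} image carrying a .fon extension"))
        elif is_lure_lnk(name):
            findings.append((name, "double-extension shortcut lure"))
    return findings


def build_mz_image(secondary: bytes, characteristics: int = 0) -> bytes:
    """Constructed minimal MZ image for testing; not a real executable."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> secondary header at 0x40
    body = bytearray(secondary.ljust(4, b"\0"))
    if secondary == b"PE\0\0":
        body += bytes(18) + struct.pack("<H", characteristics)
    return bytes(header + body)


SAMPLE_SHARE = {  # constructed listing; no real malware bytes involved
    "arial.fon": build_mz_image(b"NE"),                       # genuine-looking font module
    "system.fon": build_mz_image(b"PE\0\0", IMAGE_FILE_DLL),  # PE DLL posing as a .FON
    "myporno.avi.lnk": b"L\0\0\0",                             # shortcut lure (content not parsed)
    "readme.txt": b"plain text",
}
```

On a real share, read each file's first 100 bytes or so into the listing; the classifier never needs the whole image.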
Successful exploits for MS10-091 and MS10-046 both result in remote code execution, so users are strongly advised to patch their systems if they haven't yet.
Trend Micro product users are protected from this threat through security solutions powered by the Trend Micro™ Smart Protection Network™, which detects and blocks all related malware and malicious URLs. Enterprise users are also protected from possible exploits via Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in.
Additional analysis provided by Alden Baleva and Kathleen Notario
Post from: TrendLabs | Malware Blog – by Trend Micro
Worm Poses as a Font File, Uses LNK Vulnerability to Propagate

Posted on 18 March 2011.
The above information is reprinted from and copyrighted © by Trend Micro.