More IE7 Beta spam/malware

Started by DAB Badboy, May 08, 2007, 06:53:21


DAB Badboy


Published: 2007-05-07

Last Updated: 2007-05-07 15:01:20 UTC
by Johannes Ullrich (Version: 1)

A new wave of "Internet Explorer 7.0 Beta" spam is currently being reported. All link to an "update.exe" file, which is hosted on various URLs. The e-mail message is adopting spam methods by "hiding" the image link among chunks of text copied from web sites.

Characteristics:
From: admin@microsoft.com
Subject: Internet Explorer 7.0 Beta

URL:
we have seen these so far (but there are likely many more):

It doesn't look like a feasible idea to block all these sites. However, you probably should filter e-mail from 'admin@microsoft.com' (that particular "From" address has been used in the past).

update.exe itself is a downloader which will install a second stage binary upon execution.

http://isc.sans.org/diary.html?storyid=2768

Lance

_____

This post reflects my own views, opinions and experience, not those of IDNet.
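
A filter for the three characteristics listed in the diary above (From address, Subject, and a link to "update.exe"), as an added example that is not part of the original post or the ISC diary. The sample messages and the example.test hosts are constructed; matching on the file name rather than on hosts follows the diary's point that blocking every site is not practical.

```python
# Added example: flag mail that matches the characteristics from the diary.
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

SPOOFED_FROM = "admin@microsoft.com"     # From address given in the diary
SUBJECT = "internet explorer 7.0 beta"   # Subject given in the diary
PAYLOAD_NAME = "update.exe"              # file name every reported link used
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def links_to_payload(text):
    """True if any URL in the text has a path ending in update.exe."""
    for url in URL_RE.findall(text):
        if urlparse(url).path.lower().rsplit("/", 1)[-1] == PAYLOAD_NAME:
            return True
    return False

def match_reasons(raw_message):
    """Return which of the three characteristics a raw message matches."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    # parseaddr strips the display name, so "Microsoft <admin@...>" matches.
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() == SPOOFED_FROM:
        reasons.append("from")
    if SUBJECT in str(msg.get("Subject", "")).lower():
        reasons.append("subject")
    # The link is hidden among filler text, so scan every text part.
    text_parts = (p for p in msg.walk() if p.get_content_maintype() == "text")
    if any(links_to_payload(p.get_content()) for p in text_parts):
        reasons.append("link")
    return reasons

# Constructed sample messages (not taken from real mail).
SAMPLE = (
    "From: Microsoft <admin@microsoft.com>\n"
    "Subject: Internet Explorer 7.0 Beta\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    "<p>filler text copied from a web site</p>\n"
    '<a href="http://mail-sample.example.test/images/update.exe">'
    '<img src="cid:banner"></a>\n'
)
BENIGN = (
    "From: News <newsletter@example.test>\n"
    "Subject: Weekly update\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<a href="http://example.test/update.html">read more</a>\n'
)
```

The From header is sender-controlled, so a match on "from" alone identifies this campaign's template rather than proving anything about the sender.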

psp83

Got loads of these emails through yesterday

AvengerUK

I've had one of these, deleted it instantly...even if it was from Microsoft, I would never download it! - they're almost as bad as the spam!