More IE7 Beta spam/malware

[DAB Badboy]

Published: 2007-05-07,

Last Updated: 2007-05-07 15:01:20 UTC
by Johannes Ullrich (Version: 1)

A new wave of "Internet Explorer 7.0 Beta" spam is currently being reported. All links to an "update.exe" file, which is hosted on various URLs. The e-mail message is adopting spam methods by "hiding" the image link among chunks of text copied from web sites.

Characteristics:
From: admin@microsoft.com
Subject: Internet Explorer 7.0 Beta

URL:
we have seen these so far (but there are likely many more):
httx://xoozee. cd/update.exe
httx://merzingo. cd/update.exe
httx://endfriends. cd/update.exe
httx://netdesks. cd/update.exe
httx://pleasedostock. hk/update.exe
httx://wordcasts. cd/update.exe
httx://abyssrecycling. co.uk/images/update.exe
httx://accentstaffing. com/images/update.exe
httx://bcweblist. com/images/update.exe
httx://actorsandactresses. co.uk/images/update.exe
httx://mikelike .cd/update.exe

It doesn't look like a feasable idea to block all these sites. However, you probably should filter e-mail from 'admin@microsoft.com' (that particular "From" address has been used in the past).

update.exe itself is a downloader which will install a second stage binary upon execution.

http://isc.sans.org/diary.html?storyid=2768

[Lance]

Thanks for the warning

[psp83]

Got loads of these emails through yesterday

[AvengerUK]

ive had one of these, deleted it instantly...even if it was from microsoft, i would never download it! - there almost as bad as the spam!