Date: 21 September 2007
A new malicious email is making its way around inboxes on the internet today.
It is an email purporting to be a Microsoft Security Bulletin. These fake
bulletins are trying to entice users to download a Trojan. Interestingly, the
downloaded file actually contains a legitimate Microsoft Update as well as a
bad bit of software which extracts a Browser Helper Object (BHO) and registers it.
Examples seen so far of the subject line are:
Microsoft Security Bulletin
Administrators should consider setting the kill bit [1] on the following
GUID, which is the unique identifier for the BHO:
{3F6D54BB-34EE-4469-B094-86B09E53BCF8}
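One way to apply the kill bit described in [1] to this GUID and to check whether the BHO is already registered on a host. This is an added example, not part of the original bulletin. It assumes an elevated PowerShell session and uses the standard "ActiveX Compatibility" and "Browser Helper Objects" registry locations; the variable names are illustrative.

```powershell
# Added example (not from the bulletin): set the IE kill bit for the BHO GUID
# and report whether the BHO is registered on this machine.
$Clsid   = '{3F6D54BB-34EE-4469-B094-86B09E53BCF8}'  # GUID given in the bulletin
$KillBit = 0x00000400                                 # kill bit in "Compatibility Flags" (KB 240797)

# Native registry view, plus the 32-bit view when running on 64-bit Windows.
$Roots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') |
    Where-Object { Test-Path -LiteralPath $_ }

foreach ($root in $Roots) {
    $key = Join-Path $root "Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Preserve any flags already present and OR in the kill bit.
    $existing = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = ([int]$existing) -bor $KillBit
    New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
        -PropertyType DWord -Value $flags -Force | Out-Null

    # Read the value back to confirm the write took effect.
    $check = (Get-ItemProperty -LiteralPath $key).'Compatibility Flags'
    if (($check -band $KillBit) -eq $KillBit) {
        Write-Output ("Kill bit set: {0} (flags 0x{1:X8})" -f $key, $check)
    } else {
        Write-Warning "Kill bit NOT set: $key"
    }

    # A registered BHO under this GUID means the Trojan has likely run here.
    $bho = Join-Path $root "Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
    if (Test-Path -LiteralPath $bho) {
        Write-Warning "BHO is registered on this host: $bho"
    }
}
```

A warning about a registered BHO indicates the host needs cleanup and investigation, not just the kill bit.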
Domains hosting the malware include the following:
Some of you may notice that these domains look familiar. Well, you'd be right.
A lot of these domains were used in the Fathers Day spam [2][3]. These
same sites were also used in a Flash card spam in early June and another spam
run in July.
Although the malicious software is removed from these domains, they are
recompromised later with more bad software.
We'll keep you updated on this.
Regards,
Zane
References:
[1] How to stop an ActiveX control from running in Internet Explorer
http://support.microsoft.com/kb/240797
[2] AL-2007.0110 - "Fathers Day" Malicious Emails
https://www.auscert.org.au/render.html?it=8073
[3] Father's Day Email Follow-up
https://www.auscert.org.au/render.html?it=8093