Australia's Leading Computer Emergency Response Team

Fake Microsoft Security Bulletin
Date: 21 September 2007
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=8114

A new malicious email is making its way around inboxes on the internet today.
It purports to be a Microsoft Security Bulletin, and these fake bulletins are
trying to entice users to download a Trojan. Interestingly, the downloaded
file actually contains a legitimate Microsoft update as well as a malicious
component which extracts a Browser Helper Object (BHO) and registers it.

Subject lines seen so far:

     Microsoft Security Bulletin

Administrators should consider setting the kill bit [1] on the following
GUID, which is the unique identifier (CLSID) under which the BHO is registered:

     {3F6D54BB-34EE-4469-B094-86B09E53BCF8}
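The following PowerShell is an added example and is not part of the AusCERT
advisory. It applies the kill bit from KB240797 [1] to the CLSID above by
writing the "Compatibility Flags" DWORD with bit 0x400 set, then verifies the
value. The registry locations used for the kill bit, for BHO registration and
for the InprocServer32 DLL path are the standard Windows ones; the check for
whether the BHO is actually present on the host is an assumption added here
for triage, not a step the advisory describes. Run it from an elevated
(Administrator) prompt.

```powershell
# Added example (not from the AusCERT advisory): set and verify the IE kill
# bit for the BHO CLSID listed in the advisory, per KB240797.

$clsid   = '{3F6D54BB-34EE-4469-B094-86B09E53BCF8}'   # CLSID from the advisory
$KILLBIT = 0x400                                       # KB240797: "never load this control"

# Added triage step (assumption): report whether the BHO is registered on
# this host and which DLL it points at, so responders know what to collect.
$bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
$srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
if (Test-Path $bhoKey) {
    Write-Host "BHO $clsid is registered on this host"
    if (Test-Path $srvKey) {
        $dll = (Get-ItemProperty -Path $srvKey).'(default)'
        Write-Host "  InprocServer32 -> $dll"
    }
} else {
    Write-Host "BHO $clsid not registered here; setting the kill bit as a precaution"
}

function Set-KillBit([string]$base, [string]$clsid) {
    $key = Join-Path $base $clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Preserve any compatibility flags already present and OR in the kill bit.
    $existing = 0
    try {
        $existing = [int](Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction Stop).'Compatibility Flags'
    } catch { }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($existing -bor $KILLBIT) -Type DWord

    # Verify: the bit must now be set.
    $flags = [int](Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    if (($flags -band $KILLBIT) -eq $KILLBIT) {
        Write-Host ("Kill bit set under {0}: Compatibility Flags = 0x{1:X}" -f $base, $flags)
    } else {
        Write-Error "Failed to set kill bit under $base for $clsid"
    }
}

# The kill bit lives under ActiveX Compatibility; 32-bit IE on 64-bit Windows
# reads the Wow6432Node copy, so set both where the Wow6432Node hive exists.
Set-KillBit 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' $clsid
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    Set-KillBit 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' $clsid
}
```

The kill bit only stops Internet Explorer from loading the object; it does not
remove the DLL or the registration. Use the InprocServer32 path printed above
to locate the file for analysis and cleanup.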


Domains hosting the malware include the following:

     hxxp :// affordableprinter,com
     hxxp :// ajfc,com
     hxxp :// alphieandthealphabets,com
     hxxp :// bazratner,com
     hxxp :// cemoffice,com
     hxxp :// danhart,net
     hxxp :// definedart,com
     hxxp :// fiz6qed,org
     hxxp :// generationd,us
     hxxp :// jefffrankel,com
     hxxp :// jimcullendesign,com
     hxxp :// jordanville,org
     hxxp :// kindrafehr,com
     hxxp :// lanirichards,com
     hxxp :// lionjim,com
     hxxp :// oskyindians,com
     hxxp :// sanddollarconsulting,com
     hxxp :// stnicholasstratford,org
     hxxp :// www,a1trails,com
     hxxp :// www,an,co,yu

Some of you may notice that these domains look familiar. Well, you'd be right:
many of these domains were used in the Father's Day spam [2][3]. The same
sites were also used in a flash card spam run in early June and in another
spam run in July.

Although the malicious software is removed from these domains, they are
recompromised later and used to host more malware.

We'll keep you updated on this.

Regards,
Zane


References:

[1] How to stop an ActiveX control from running in Internet Explorer
http://support.microsoft.com/kb/240797

[2] AL-2007.0110 - "Fathers Day" Malicious Emails
https://www.auscert.org.au/render.html?it=8073

[3] Father's Day Email Follow-up
https://www.auscert.org.au/render.html?it=8093