Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - More IE7 Beta spam/malware InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

More IE7 Beta spam/malware

Published: 2007-05-07
Last Updated: 2007-05-07 15:01:20 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
A new wave of "Internet Explorer 7.0 Beta" spam is currently being reported. All links to an "update.exe" file, which is hosted on various URLs. The e-mail message is adopting spam methods by "hiding" the image link among chunks of text copied from web sites.

Characteristics:
From: admin@microsoft.com
Subject: Internet Explorer 7.0 Beta

URL:
we have seen these so far (but there are likely many more):
httx://xoozee. cd/update.exe
httx://merzingo. cd/update.exe
httx://endfriends. cd/update.exe
httx://netdesks. cd/update.exe
httx://pleasedostock. hk/update.exe
httx://wordcasts. cd/update.exe
httx://abyssrecycling. co.uk/images/update.exe
httx://accentstaffing. com/images/update.exe
httx://bcweblist. com/images/update.exe
httx://actorsandactresses. co.uk/images/update.exe
httx://mikelike .cd/update.exe

It doesn't look like a feasable idea to block all these sites. However, you probably should filter e-mail from 'admin@microsoft.com' (that particular "From" address has been used in the past).

update.exe itself is a downloader which will install a second stage binary upon execution.
Keywords:
0 comment(s)
Diary Archives