FAKE Microsoft patch email -> Fake Spyware Doctor!

Published: 2007-06-26. Last Updated: 2007-06-28 20:03:11 UTC
by donald smith (Version: 4)
0 comment(s)

Several of our readers reported an email that lead to a fake Microsoft patch being spammed on the net today. The email had their full names and in one case the company they worked for included in the body of the email. So far I have seen 4 different urls. We are working on getting the systems hosting the malware cleaned or shutdown. We have submitted the malware itself to most of the AV vendors so detection should improve but currently it is not detected.

Thanks go out to PatrickC, TroyP, NathanM, BruceD and CalebC.

You can see in the body of the email below that the spelling is bad and the license key is not in the right format for XP nor Outlook.

Microsoft pointed us to a couple of web pages they maintain that should help you recognize fraudulent email here and here

One of the submitters “PatrickC” provided the following email for a fake Microsoft patch and malware site.  

“The following email I received is new to me. The URL points to
hxxp://fake.microsoft.site./
MSOUTRC2007Update-KB863892.exe
Bye.”
==Sanitized email header==============
X-Envelope-To: <patrick >
<SNIP to protect Patrick >
Date: Tue, 26 Jun 2007 14:51:39 +0200
Precedence: bulk
To: Patrick 
Subject: Microsoft Security Bulletin MS07-0065 - Critical Update
From: "Microsoft Corp." <update@microsoft.com>
Content-Type: text/html; charset=iso-8859-1
Message-Id: <E1I3AWB-00010F-00@s137553944.websitehome.co.uk>
X-Antivirus: avast! (VPS 000752-0, 2007-06-25), Inbound message
X-Antivirus-Status: Clean 
Microsoft.com Home |
| Windows Family | Windows Marketplace | Office Family | Microsoft Update  
Dear Patrick

You are receiving this message because you are using Genuine Microsoft Software and your e-mail address has been subscribed to the Microsoft Windows Update mailing list.

A new 0-day vulnerability has appeared in the wild and was reported for the first time Monday, June 18th. The vulnerability affects machines running MICROSOFT OUTLOOK and allows an attacker to take full control of the vulnerable computer if the exploitation process is succesfull.

Since then, more than 100,000 machines have been reported as exploited and used to promote spammy pharmacy products such as viagra and cialis.

An update has been released to fix this issue and can be downloaded from the following link :

http://windowsupdate.microsoft.com/outlook/upd ate-0-day/download.aspx?id=63852

Quick Details
File Name: MSOUTRC2007Update-KB863892.exe
Version: 3.1.1023
Date Published: 06/25/2007
Download Size: 20 Kb
Estimated Download Time: 1 sec

It's urgent to download and install the update as soon as possible in order to decrease the number of succesfull attacks that occure each day. The update is only available for Genuine Versions of Microsoft Outllok. 
Instructions :  
1. Click the link above to start the download
2. Save the update in your WINDOWS directory and run it from there.If you want to start the installation immediately click Run in the download box, after you click the link.
3. After you run it, the update will download the security packages required to patch Microsoft Outlook.The entire process will take around 10-15 minutes, and you'll receive a confirmation message once the update process is completed.

Your Microsoft Windows Licence Information is :

REG ISTERED TO : Patrick
Licence KEY : XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Thank you

Microsoft Corp.

=====================================

From Norman Sandbox:

MSOUTRC2007Update-KB863892.exe : INFECTED with W32/Malware (Signature: NO_VIRUS)

 [ DetectionInfo ]
    * Sandbox name: W32/Malware
    * Signature name: NO_VIRUS
 [ General information ]
    * Drops files in %WINSYS% folder.
    * File length:        20480 bytes.
    * MD5 hash: c7a8bde380043b5d8d7229e82db1c2fc.
 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\sdoctor.exe.
    * Creates file C:\france.html.
    * Deletes file c:\france.html.
 [ Changes to registry ]
    * Creates value "SpywareDoctor"="C:\WINDOWS\SYSTEM32\sdoctor.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
 [ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
    * Attemps to NULL C:\COMMAND.COM /c del c:\sample.exe >> NUL.
    * Modifies other process memory.
    * Creates a remote thread.
[ Signature Scanning ]
    * C:\WINDOWS\SYSTEM32\sdoctor.exe (20480 bytes) : no signature detection.

We notified one of the support teams at a hosting provider that a virus was found on one of their customers systems.

Their auto responder responded within a minute.
A support person removed the malware and responded within 30 minutes.
When I tried to verify that I found the malware was still there or back.
When I notified the hosting provider that the malware was back the support person analysised logs, determined it was being uploaded via ftp and immediately disabled the ftp account involved.

 

One of our readers provided this detection list.

AntiVir             HEUR/Crypted
Avast!              --
AVG                 Downloader.Agent.MPF
A-Squared           --
Bitdefender         Trojan.Downloader.Small.AABU
ClamAV              --
Command AV          W32/Warezov.gen3!W32DL
Dr Web              Trojan.DownLoader.24763
eSafe               --
eTrust              Win32/Smynoc
Ewido               --
F-Prot              W32/Warezov.gen3!W32DL
F-Secure            Trojan-Downloader.Win32.Agent.bvy
Fortinet            W32/Agent.BVY!tr.dldr
Ikarus              --
Kaspersky           Trojan-Downloader.Win32.Agent.bvy
McAfee              Generic Downloader.ak trojan
Microsoft           Trojan:Win32/Agent.gen!C
Nod32               Win32/TrojanDownloader.Agent.ACS
Norman              W32/Malware (Sandbox)
Panda               Suspicious file
QuickHeal           --
Rising AV           --
Sophos              Mal/Behav-112
Spybot S&D          Smitfraud-C.,,Installer
Symantec            -- (BETA: Downloader)
Trend Micro         -- (BETA: TROJ_AGENT.VII)
VBA32               --
VirusBuster         --
WebWasher           Heuristic.Crypted

 

UPDATE:
 Several users have reported that this is only being sent to IT accounts and mostly highlevel IT accounts.

There is a new version of the binary.

MD5 = 0b4a130e2f124e780947fc4a36e0a556

They changed the name of the binary and registry entries.

systemmechanic.exe
SystemMechanic

Keywords:
0 comment(s)

Comments


Diary Archives