The fake Microsoft Internet Explorer 7.0 spam campaign continues this morning with new messages and new malware binaries hidden behind links. The latest binary is ie7.0.exe; the infection it delivers is associated with AntivirusXP 2008, a rogue anti-virus application that is currently in widespread circulation and accounts for a number of the infections we see on a daily basis.
In fact, this malware accounts for 1.68% of infected PCs and currently ranks 3rd among active viruses worldwide.
Antivirus XP is an application that displays popups and other messages claiming the PC is infected, thus enticing the user to purchase a fix. Symptoms include the browser being hijacked and replaced with a web page designed to look like an authentic AV scanner, popup messages, and system performance degradation. In addition, the malware binary appears to be packed with an unknown packer (cloaking malcode through cryptors and custom packing, as a way to increase the difficulty for malware analysts, is certainly a trend we are seeing right now).
File size: 139264 bytes
PEInfo: PE Structure information
( base data )
timedatestamp.....: 0x4899bb4e (Wed Aug 06 14:55:10 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name   viradd   virsiz   rawdsiz  ntrpy  md5
.code  0x1000   0x33994  0x4800   4.11   00679324558732af6c893b011d7d0db3
DATA   0x35000  0x1bc70  0x1ae00  8.00   9cf75f7813add823fe3e17434810c5c2
.rsrc  0x51000  0x1000   0x600    7.19   6499d98dc4d5856dec43ffc292cce676
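Added example, not from the original post or from the PEInfo tool: a short Python script that walks a PE's section table and reports the two packer indicators visible in the dump above, per-section Shannon entropy (DATA at 8.00 bits is effectively encrypted or compressed) and a virtual size far larger than the raw data on disk (.code reserves 0x33994 bytes but carries only 0x4800, typical of a section that gets filled by an unpacking stub at run time). The image it scans is a constructed minimal PE-shaped blob, not ie7.0.exe, and the 7.0-bit and 4x thresholds are my own heuristic choices.

```python
import hashlib
import math
import struct
from collections import Counter

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, 2 relocation/linenumber pointers, 2 counts (H), Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def section_table(image: bytes):
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]   # DOS header -> PE signature offset
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections, opt_size = struct.unpack_from("<H12xH", image, e_lfanew + 6)
    return e_lfanew + 24 + opt_size, nsections

def section_report(image: bytes, threshold: float = 7.0):
    """Per-section entropy plus two packer indicators; thresholds are my own heuristics."""
    offset, count = section_table(image)
    report = []
    for i in range(count):
        name, vsize, vaddr, rsize, rptr, *_ = SECTION_HDR.unpack_from(image, offset + i * 40)
        ent = shannon_entropy(image[rptr:rptr + rsize])
        flags = []
        if ent >= threshold:
            flags.append("high entropy")       # compressed/encrypted payload, like DATA at 8.00
        if vsize > 4 * rsize:
            flags.append("vsize >> rawsize")   # room for code unpacked at run time, like .code
        report.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr,
                       "vsize": vsize, "rawsize": rsize, "entropy": round(ent, 2), "flags": flags})
    return report

def build_sample_image() -> bytes:
    """Constructed minimal PE-shaped blob (not ie7.0.exe); optional header size is 0 here."""
    img = bytearray(0x700)
    struct.pack_into("<I", img, 0x3C, 0x80)                        # e_lfanew -> "PE\0\0"
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x86, 2)                           # NumberOfSections
    SECTION_HDR.pack_into(img, 0x98, b".code", 0x3000, 0x1000, 0x100, 0x200, 0, 0, 0, 0, 0x60000020)
    SECTION_HDR.pack_into(img, 0xC0, b"DATA", 0x400, 0x4000, 0x400, 0x300, 0, 0, 0, 0, 0xC0000040)
    img[0x200:0x300] = bytes(range(16)) * 16                       # 16 symbols -> entropy 4.0
    img[0x300:0x700] = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    return bytes(img)
```

Call section_report(open(path, "rb").read()) on a real sample, or section_report(build_sample_image()) to see both flags raised on the constructed blob.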