Fake Internet Explorer 7.0 update = Antivirus XP 2008

The fake Microsoft Internet Explorer 7.0 spam campaign continues this morning with new messages and new malware binaries hidden behind the links. The latest binary is ie7.0.exe; the resulting infection is AntivirusXP 2008, a rogue anti-virus application currently in widespread circulation that accounts for a number of the infections we are seeing on a daily basis.

This malware currently accounts for 1.68% of infected PCs and ranks third among active viruses worldwide at the moment.

Antivirus XP is an application that displays popups and other messages claiming the PC is infected, enticing the user to purchase a "fix". Symptoms include the browser being hijacked and replaced with a web page designed to look like an authentic AV scanner, popup messages, and system performance degradation. In addition, the malware binary appears to be packed with an unknown packer (a clear trend right now is the cloaking of malcode through cryptors and custom packing as a way to increase the difficulty for malware analysts).

File size: 139264 bytes
MD5: ef99ebb8e1699733b3bd1de7de2a0da1
SHA1: 4707f2372b087d68cb33e325df030046875bfc22
SHA256: 970580019c632f7e91a897b9abf5c3e678afb08dba434d98bc3e49543abe0a3c
SHA512: d819d6338b7752900e9977d523374e1faecb9fc5fac87eba9d40d94c7f46aa1eb0f0eb6f646b7b6dd62bd82c939caa79fc7158d815c5a396ad6ab6e65654cf3f
PEiD: –
PEInfo: PE Structure information

( base data )
entry point address: 0x402540
time/date stamp: 0x4899bb4e (Wed Aug 06 14:55:10 2008)
machine type: 0x14c (I386)

( 3 sections )
name   virtual addr  virtual size  raw size  entropy  md5
.code  0x1000        0x33994       0x4800    4.11     00679324558732af6c893b011d7d0db3
DATA   0x35000       0x1bc70       0x1ae00   8.00     9cf75f7813add823fe3e17434810c5c2
.rsrc  0x51000       0x1000        0x600     7.19     6499d98dc4d5856dec43ffc292cce676
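The section listing above is the evidence behind the "unknown packer" call: the DATA section sits at the maximum entropy of 8.00 while .code is at 4.11, which is what a compressed or encrypted payload waiting to be unpacked at run time looks like. The following Python script is an added illustration, not code from the original post: it walks the PE headers with the standard library only, computes per-section Shannon entropy and flags sections above a threshold, the same triage a malware analyst does before deciding whether to bother with static analysis. The 7.0 threshold, the minimal PE builder and the three-section sample image (seeded pseudo-random bytes standing in for the packed blob) are assumptions constructed for this demonstration; the timestamp and machine type in the sample are taken from the listing.

```python
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

# Heuristic threshold (an assumption for this example, not a value from the
# post): byte entropy ranges 0..8 bits; compressed or encrypted payloads sit
# near the top, ordinary compiled code and text well below.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return machine type, link timestamp and per-section entropy."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": shannon_entropy(raw),
        })
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


def flag_packed(info: dict, threshold: float = PACKED_THRESHOLD) -> list:
    """Names of sections whose raw bytes look compressed or encrypted."""
    return [s["name"] for s in info["sections"] if s["entropy"] >= threshold]


def build_sample_pe(sections, stamp=0x4899BB4E) -> bytes:
    """Assemble a minimal, non-executable PE container around [(name, bytes)].
    Constructed for this demonstration; only the fields parse_pe reads are set."""
    e_lfanew, opt_size, file_align = 0x80, 224, 0x200
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = -(-header_len // file_align) * file_align  # round up to file alignment
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, opt_size, 0x0102)
    headers, bodies, vaddr = b"", b"", 0x1000
    for name, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(data), vaddr, len(data), raw_ptr + len(bodies),
                               0, 0, 0, 0, 0x60000020)
        bodies += data.ljust(-(-len(data) // file_align) * file_align, b"\0")
        vaddr += -(-len(data) // 0x1000) * 0x1000
    return (dos + b"PE\0\0" + coff + b"\0" * opt_size + headers).ljust(raw_ptr, b"\0") + bodies


def sample_image() -> bytes:
    """A constructed three-section image mirroring the shape of the listing above:
    low-entropy code, a high-entropy DATA blob and a small resource section."""
    rng = random.Random(2008)
    code = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56,
                  0x57, 0x8B, 0x7D, 0x08, 0xE8, 0x00, 0x00, 0x00]) * 0x400
    packed = bytes(rng.getrandbits(8) for _ in range(0x10000))
    rsrc = b'<?xml version="1.0"?><assembly/>'.ljust(0x400, b"\0")
    return build_sample_pe([(".code", code), ("DATA", packed), (".rsrc", rsrc)])


if __name__ == "__main__":
    info = parse_pe(sample_image())
    print(f"machine 0x{info['machine']:x}, linked {info['timestamp']} UTC")
    for s in info["sections"]:
        print(f"{s['name']:<8} va=0x{s['vaddr']:06x} raw={s['rawsize']:#x} entropy={s['entropy']:.2f}")
    print("likely packed:", flag_packed(info))
```

Run against a real sample, `parse_pe(open(path, "rb").read())` gives the same columns as the listing above; a section at or near 8.00 with a tiny code section in front of it is the usual shape of a custom-packed dropper, and a high-entropy .rsrc (7.19 here) often means an embedded payload stored as a resource. Entropy alone does not prove packing (legitimate installers carry compressed data too), so treat it as a triage signal to be confirmed by a PEiD-style signature match or by watching the process unpack under a debugger.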

One Response to Fake Internet Explorer 7.0 update = Antivirus XP 2008

  1. All day, I have been bombarded every couple of minutes by continued requests to download & buy Microsoft Internet Explorer antivirus protection XP 2008! It occurs about every 2 minutes, what can I do to get rid of this. Please help