Fake Microsoft Internet Explorer 7.0 Update

August 6, 2008

A few minutes ago we discovered another spam campaign, this time offering an update to Microsoft Internet Explorer 7.0. What’s interesting about this particular message is that it appears to be in exactly the same format as the one used to distribute get_flash_update.exe, as seen in some attacks. The message comes from the address admin@microsoft.com, or so it appears to be. When you click on the link, an executable with the filename update.exe is downloaded (this is a downloader Trojan).


File size: 139776 bytes
MD5...: 6b50dc99f2ca5e90ef6ecef9a25c6157
SHA1..: 464d7f2e540eafc2162293ad11b28ba8b91dd21b
SHA256: 9083a161e7e9fb25bd99d814cfafa953881b1249ad079040c5faf158a3b7f203
SHA512: 1c70fe117fb7a757807484bad7ab7400427433e0b9e1cceb05c72b194cb22e7d
PEiD..: -
PEInfo: PE Structure information ( base data )
entrypointaddress.: 0x40254a
timedatestamp.....: 0x4898440b Tue Aug 05 12:14:03 2008
machinetype.......: 0x14c (I386)
( 3 sections )
name   viradd   virsiz   rawdsiz  ntrpy  md5
.text  0x1000   0x33d2c  0x4a00   4.01   320f92325281cf38056300846e33e293
DATA   0x35000  0x1b020  0x1ae00  8.00   b2da8ac3f7624aaec4e58820ca98f3d1
.rsrc  0x51000  0x1000   0x600    6.54   5a86ae6138955d3b751ed9ef76093acd