Outlook Malware from Last Week Comes Back for a Visit
My apologies for being a bit light on posting this week. I have been in Amsterdam for the 16th MAAWG Conference. It's been a great conference with some outstanding presentations, but I am looking forward to being home tomorrow!
It looks like the Outlook Reconfiguration Malware from last week has returned for another round, this time claiming that other user mail clients are in need of reconfiguration.
This one is fairly interesting because it seems to be rather confused as to which mail client is supposed to be reconfigured. Many of the samples that I have reviewed use different mail client names between the message subject and the body. A couple of examples:
Message Subject: Microsoft Outlook Setup Notification
Message Body:
You have (6) message from Outlook Express.
Please re-configure your Microsoft Outlook again.
Download attached setup file and install.
Message Subject: TheBat Setup Notification
Message Body:
You have (9) message from Microsoft Outlook.
Please re-configure your TheBat again.
Download attached setup file and install.
Notice that, between the subject line and the first two sentences of the body, a single message might tell you that you are receiving a setup notification for TheBat (a legitimate mail client frequently spoofed in spam), that you have X messages from Microsoft Outlook, and that you need to reconfigure TheBat again. I am not sure whether this is intentional (it is sloppy work on the part of the spammer if it is) or whether it is just a piece of broken spamware.
These messages carry an attachment named client_update.zip with an MD5 checksum of a50838afddd97a744804bdb6b153b101.
VirusTotal reports (as of the time of this writing) that only about 60% of the antivirus engines detect this malware, which is better than we typically see in the early stages of a new attack. This supports the theory that the new malware is close enough to the one seen last week that the old signatures may still be catching it.
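As an added example (not code from the original post), here is a small Python triage check that turns the two observations above into detection logic: it pulls the mail-client name out of the subject line and out of each of the body's fixed phrases and flags a mismatch, and it compares any attachment against the client_update.zip name and MD5 quoted above. The sample message is constructed, and the regexes and the two-of-three phrase threshold are my own assumptions.

```python
import hashlib
import re
from email import message_from_string, policy

# Attachment name and MD5 quoted in the write-up, plus the lure's three fixed phrases.
KNOWN_ATTACHMENT = "client_update.zip"
KNOWN_MD5 = "a50838afddd97a744804bdb6b153b101"
SUBJECT_RE = re.compile(r"^(?P<client>.+?) Setup Notification\s*$")
COUNT_RE = re.compile(r"You have \(\d+\) messages? from (?P<client>.+?)\.")
RECONF_RE = re.compile(r"Please re-configure your (?P<client>.+?) again\.")

def classify(raw):
    """Return lure-template hits, client-name mismatches and attachment IoC hits."""
    msg = message_from_string(raw, policy=policy.default)
    text_part = msg.get_body(("plain",))
    body = text_part.get_content() if text_part else ""
    names, reasons = {}, []
    for label, rx, text in (("subject", SUBJECT_RE, msg.get("Subject", "")),
                            ("count", COUNT_RE, body), ("reconfigure", RECONF_RE, body)):
        m = rx.search(text)
        if m:
            names[label] = m.group("client").strip()
    if len(names) >= 2:  # two of the three phrases is enough to call it the template
        reasons.append("lure template matched: " + ", ".join(sorted(names)))
    if len(set(names.values())) > 1:  # the subject/body confusion noted above
        reasons.append("inconsistent client names: " + " / ".join(names.values()))
    for att in msg.iter_attachments():
        fname = att.get_filename() or ""
        digest = hashlib.md5(att.get_payload(decode=True) or b"").hexdigest()
        if fname.lower() == KNOWN_ATTACHMENT or digest == KNOWN_MD5:
            reasons.append("known attachment indicator: %s %s" % (fname, digest))
    return {"suspicious": bool(reasons), "reasons": reasons, "clients": names}

# Constructed sample reproducing the second lure quoted above; the zip bytes are fake.
SAMPLE = """Subject: TheBat Setup Notification
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have (9) message from Microsoft Outlook.
Please re-configure your TheBat again.
Download attached setup file and install.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="client_update.zip"

not-a-real-zip
--b1--
"""
```

Running classify(SAMPLE) reports the template, the TheBat / Microsoft Outlook mismatch and the attachment name; the MD5 branch only fires on the real sample, which is not embedded here.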
Either way, be on the lookout for this respin of last week's news.
Posted by smasiello at 3:48 PM
