Topic: Fake MS patch email -> Fake Spyware Doctor!  (Read 1374 times)
« on: June 26, 2007, 18:05:43 »
AplusWebMaster (Global Moderator)
FYI...

- http://isc.sans.org/diary.html?storyid=3054
Last Updated: 2007-06-26 22:46:51 UTC ...(Version: 3)
"Several of our readers reported an email that led to a fake Microsoft patch being spammed on the net today. The email had their full names and, in one case, the company they worked for included in the body of the email. So far I have seen 4 different URLs. We are working on getting the systems hosting the malware cleaned or shut down. We have submitted the malware itself to most of the AV vendors, so detection should improve, but currently it is not detected... You can see in the body of the email... that the spelling is bad and the license key is not in the right format for XP nor Outlook. Microsoft pointed us to a couple of web pages they maintain that should help you recognize fraudulent email...

> http://www.microsoft.com/protect/yourself/phishing/msemail.mspx

> http://www.microsoft.com/canada/athome/security/email/ms_genuine_mail.mspx

=====================================
From Norman Sandbox:
MSOUTRC2007Update-KB863892.exe : INFECTED with W32/Malware (Signature: NO_VIRUS)
 [ DetectionInfo ]
    * Sandbox name: W32/Malware
    * Signature name: NO_VIRUS
 [ General information ]
    * Drops files in %WINSYS% folder.
    * File length:        20480 bytes.
    * MD5 hash: c7a8bde380043b5d8d7229e82db1c2fc.
 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\sdoctor.exe.
    * Creates file C:\france.html.
    * Deletes file c:\france.html.
 [ Changes to registry ]
    * Creates value "SpywareDoctor"="C:\WINDOWS\SYSTEM32\sdoctor.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
 [ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
    * Attemps to NULL C:\COMMAND.COM /c del c:\sample.exe >> NUL.
    * Modifies other process memory.
    * Creates a remote thread.
[ Signature Scanning ]
    * C:\WINDOWS\SYSTEM32\sdoctor.exe (20480 bytes) : no signature detection...

We notified one of the support teams at a hosting provider that a virus was found on one of their customers' systems. Their auto responder responded within a minute. A support person removed the malware and responded within 30 minutes. When I tried to verify that, I found the malware was still there or back. When I notified the hosting provider that the malware was back, the support person analysed logs, determined it was being uploaded via FTP and immediately disabled the FTP account involved."


 
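The Norman Sandbox report quoted in the post lists exactly the things a responder needs to sweep a network for this sample: the MD5 of the dropper, the dropped binary in SYSTEM32, and the "SpywareDoctor" value written to the HKCU Run key for persistence. The following Python is an added example, not code from the post or from Norman: it parses that report text (embedded inline as constructed input) into a structured indicator set and then checks a constructed host snapshot against it. `check_host` takes the Run-key contents and a file list as plain Python data rather than reading the live registry, so it runs anywhere; on a real Windows host you would feed it the values exported from `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the file listing of `%WINSYS%`. The `ctfmon.exe` Run entry in the snapshot is a constructed benign value included to show that only the indicator-matching value is reported.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the Norman Sandbox report quoted in the post above, embedded
# verbatim so the example runs offline (the "Attemps" typo is Norman's own).
SANDBOX_REPORT = r"""
MSOUTRC2007Update-KB863892.exe : INFECTED with W32/Malware (Signature: NO_VIRUS)
 [ DetectionInfo ]
    * Sandbox name: W32/Malware
    * Signature name: NO_VIRUS
 [ General information ]
    * Drops files in %WINSYS% folder.
    * File length:        20480 bytes.
    * MD5 hash: c7a8bde380043b5d8d7229e82db1c2fc.
 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\sdoctor.exe.
    * Creates file C:\france.html.
    * Deletes file c:\france.html.
 [ Changes to registry ]
    * Creates value "SpywareDoctor"="C:\WINDOWS\SYSTEM32\sdoctor.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
 [ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
    * Attemps to NULL C:\COMMAND.COM /c del c:\sample.exe >> NUL.
    * Modifies other process memory.
    * Creates a remote thread.
[ Signature Scanning ]
    * C:\WINDOWS\SYSTEM32\sdoctor.exe (20480 bytes) : no signature detection...
"""


@dataclass
class Indicators:
    sample_name: str = ""
    md5: str = ""
    file_length: int = 0
    files_created: list = field(default_factory=list)
    files_deleted: list = field(default_factory=list)
    autoruns: list = field(default_factory=list)    # (registry key, value name, data)
    behaviours: list = field(default_factory=list)  # process/window observations


MD5_RE = re.compile(r"MD5 hash:\s*([0-9a-f]{32})", re.I)
LENGTH_RE = re.compile(r"File length:\s*(\d+)\s*bytes", re.I)
CREATE_RE = re.compile(r"Creates file (.+)", re.I)
DELETE_RE = re.compile(r"Deletes file (.+)", re.I)
VALUE_RE = re.compile(r'Creates value "([^"]+)"="([^"]*)" in key "([^"]+)"', re.I)


def parse_norman_report(text):
    """Turn the bullet-list sandbox report into an Indicators record."""
    ind = Indicators()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s*:\s*INFECTED", line)     # header line names the sample
        if m and not ind.sample_name:
            ind.sample_name = m.group(1)
            continue
        m = re.match(r"\[\s*(.+?)\s*\]$", line)          # "[ Section name ]"
        if m:
            section = m.group(1)
            continue
        if not line.startswith("*"):
            continue
        item = line[1:].strip().rstrip(".")              # drop bullet and trailing period
        if m := MD5_RE.search(item):
            ind.md5 = m.group(1).lower()
        elif m := LENGTH_RE.search(item):
            ind.file_length = int(m.group(1))
        elif m := VALUE_RE.search(item):
            name, data, key = m.groups()
            if key.lower().endswith("\\run"):           # Run-key values are persistence
                ind.autoruns.append((key, name, data))
        elif m := CREATE_RE.match(item):
            ind.files_created.append(m.group(1))
        elif m := DELETE_RE.match(item):
            ind.files_deleted.append(m.group(1))
        elif section == "Process/window information":
            ind.behaviours.append(item)
    return ind


def check_host(ind, run_values, present_files):
    """Compare a host snapshot with the indicators. run_values maps registry key ->
    {value name: data}; present_files is an iterable of paths. Comparison is
    case-insensitive because Windows paths and registry names are."""
    findings = []
    present = {p.lower() for p in present_files}
    for path in ind.files_created:
        if path.lower() in present:
            findings.append(f"dropped file present: {path}")
    reg = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in run_values.items()}
    for key, name, data in ind.autoruns:
        actual = reg.get(key.lower(), {}).get(name.lower())
        if actual is not None and actual.lower() == data.lower():
            findings.append(f"autorun persistence: {key}\\{name} = {data}")
    return findings


# Constructed snapshot of an infected host: the dropped binary and the Run value are
# present; france.html is absent because the sample deleted it again.
INFECTED_HOST_REGISTRY = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",   # constructed benign entry
        "SpywareDoctor": r"C:\WINDOWS\SYSTEM32\sdoctor.exe",
    }
}
INFECTED_HOST_FILES = [r"C:\WINDOWS\SYSTEM32\sdoctor.exe", r"C:\WINDOWS\system32\ctfmon.exe"]

if __name__ == "__main__":
    ind = parse_norman_report(SANDBOX_REPORT)
    print("sample:", ind.sample_name, "md5:", ind.md5, "length:", ind.file_length)
    for finding in check_host(ind, INFECTED_HOST_REGISTRY, INFECTED_HOST_FILES):
        print("FINDING:", finding)
```

Because the indicators are derived from the report rather than typed in by hand, the same parser can be pointed at a later sandbox report for a new variant; only the embedded text changes. Note that a Run-key value whose data differs from the sandbox path (for example a renamed copy of the dropper) would not be reported by this exact-match check, which is why the MD5 and the dropped-file check are carried alongside it.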