
Spam: Fake Microsoft Outlook Update!

Published: October 26 2009, 08:57 PM
by Satyendra Kumar

A new spam campaign that notifies recipients about a new “Microsoft Outlook Update” is a fake. The following email message shows how spammers are trying to trick users into clicking on a link to install the fake Outlook update (Figure 1).

Figure 1: Spam email showing fake Microsoft Outlook update

The spam email gives a brief description of the update and contains a link that appears to point to update.microsoft.com. This is just another phishing attempt: clicking on the link directs the browser to a different webpage, http://update.microsoft.com.<removed>daz.eu, which hosts the fake update under the file name “officexp-KB910737-FullFile-ENU.exe”.
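
A defensive check for the trick described above, where update.microsoft.com is only the leading part of a hostname that belongs to another domain. This is an added example, not code from the original post; the `TRUSTED` list, the function names and the `attacker.example` host are assumptions, and the sample email is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("microsoft.com",)  # assumption: domains whose name spammers borrow

def belongs_to(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_link(shown_text, href):
    """Return the reasons a link is deceptive (empty list means no finding)."""
    host = (urlsplit(href).hostname or "").lower()
    reasons = []
    for domain in TRUSTED:
        if belongs_to(host, domain):
            continue
        # Trusted name appears as labels inside a host it does not own.
        if "." + domain + "." in "." + host + ".":
            reasons.append("lookalike-host")
        # Visible text names the trusted domain, the target is elsewhere.
        if domain in shown_text.lower():
            reasons.append("text-target-mismatch")
    return reasons

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_email(html):
    """Return (visible text, href, reasons) for every suspicious anchor."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    checked = [(t, h, check_link(t, h)) for t, h in parser.links]
    return [row for row in checked if row[2]]

# Constructed sample body: one lookalike link, one genuine link.
SAMPLE = ('<a href="http://update.microsoft.com.attacker.example/'
          'microsoftofficeupdate/">update.microsoft.com</a> or '
          '<a href="https://support.microsoft.com/">support.microsoft.com</a>')
```

`audit_email(SAMPLE)` reports only the first anchor, with both reasons, because ownership of a hostname is decided by its rightmost labels and not by what it starts with.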


A number of other websites also host the same fake update.


When I downloaded the apparent Microsoft update, pointed to by the link shown in the webpage below (Figure 2), it aroused my suspicions, as I noticed the file size is less than 100 KB.

Figure 2: Webpage for fake Microsoft Outlook update

Well, there is no KB910737, and the downloaded binary is in fact a Trojan that steals sensitive information from the compromised user, identified by CA Antivirus solutions as Win32/Zbot.N.
 
Remember, don’t always trust an email that asks you to click on a link, and make sure you always download the latest Windows updates and keep your CA Antivirus signatures up to date.


By: Satyendra Kumar
Satyendra Kumar Teppalavalasa is a Research Engineer in CA's Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Satyendra previously worked for Applabs as a Sr. Security Researcher leading penetration testing and security compliance teams. His function now includes analyzing...

3 people have left comments:

We have already blogged about several techniques that Zbot uses to infect users. First, it was just a

Posted by: CA Security Advisor Research Blog | November 30, 2009 7:26 PM

There have been different rounds of spam run this week, even though these spam campaign emails are already

Posted by: CA Security Advisor Research Blog | February 6, 2010 4:55 AM

 
 