MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Friday, 30 March 2007

Bogus IE7 Being Spammed Out

Here's a screenshot of one of several odd e-mails I started to receive yesterday.



If you click on the graphic in the real e-mail, or hover over it, you will see a link to what appears to be a file called 'IE7.0.exe'. Like I'm going to click on that and let it run, no way!

From the many IE7 e-mails I have received, it appears this executable is hosted on a number of sites round the world.

Here are the from and subject lines for the ones I have seen so far:

Subject: Explorer 7
From: admin@windows.com

Subject: Internet Explorer 7 Downloads
From: admin@microsoft.com

With the first samples of this I saw, I downloaded the linked file and found that at that time it was not an executable but an HTML file carrying out click fraud with a click counter. However, this morning I found that one of the new ones I had received at 07:45 was linked to a real executable file, details below:

FileName: IE7.0.exe
FileDateTime: 30/03/2007 08:09:09
Filesize: 33280
MD5: 8e12a8281a6c6ebdbd75c26a93e69437
CRC32: 95BCDAFB
File Type: PE Executable
It appears to be packed using PE Pack 1.0.
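The file details above are the kind of first-pass triage you do on a sample before handing it to a sandbox: hashes, confirmation that it really is a PE executable, and a look at the section table for packer tell-tales. The script below is an added example, not code from the post, and it runs on a constructed minimal PE image rather than the real IE7.0.exe (the MD5 and CRC32 it prints are therefore for that constructed blob, not the values listed above). The UPX, ASPack and Petite section names are real packer signatures; the "PEPACK" section name standing in for the post's "PE Pack 1.0" is an assumption, as are the two generic heuristics (a section that is empty on disk but large in memory, and a section that is both writable and executable).

```python
"""Offline triage of a suspected PE sample: hashes, PE magic check, section table
and packer hints. Added example; the bytes built below are CONSTRUCTED and are not
the IE7.0.exe sample from the post."""
import hashlib
import struct
import zlib

# Section-name heuristics. UPX*/.aspack/.adata/.petite are real packer section
# names; "PEPACK" is an ASSUMED marker standing in for the post's "PE Pack 1.0".
PACKER_SECTIONS = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".petite": "Petite",
    "PEPACK": "PE Pack (assumed section name)",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_FILE_DLL = 0x2000


def parse_sections(data: bytes, e_lfanew: int, nsect: int, size_opt: int) -> list:
    """Walk the 40-byte IMAGE_SECTION_HEADER entries that follow the optional header."""
    table = e_lfanew + 4 + 20 + size_opt          # PE\0\0 + COFF header + optional header
    sections = []
    for i in range(nsect):
        off = table + 40 * i
        if off + 40 > len(data):
            break                                 # truncated section table: stop, don't crash
        name, vsize, _vaddr, rawsize, _rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "characteristics": chars})
    return sections


def triage(data: bytes) -> dict:
    """Return hashes, file type, section names and packer hints for a blob."""
    info = {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
            "file_type": "not a PE file", "sections": [], "packer_hints": []}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        info["file_type"] = "MZ header without PE signature"
        return info
    _machine, nsect, _ts, _symtab, _nsyms, size_opt, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)                      # IMAGE_FILE_HEADER
    info["file_type"] = "PE DLL" if chars & IMAGE_FILE_DLL else "PE Executable"
    secs = parse_sections(data, e_lfanew, nsect, size_opt)
    info["sections"] = [s["name"] for s in secs]
    for s in secs:
        if s["name"] in PACKER_SECTIONS:
            info["packer_hints"].append(f"section {s['name']!r} -> {PACKER_SECTIONS[s['name']]}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            info["packer_hints"].append(
                f"section {s['name']!r} is empty on disk but {s['virtual_size']:#x} bytes "
                "in memory (filled in at runtime by an unpacker stub)")
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            info["packer_hints"].append(f"section {s['name']!r} is writable and executable")
    return info


def build_sample_pe() -> bytes:
    """CONSTRUCTED minimal PE image (headers only, not runnable code) used as input."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b"PEPACK", 0x4000, 0x1000, 0, 0, 0xE0000020),        # empty on disk, RWX: typical packer target
        (b".rsrc", 0x200, 0x5000, 0x200, 0x200, 0x40000040),  # ordinary read-only data section
    ]
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0, 0x0102)  # i386, no optional header
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + table + b"\0" * 0x200


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run it against a real file with `triage(open(path, "rb").read())`. Section-name matching is only a hint: packers are trivially renamed, which is why the generic raw-size and RWX checks are worth more than the name table, and why the Norman sandbox result in the post is the better indicator that something is actively resisting analysis.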

The Norman Sandbox failed to run it, probably because it is using anti-sandbox or anti-emulation tricks.

I also sent it off to be scanned by over 30 anti-malware tools, here are the results:

Scan report of: IE7.0.exe.4 ("-" means no detection)

@Proventia-VPS       -
AntiVir              TR/Proxy.Agent.CL
Avast!               -
AVG                  -
BitDefender          -
ClamAV               Trojan.Spy-3301
Command              W32/Grum.A (exact)
Dr Web               Win32.Grum
eSafe                -
eTrust-VET           -
eTrust-VET (BETA)    -
Ewido                -
F-Prot               -
F-Secure             Virus.Win32.Grum.a
F-Secure (BETA)      Virus.Win32.Grum.a
Fortinet             W32/Grum.A
Fortinet (BETA)      W32/Grum.A
Ikarus               Virus.Win32.Grum.a
Kaspersky            Virus.Win32.Grum.a
McAfee               -
McAfee (BETA)        -
Microsoft            Trojan:Win32/Grum.A
Nod32                Win32/TrojanProxy.Skopa.B trojan
Norman               -
Panda                Suspicious file
Panda (BETA)         Suspicious file
QuickHeal            Suspicious (warning)
Rising               -
Sophos               W32/Grum-A
Symantec             -
Symantec (BETA)      Trojan Horse
Trend Micro          -
Trend Micro (BETA)   TROJ_GRUM.I
UNA                  -
VBA32                -
VirusBuster          -
WebWasher            Trojan.Proxy.Agent.CL
YY_Spybot            Smitfraud-C.,,Installer

As you can see, detection is still somewhat patchy as I write this entry: even McAfee and Symantec are behind the likes of F-Secure and Kaspersky, and even Microsoft detects it!

If you look at the raw ASCII of the e-mail itself, it is padded out with lots of text grabbed from numerous web pages, news stories and the like. This padding (often called Bayesian poisoning or hash-busting) is there to make the message look like ordinary text to statistical anti-spam filters and to vary each copy so that signature or hash matching fails, letting the e-mail, with its link to possibly malicious code, through anti-spam and anti-malware filters.

This case yet again shows that the Bad Guys and Girls are using social engineering to get you to infect your own computer [or your company's]. I gave a presentation on the growing use of social engineering just yesterday morning. A very timely warning and wake-up call to those that attended.

So, don't fall for it, and "Beware Microsoft Bearing Gifts": Microsoft doesn't e-mail you software, and just because an e-mail says it comes from Microsoft doesn't mean that it really does. The From address is just a header the sender types in, so it is very easy to forge and proves nothing about where the message came from. You have been warned.
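The padding text, the executable behind an image link, and the forged From address described above are all visible in the raw message, so they can be checked mechanically. The script below is an added example, not code from the post: it parses a constructed e-mail (documentation hosts and IPs, not the real spam) with Python's standard library and reports the three tell-tales. The hidden-text CSS patterns, the list of executable extensions and the Return-Path comparison are heuristics assumed for this example; on real mail you would additionally check SPF/DKIM results rather than trust the Return-Path alone.

```python
"""Triage of a raw e-mail like the one in the post: forged From header, image link
to an executable, and hidden padding text. Added example with a CONSTRUCTED message;
hosts and IPs are documentation addresses, not the original spam's."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")   # assumed list
HIDING_CSS = ("display:none", "visibility:hidden", "font-size:0", "color:white", "color:#fff")

SAMPLE_EMAIL = b"""\
Return-Path: <bounce@bulkmailer.example.net>
Received: from mail.bulkmailer.example.net ([192.0.2.10]) by mx.example.org; Fri, 30 Mar 2007 07:45:00 +0100
From: admin@microsoft.com
To: victim@example.org
Subject: Internet Explorer 7 Downloads
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Download the new Internet Explorer 7 now</p>
<a href="http://203.0.113.7/ie7/IE7.0.exe"><img src="http://203.0.113.7/ie7/banner.gif"></a>
<p style="font-size:0px;color:white">Shares closed higher on Wall Street today as investors welcomed the figures. The minister said the proposals would be discussed next week. Heavy rain is expected across the north.</p>
</body></html>
"""


class _Extractor(HTMLParser):
    """Collect hrefs and count words inside visible vs. CSS-hidden elements."""

    def __init__(self):
        super().__init__()
        self.links, self.visible_words, self.hidden_words = [], 0, 0
        self._stack, self._hidden_depth = [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = any(pat in style for pat in HIDING_CSS)
        self._stack.append((tag, hidden))
        self._hidden_depth += hidden

    def handle_endtag(self, tag):
        while self._stack:                      # pop through unclosed void tags like <img>
            t, hidden = self._stack.pop()
            self._hidden_depth -= hidden
            if t == tag:
                break

    def handle_data(self, data):
        n = len(data.split())
        if self._hidden_depth:
            self.hidden_words += n
        else:
            self.visible_words += n


def analyse(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and return the suspicious findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg["From"] or ""))
    from_dom = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    m = re.search(r"@([\w.-]+)", str(msg["Return-Path"] or ""))
    envelope_dom = m.group(1).lower() if m else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    ex = _Extractor()
    ex.feed(body.get_content() if body else "")
    findings = []
    if from_dom and envelope_dom and from_dom != envelope_dom:
        findings.append(f"From claims {from_dom} but the envelope sender is {envelope_dom}")
    for url in ex.links:
        u = urlparse(url)
        if u.path.lower().endswith(EXEC_EXTENSIONS):
            findings.append(f"link to an executable: {url}")
        host = (u.hostname or "").lower()
        if host and from_dom and not (host == from_dom or host.endswith("." + from_dom)):
            findings.append(f"link host {host} is not under the claimed sender domain {from_dom}")
    if ex.hidden_words > ex.visible_words:
        findings.append(f"{ex.hidden_words} hidden words vs {ex.visible_words} visible: filter-padding text")
    return {"from": from_addr, "from_domain": from_dom, "envelope_domain": envelope_dom,
            "links": ex.links, "hidden_words": ex.hidden_words,
            "visible_words": ex.visible_words, "findings": findings}


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL)["findings"]:
        print("-", finding)
```

The domain comparison is deliberately strict about subdomains (`evil-microsoft.com` does not count as "under" `microsoft.com`), and the link check looks at the path, not the anchor text or the image, because the displayed graphic is exactly what the spammer controls. None of this replaces user caution; it just makes the warning in the text above something a mail gateway can act on.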

Oh, by the way I will post the answer to my last challenge on Monday the 2nd of April, so for those of you that still want to take a crack at solving the case, you have until then.
