Trojan masquerades as IE 7 downloads

March 30th, 2007

Trojan masquerades as IE 7 downloads

Posted by Ryan Naraine @ 6:53 am

Categories: Patch Watch, Hackers, Zero-day attacks, Microsoft, Browsers, Rootkits, Vulnerability research, Responsible disclosure, Spam and Phishing, Spyware and Adware, Botnets, Exploit code, Data theft, Mozilla, Firefox, McAfee, Privacy

+0
2 votes Worthwhile?

Spammers are using fake Internet Explorer 7 (Beta 2) downloads to lure Windows users into downloading a nasty backdoor Trojan.

The fake downloads are part of a massive spam run that includes an official-looking graphic (see image below) linked to Web sites that auto-launch an executable named "ie7.exe."

A copy of this spam that landed in my GMail inbox arrived from "admin@microsoft.com" with the subject line "Internet Explorer 7 Downloads."  Anti-virus vendors tracking the threat say the sender address and download locations are constantly changing as this spam run picks up steam.

    As fast as these domains appear, get spammed, and get killed, they re-appear. If you run a network stream, you can easily look for /IE7.0.exe with a tool like ngrep or flowgrep and look at the download sites. This one is aggressive and is going to get a lot of play. AV detection was poor earlier in the day, and its not much better. Names like Agent.CL and Grum are being used, but even 12 hours later the detection for it is pretty weak. Its got an unrecognized packer and some methods that seem uncommon.