David Baxter PhD
Late Founder
Outlook Malware from Last Week Comes Back for a Visit
11 June 2009
It looks like the Outlook Reconfiguration Malware from last week has returned for another round, this time claiming that other user mail clients are in need of reconfiguration.
This one is fairly interesting because it seems to be rather confused as to which mail client is supposed to be reconfigured. Many of the samples that I have reviewed use different mail client names between the message subject and the body. A couple of examples:
Message Subject: Microsoft Outlook Setup Notification
Message Body:
You have (6) message from Outlook Express.
Please re-configure your Microsoft Outlook again.
Download attached setup file and install.
Message Subject: TheBat Setup Notification
Message Body:
You have (9) message from Microsoft Outlook.
Please re-configure your TheBat again.
Download attached setup file and install.
Notice the inconsistency between the subject line and the first two sentences of the body: the message may announce a setup notification for TheBat (a legitimate mail client whose name is frequently spoofed in spam), then tell you that you have X messages from Microsoft Outlook, and then tell you to reconfigure TheBat again. I am not sure if this is intentional (it is sloppy work on the part of the spammer if it is) or if it is just a piece of broken spamware.
These messages carry an attachment named client_update.zip with an MD5 checksum of a50838afddd97a744804bdb6b153b101.
VirusTotal reports (as of this writing) that only about 60% of the antivirus engines detect this malware, which is nonetheless better coverage than we typically see in the early stages of a new attack. This supports the theory that the new sample is close enough to last week's that the older signatures still catch it.
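The two indicators the diary gives (the attachment name and its MD5) and the subject/body inconsistency it describes can be turned into a small mail-triage check. The script below is an added example, not code from the diary or from ISC: it builds constructed sample messages in memory (the attachment payload is placeholder bytes, not the real sample, so its MD5 will not match the published hash), then reports whether any attachment matches the name or hash IOC and whether the body names a mail client that the subject does not. The list of client names is an assumption taken from the quoted samples.

```python
"""Triage for the 'mail client reconfiguration' lure (added example, not from the diary)."""
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators quoted in the diary text above.
IOC_ATTACHMENT_NAME = "client_update.zip"
IOC_MD5 = "a50838afddd97a744804bdb6b153b101"

# Client names seen in the quoted samples (assumed list). Longer names come first
# so that "Outlook Express" is not split and reported as a different client.
CLIENT_NAMES = ("Outlook Express", "Microsoft Outlook", "TheBat")
CLIENT_RE = re.compile("|".join(re.escape(n) for n in CLIENT_NAMES), re.IGNORECASE)


def build_sample(subject, body, attachment_bytes, attachment_name=IOC_ATTACHMENT_NAME):
    """Construct an in-memory message shaped like the lure (constructed sample data)."""
    msg = EmailMessage()
    msg["From"] = "setup@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(attachment_bytes, maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: the bodies follow the diary; the zip payload is a placeholder.
PLACEHOLDER_ZIP = b"PK\x03\x04 placeholder bytes, not the real client_update.zip"
SAMPLE_OUTLOOK = build_sample(
    "Microsoft Outlook Setup Notification",
    "You have (6) message from Outlook Express.\n"
    "Please re-configure your Microsoft Outlook again.\n"
    "Download attached setup file and install.\n",
    PLACEHOLDER_ZIP)
SAMPLE_THEBAT = build_sample(
    "TheBat Setup Notification",
    "You have (9) message from Microsoft Outlook.\n"
    "Please re-configure your TheBat again.\n"
    "Download attached setup file and install.\n",
    PLACEHOLDER_ZIP)
# A consistent message with a differently named attachment, for contrast.
SAMPLE_BENIGN = build_sample(
    "Microsoft Outlook Setup Notification",
    "Please re-configure your Microsoft Outlook.\n",
    PLACEHOLDER_ZIP, attachment_name="notes.zip")


def attachment_findings(msg):
    """Hash every attachment and compare name and MD5 against the IOCs."""
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        digest = hashlib.md5(payload).hexdigest()
        name = part.get_filename() or ""
        findings.append({
            "name": name,
            "md5": digest,
            "name_matches_ioc": name.lower() == IOC_ATTACHMENT_NAME,
            "md5_matches_ioc": digest == IOC_MD5,
        })
    return findings


def named_clients(text):
    """Return the set of mail-client names (lower-cased) mentioned in text."""
    return {m.group(0).lower() for m in CLIENT_RE.finditer(text or "")}


def client_mismatch(msg):
    """Flag a body that names a client the subject does not, or names two clients."""
    subject_clients = named_clients(str(msg["Subject"] or ""))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_clients = named_clients(body_part.get_content() if body_part else "")
    mismatch = bool(body_clients - subject_clients) or len(body_clients) > 1
    return {"subject": sorted(subject_clients), "body": sorted(body_clients),
            "mismatch": mismatch}


def triage(raw_bytes):
    """Parse a raw RFC 822 message and return the combined verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    attachments = attachment_findings(msg)
    clients = client_mismatch(msg)
    ioc_hit = any(a["name_matches_ioc"] or a["md5_matches_ioc"] for a in attachments)
    return {"attachments": attachments, "clients": clients,
            "suspicious": ioc_hit or clients["mismatch"]}


if __name__ == "__main__":
    for label, raw in (("outlook", SAMPLE_OUTLOOK), ("thebat", SAMPLE_THEBAT),
                       ("benign", SAMPLE_BENIGN)):
        print(label, triage(raw))
```

A mail gateway would feed real `.eml` bytes into `triage()`; the hash comparison is exact, so a recompiled or repacked zip will only be caught by the name check or the subject/body inconsistency, which is why both are kept.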
Either way, be on the lookout for this respin of last week's news.