
SANS ISC InfoSec Handlers Diary Blog



IE7.0.exe

Published: 2007-03-29
Last Updated: 2007-03-29 23:29:59 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

We've received a number of reports of spam appearing to come from "admin@microsoft.com" containing a link to a file called IE7.0.exe.

This is what VirusTotal has to say about it:

Antivirus Version Update Result
AhnLab-V3 2007.3.30.0 20070329 -
AntiVir 7.3.1.46 20070329 TR/Proxy.Agent.CL
Authentium 4.93.8 20070329 -
Avast 4.7.936.0 20070329 -
AVG 7.5.0.447 20070329 -
BitDefender 7.2 20070329 -
CAT-QuickHeal 9.00 20070329 (Suspicious) - DNAScan
ClamAV devel-20070312 20070329 -
DrWeb 4.33 20070329 -
eSafe 7.0.15.0 20070329 -
eTrust-Vet 30.6.3522 20070329 -
Ewido 4.0 20070329 -
F-Prot 4.3.1.45 20070328 -
F-Secure 6.70.13030.0 20070329 Virus.Win32.Grum.a
FileAdvisor 1 20070330 -
Fortinet 2.85.0.0 20070329 suspicious
Ikarus T3.1.1.3 20070329 -
Kaspersky 4.0.2.24 20070329 Virus.Win32.Grum.a
McAfee 4995 20070329 -
Microsoft 1.2306 20070329 -
NOD32v2 2154 20070329 -
Norman 5.80.02 20070329 -
Panda 9.0.0.4 20070329 Suspicious file
Prevx1 V2 20070330 Covert.Sys.Exec
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=c9a385855469
Sophos 4.16.0 20070329 -
Sunbelt 2.2.907.0 20070329 VIPRE.Suspicious
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
Symantec 10 20070330 Trojan Horse
TheHacker 6.1.6.080 20070323 -
UNA 1.83 20070316 -
VBA32 3.11.3 20070329 suspected of Trojan-PSW.Pinch.1 (paranoid heuristics)
VirusBuster 4.3.7:9 20070329 -
Webwasher-Gateway 6.0.1 20070329 Trojan.Proxy.Agent.CL

File:
Name IE7.0.exe
Size 33280
md5 8e12a8281a6c6ebdbd75c26a93e69437
sha1 de94c34d51e8c04df174e27bc04eed134aca57d7
Date scanned 03/30/2007 00:22:04 (CET)

Norman Sandbox doesn't detect it, and it seems not to run in certain virtual machines either.

Check your logs on proxy servers etc. for IE7.0.exe; it's being hosted in multiple places around the world.
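As an added example (not part of the original diary), here is one way to do that log check and to match any file you retrieve against the indicators listed above. The script assumes Squid's native access.log layout (timestamp, elapsed, client, status, size, method, URL, ...); the sample log lines, hosts and client addresses below are constructed for illustration, and the file name, size and hashes are the ones given in the diary.

```python
import hashlib
import re

# Indicators as listed in the diary above.
IOC_FILENAME = "IE7.0.exe"
IOC_SIZE = 33280
IOC_MD5 = "8e12a8281a6c6ebdbd75c26a93e69437"
IOC_SHA1 = "de94c34d51e8c04df174e27bc04eed134aca57d7"

# Assumed Squid native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log (hosts and addresses are placeholders).
SAMPLE_LOG = """\
1175212800.123    512 10.0.0.15 TCP_MISS/200 33720 GET http://example.invalid/download/IE7.0.exe - DIRECT/192.0.2.10 application/octet-stream
1175212801.456     80 10.0.0.22 TCP_HIT/200 4321 GET http://www.example.invalid/index.html - NONE/- text/html
1175212802.789    640 10.0.0.31 TCP_MISS/200 33720 GET http://example.invalid/ie7.0.EXE?id=7 - DIRECT/192.0.2.20 application/octet-stream
1175212803.000    120 10.0.0.40 TCP_MISS/404 512 GET http://example.invalid/IE7.0.exe.txt - DIRECT/192.0.2.30 text/html
"""


def find_ie7_downloads(lines):
    """Return one dict per proxy log line whose requested file name is IE7.0.exe.

    The comparison is case-insensitive and ignores any query string, so
    'ie7.0.EXE?id=7' is a hit while 'IE7.0.exe.txt' is not.
    """
    hits = []
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue  # not a Squid native-format line; skip it
        url = m.group("url")
        path = url.split("?", 1)[0]            # strip query string
        basename = path.rsplit("/", 1)[-1]     # last path component
        if basename.lower() == IOC_FILENAME.lower():
            hits.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "status": m.group("status"),
                "url": url,
            })
    return hits


def classify_file(data: bytes) -> str:
    """Compare a retrieved file against the diary's hashes and size.

    Returns 'hash_match' when md5 and sha1 both match, 'size_match_only'
    when only the 33280-byte size matches (possibly a repacked variant,
    worth a closer look), and 'no_match' otherwise.
    """
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    if md5 == IOC_MD5 and sha1 == IOC_SHA1:
        return "hash_match"
    if len(data) == IOC_SIZE:
        return "size_match_only"
    return "no_match"


if __name__ == "__main__":
    for hit in find_ie7_downloads(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} {hit['status']} {hit['url']}")
    print(classify_file(b"not the sample"))
```

Run it against a real access.log with `find_ie7_downloads(open("access.log"))`; the size-only match is reported separately because a repacked copy of the same downloader keeps the name but not the hashes, and a hash comparison alone would miss it.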

Thanks to Dan, Brian, Sean, Richard and many other readers.

--
Swa Frantzen --- NET2S