Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that inform the recipient about a mail server upgrade process. The text in the e-mail messages instructs the recipient to run an SSI certificate update procedure by following a URL to download an .exe file. However, the URL contains a malicious .exe file that, if executed, attempts to infect the user's system with malicious code.
E-mail messages that are related to this threat (RuleID2499) may contain the following file: patch.exe
The patch.exe file has a file size of 90,112 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x9ABC553703F4E4FEDB3ED975502A2C7A
Another version of patch.exe has a file size of 100,352 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x0EE4F395DD071F169E95E34454BBF446
Another version of patch.exe has a file size of 105,984 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0xC007F25D28EAF7D344591DF0F24D461E
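The three size/MD5 pairs above are the indicators a responder would sweep for. The following script is an added example, not Cisco's tooling: it walks a directory for files named patch.exe, compares each one's size and MD5 digest against the advisory's table, and reports a hash match as authoritative while a size-only match is flagged as a candidate for manual review. The `build_demo_dir` helper constructs a scratch directory with a zero-filled stand-in file of one listed size (constructed data, not the real sample) so the scan can be exercised offline.

```python
import hashlib
import os
import tempfile

# Indicators copied from the advisory: MD5 hex digest -> file size in bytes.
# The "0x" prefix used in the advisory text is dropped so the digests compare
# directly with hashlib's lowercase hexdigest() output.
PATCH_EXE_IOCS = {
    "9abc553703f4e4fedb3ed975502a2c7a": 90112,
    "0ee4f395dd071f169e95e34454bbf446": 100352,
    "c007f25d28eaf7d344591df0f24d461e": 105984,
}


def md5_of_file(path, chunk_size=65536):
    """Stream the file through MD5 so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_file(path):
    """Compare one file against the indicator table.

    'match' is True only when the MD5 digest is listed and the size agrees;
    'size_candidate' is True when only the size matches, which is cheap to
    compute and worth a second look but is not on its own a detection.
    """
    size = os.path.getsize(path)
    digest = md5_of_file(path)
    expected_size = PATCH_EXE_IOCS.get(digest)
    return {
        "path": path,
        "size": size,
        "md5": digest,
        "size_candidate": size in PATCH_EXE_IOCS.values(),
        "match": expected_size is not None and expected_size == size,
    }


def scan_directory(root, names=("patch.exe",)):
    """Return check results for every file under root whose name is in `names`
    and which matches an indicator by hash or by size."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in names:
                result = check_file(os.path.join(dirpath, name))
                if result["match"] or result["size_candidate"]:
                    hits.append(result)
    return hits


def build_demo_dir():
    """Constructed test data: a zero-filled stand-in named patch.exe with one
    of the listed sizes (its hash will not match) plus an unrelated file."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    with open(os.path.join(root, "patch.exe"), "wb") as f:
        f.write(b"\x00" * 90112)
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"not an indicator")
    return root


if __name__ == "__main__":
    for hit in scan_directory(build_demo_dir()):
        status = "HASH MATCH" if hit["match"] else "size match only"
        print(f"{hit['path']}: {hit['size']} bytes, md5 {hit['md5']} ({status})")
```

Size is checked first because it costs nothing, but only the hash is treated as a positive; a single listed size will collide with plenty of benign binaries, so the script keeps the two signals separate rather than folding them into one boolean.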
The following text sections are samples of the e-mail messages associated with this threat outbreak:
Subject: Attention- Mail Server Upgrade
Message Body:
Attention!
On October 16, 2009 server upgrade will take place. Due to this system may be offline for approximately half an hour. The changes will concern security, reliability and performance of mail service and the system as a whole. For compatibility of your browsers and mail clients with upgraded server software you should run SSI certificates update procedure. This procedure is quite simple. All you have to do is just click the link provided, to save a patch file and then to run it from your computer location. That's all.
hxxp://updates.betterbricks.com.secure.upd01.net/mail/id=757383450630-89cfc4be@betterbricks.com-patch121.exe
Thank you in advance for your attention to this matter and sorry for possible inconveniences.
System Administrator
And
Subject: Read carefully: Mail Server Upgrade
Message body:
Attention!
On October 22, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour. The changes will concern security, reliability and performance of mail service and the system as a whole. For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure. This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.
hxxp://updates.nospamweb.de.secure.mailserver-upd.com/ssl/id=725106264-greenthumb@nospamweb.de-patch10970.exe
Thank you in advance for your attention to this matter and sorry for possible inconveniences.
System Administrator
And
Subject: Read Carefully - Important User Notification
Message body:
Attention!
On October 30, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour. The changes will concern security, reliability and performance of mail service and the system as a whole. For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure. This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.
hxxp://updates.nospamweb.de.secure.mailserver-upd.com/ssl/id=725106264-greenthumb@nospamweb.de-patch10970.exe
Thank you in advance for your attention to this matter and sorry for possible inconveniences.
System Administrator
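Both sample links share the same construction: the recipient's own mail domain (betterbricks.com, nospamweb.de) appears as a leading part of the host name, while the domain that actually answers the request is the last two labels (upd01.net, mailserver-upd.com), and the path ends in an .exe download. The script below is an added example, not part of the Cisco advisory: it refangs the hxxp links only for parsing, extracts the registrable domain, and reports any brand-like "name.tld" pair buried earlier in the host as an impersonation attempt. `KNOWN_TLDS` is an assumed, deliberately tiny stand-in for the public suffix list, and the two-label rule for the registrable domain is a simplification that a production filter would replace with a real suffix-list lookup.

```python
from urllib.parse import urlsplit

# Links copied from the advisory's message samples, left defanged as hxxp.
SAMPLE_LINKS = [
    "hxxp://updates.betterbricks.com.secure.upd01.net/mail/id=757383450630-89cfc4be@betterbricks.com-patch121.exe",
    "hxxp://updates.nospamweb.de.secure.mailserver-upd.com/ssl/id=725106264-greenthumb@nospamweb.de-patch10970.exe",
]

# Assumption: a minimal stand-in for the public suffix list, enough for these samples.
KNOWN_TLDS = {"com", "net", "org", "de"}


def refang(url):
    """Turn a defanged hxxp/hxxps link back into a parseable URL (parsing only)."""
    return url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)


def registrable_domain(host):
    """Simplified: the last two labels. Real tooling should consult the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def embedded_domains(host):
    """Return 'name.tld' pairs that sit inside the host name but are NOT the
    registrable domain, e.g. 'betterbricks.com' in
    'updates.betterbricks.com.secure.upd01.net'."""
    labels = host.split(".")
    found = []
    # Stop before the last two labels, which form the real domain.
    for i in range(1, len(labels) - 2):
        if labels[i] in KNOWN_TLDS:
            found.append(labels[i - 1] + "." + labels[i])
    return found


def analyze_link(url):
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    actual = registrable_domain(host)
    impersonated = embedded_domains(host)
    executable = parts.path.lower().endswith(".exe")
    return {
        "host": host,
        "actual_domain": actual,
        "impersonated": impersonated,
        "executable_download": executable,
        "suspicious": bool(impersonated) or executable,
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = analyze_link(link)
        print(f"{r['host']}: served by {r['actual_domain']}, "
              f"impersonates {r['impersonated'] or 'nothing'}, "
              f"exe download={r['executable_download']}")
```

The useful output for a mail filter or a user-awareness write-up is the pair (actual_domain, impersonated): the recipient sees "updates.betterbricks.com" at the start of the link, but the request resolves under upd01.net, a domain the organisation does not control.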
Malicious software installed by files that are distributed via these messages may be related to the Zbot family, which has rootkit functionality and the ability to steal online banking information. The trojan uses a keylogger to steal banking details and may open a back door on the infected system to communicate with a remote attacker. Additionally, the malicious code may attempt to make modifications to the system registry and files.
Cisco Security Intelligence Operations analysts examine real-world e-mail traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global e-mail security threats and trends. Cisco will continue to monitor this threat and automatically adapt IronPort systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.
Cisco IronPort Virus Outbreak Filters protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. E-mail that is managed by Cisco and end users who are protected by Cisco IronPort web security appliances will not be impacted by these attacks. Cisco IronPort appliances are automatically updated to prevent both spam e-mail and hostile web URLs from being passed to the end user.
Related Links
Cisco Security Intelligence Operations
Cisco Threat Operations Center
Cisco SenderBase Security Network