MX Lab intercepted some messages with the subject line “Conflicker.B Infection Alert” coming from “Microsoft Windows Agent” but with a spoofed from address.
The attached malware is detected as Trojan-Downloader:W32/Fakerean.AG (F-Secure, Microsoft), W32/FakeAlert.SYY!tr.dldr (Fortinet) or Mal/EncPk-KP (Sophos).
This is the body of the message:
Dear Microsoft Customer,
Starting 18/10/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.
To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.
Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.
Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division
The message opens with a reminder of the Conficker worm, and that alone will scare some people. But read a little further, to “Microsoft has been advised by your Internet provider that your network is infected”, and you should see that this is clearly an attempt to fool computer users. Why on earth would your internet provider contact Microsoft to inform you about a virus infection on your computer? I don’t know; perhaps the ‘author’ has a good reason to suggest this.
Once installed, this virus creates the following files: %AppData%\lizkavd.exe, %AppData%\seres.exe and %AppData%\svcst.exe, where %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
Other created files are %Temp%\tmpwr2, %Temp%\tmpwr3, %Temp%\tmpwr4, %Temp%\tmpwr5, %Temp%\tmpwr6 and %Temp%\tmpwr7.
The processes %AppData%\seres.exe and %AppData%\svcst.exe are started and several Windows registry modifications are made.
svcst.exe (%AppData%\svcst.exe) uses UDP port 1050 on the system and establishes connections to the remote hosts 64.237.55.39 and 66.79.188.115 on port 80.
The following URLs were then requested from the remote web servers:
* hxxp://orav4abdustorabe.com/files/avp21_d_/_1_._d_
* hxxp://orav4abdustorabe.com/files/_AVE_._d_
* hxxp://orav4abdustorabe.com/files/_Add_._d_
* hxxp://orav4abdustorabe.com/files/_GUI_._d_
* hxxp://orav4abdustorabe.com/files/_SC_._d_
* hxxp://orav4abdustorabe.com/files/_Upd_._d_
* hxxp://ertanue5skayert.com/iM1ci0K5p8bj0KtZ4IKD7p/c3vM
VirusTotal permalink and MD5: e6bc86359946024ea7547ae8e9915e61
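The indicators above (dropped files under %AppData% and %Temp%, the two C2 IPs, the hosts in the requested URLs and the sample's MD5) are the kind of thing a defender wants to sweep for across proxy logs and endpoint file listings. The following Python script is an added example, not MX Lab's own tooling: it refangs the hxxp:// URLs from the write-up to derive the C2 host list, normalizes XP-era profile paths back to the %AppData%/%Temp% placeholders the write-up uses, and matches constructed sample data against them. The log line format (epoch, client IP, method, URL) and the Local Settings\Temp location for %Temp% are assumptions made for the example.

```python
import hashlib
import re

# Indicators taken from the write-up above: VirusTotal MD5, C2 IPs, dropped
# files (stored lower-case for case-insensitive matching) and the UDP port.
MALWARE_MD5 = "e6bc86359946024ea7547ae8e9915e61"
C2_IPS = {"64.237.55.39", "66.79.188.115"}
C2_UDP_PORT = 1050  # local UDP port used by svcst.exe, per the write-up
DROPPED_FILES = {"%appdata%\\lizkavd.exe", "%appdata%\\seres.exe", "%appdata%\\svcst.exe"}
DROPPED_FILES |= {"%temp%\\tmpwr" + str(n) for n in range(2, 8)}

# URLs exactly as published (defanged with hxxp://).
REPORT_URLS = [
    "hxxp://orav4abdustorabe.com/files/avp21_d_/_1_._d_",
    "hxxp://orav4abdustorabe.com/files/_AVE_._d_",
    "hxxp://orav4abdustorabe.com/files/_Add_._d_",
    "hxxp://orav4abdustorabe.com/files/_GUI_._d_",
    "hxxp://orav4abdustorabe.com/files/_SC_._d_",
    "hxxp://orav4abdustorabe.com/files/_Upd_._d_",
    "hxxp://ertanue5skayert.com/iM1ci0K5p8bj0KtZ4IKD7p/c3vM",
]


def refang(url: str) -> str:
    """Turn the defanged hxxp:// notation used in reports back into a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def host_of(url: str) -> str:
    """Extract the host part of a URL (refanging first); empty string if none."""
    m = re.match(r"^[a-z]+://([^/:]+)", refang(url), re.I)
    return m.group(1).lower() if m else ""


# C2 domains derived from the report URLs rather than typed in by hand.
C2_DOMAINS = {host_of(u) for u in REPORT_URLS}

# Assumed XP-era profile layout (the write-up gives Documents and Settings\...\
# Application Data as typical for %AppData%; Local Settings\Temp for %Temp% is
# an assumption of this example). Vista and later use a different layout.
_APPDATA_RE = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\application data\\")
_TEMP_RE = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\local settings\\temp\\")


def normalize_path(path: str) -> str:
    """Lower-case a Windows path and collapse the profile prefix to a placeholder."""
    p = path.strip().lower().replace("/", "\\")
    p = _APPDATA_RE.sub(lambda _m: "%appdata%\\", p)
    p = _TEMP_RE.sub(lambda _m: "%temp%\\", p)
    return p


def match_file_artifacts(paths):
    """Return the paths (as given) whose normalized form is a file this trojan drops."""
    return [p for p in paths if normalize_path(p) in DROPPED_FILES]


def is_c2_host(host: str) -> bool:
    return host.lower() in C2_DOMAINS or host in C2_IPS


def scan_proxy_log(text: str):
    """Return (line number, client, host) for every request to a known C2 host.

    Assumed line format: '<epoch> <client-ip> <method> <url>'."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, _method, url = fields[:4]
        host = host_of(url)
        if is_c2_host(host):
            hits.append((lineno, client, host))
    return hits


def is_known_sample(data: bytes) -> bool:
    """True if the bytes hash to the MD5 published for this sample."""
    return hashlib.md5(data).hexdigest() == MALWARE_MD5


# Constructed sample data: one infected client (10.0.0.12) beside benign traffic.
SAMPLE_PROXY_LOG = """\
1255880001 10.0.0.12 GET http://www.example.com/index.html
1255880034 10.0.0.12 GET http://orav4abdustorabe.com/files/_GUI_._d_
1255880035 10.0.0.12 GET http://64.237.55.39/files/_SC_._d_
1255880040 10.0.0.7 GET http://intranet.example.local/
1255880052 10.0.0.12 GET http://ertanue5skayert.com/iM1ci0K5p8bj0KtZ4IKD7p/c3vM
"""
# Constructed file listing from a host: two real artifacts, two look-alikes.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\bob\Application Data\svcst.exe",
    r"C:\Documents and Settings\bob\Application Data\notepad++.ini",
    r"C:\Documents and Settings\bob\Local Settings\Temp\tmpwr4",
    r"C:\Program Files\svcst.exe",
]

if __name__ == "__main__":
    for lineno, client, host in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: {client} contacted C2 host {host}")
    for p in match_file_artifacts(SAMPLE_PATHS):
        print(f"dropped-file artifact present: {p}")
```

Note that C:\Program Files\svcst.exe deliberately does not match: the indicator is the file in the user's Application Data directory, and matching on the bare file name would generate noise. Hash matching with the published MD5 is the most precise check but only catches the exact sample; the host and path indicators are what catch the infection on the wire and on disk.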