Win a Macbook Air and get the trojan Obfuscator for free

MX Lab intercepted emails with the subject “Congratulation!!”. The message informs you that you have won an Apple MacBook Air and for more details you will need to open the attached file.

Congratulations!! You have won today's Macbook Air.
Please open attached file and see details.

Seems tempting, but by doing so you will in fact unleash the trojan VirTool:Win32/Obfuscator.HG (Microsoft) or Suspicious:W32/Malware!Online (F-Secure) on your system.

The attached file is named winner.zip, is 45 kB in size, and contains the 52 kB executable winner.exe.

The trojan will create the following files:

%UserProfile%\reader_s.exe
%System%\reader_s.exe

New processes were created:

%System%\reader_s.exe
%UserProfile%\reader_s.exe

Windows registry modifications are made to make sure that the dropped executables run when Windows boots:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
reader_s = "%System%\reader_s.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
reader_s = "%UserProfile%\reader_s.exe"

At the time of writing this article, only 8 of the 40 AV engines picked up the trojan when submitted to Virus Total, so be careful when receiving it. Virus Total permalink and MD5: 4ea90acf8a6427060f1a6d003dd3598f.
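As an added example (not part of the MX Lab post), the following PowerShell checks a Windows host for the persistence artefacts listed above: the two Run values, the dropped reader_s.exe files and a running reader_s process. It assumes %System% resolves to %SystemRoot%\System32, and since the MD5 quoted in the post is the attachment's hash rather than the dropped file's, a differing hash on reader_s.exe does not rule out infection.

```powershell
# Added example, not from the MX Lab post: look for the reader_s persistence
# artefacts described in the alert. Run from an elevated PowerShell prompt.
function Find-ReaderSArtefacts {
    # Run keys named in the alert; the value name is "reader_s".
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    # Dropped-file paths; %System% is assumed to be %SystemRoot%\System32.
    $dropPaths = @(
        (Join-Path $env:USERPROFILE 'reader_s.exe'),
        (Join-Path $env:SystemRoot 'System32\reader_s.exe')
    )
    # MD5 the post gives for the attachment winner.exe (not for reader_s.exe).
    $attachmentMd5 = '4ea90acf8a6427060f1a6d003dd3598f'

    $findings = @()

    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains 'reader_s')) {
            $findings += "Run value 'reader_s' in $key -> $($props.reader_s)"
        }
    }

    foreach ($path in $dropPaths) {
        if (Test-Path -LiteralPath $path) {
            $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
            $note = if ($md5 -eq $attachmentMd5) { 'same MD5 as attachment' } else { 'MD5 differs from attachment' }
            $findings += "File present: $path (MD5 $md5, $note)"
        }
    }

    # Get-Process matches on the image name without the .exe extension.
    Get-Process -Name 'reader_s' -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "Process running: PID $($_.Id) $($_.Path)"
    }

    return $findings
}

$result = Find-ReaderSArtefacts
if ($result.Count -eq 0) {
    Write-Output 'No reader_s artefacts found.'
} else {
    $result | ForEach-Object { Write-Output $_ }
}
```

The HKLM key and System32 path need administrator rights to read reliably; any finding should be followed by a full scan rather than treated as the complete picture.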

Email based update for Microsoft Outlook – Outlook Express contains trojan

MX Lab started to intercept messages with the subject “Update for Microsoft Outlook / Outlook Express (KB910721)”. These messages appear to come from the Microsoft Support department and contain instructions to install a new update for Microsoft Outlook / Outlook Express:

Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.

Instructions

* Install Update for Microsoft Outlook / Outlook Express (KB910721). To do this, follow these steps:
1. Run attached file officexp-KB910721-FullFile-ENU.exe
2. Restart Microsoft Outlook / Outlook Express

System Requirements

* Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista

* This update applies to the following product: Microsoft Outlook / Outlook Express

The email carries a 12 kB ZIP archive named officexp-KB910721-FullFile-ENU.zip. The extracted file is the 24 kB executable officexp-KB910721-FullFile-ENU.exe.

This piece of malware is known as W32/SuspPack.BI.gen!Eldorado (F-Prot), W32/FakeAV.AM!genr (Norman) or Mal/FakeVirPk-A (Sophos).

It is generally advised not to install software, updates or patches for Microsoft software or the operating system that are distributed by email. Microsoft only offers updates and patches through the official Windows Update channel on the Windows system itself.

Virus Total permlink and MD5: 925ca736b931a745b064896927cf20bc
