Posted by: Barracuda Labs
Yesterday, a Purewire employee received an email claiming to offer an update to his Microsoft Outlook configuration:
From: < redacted >
Date: Thursday, October 15, 2009 2:12 PM
To: < redacted >@purewire.com
Subject: Microsoft Outlook Notification for the < redacted >@purewire.com

You have (6) New Message from Outlook Microsoft – Please re-configure your Microsoft Outlook Again.
– Download attached setup file and install.
The email was accompanied by a zip file that contained an executable with a business-looking smart phone icon.
[Image: install icon]
Instead of a configuration update, the file was actually a malware downloader. When executed, it downloads and installs additional malicious software from the following URL:
hxxp://uvgadferbotario.com/X1j0uHc5Htr8Lw0i4Wv6Jz7Ha
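The lure above follows a pattern a mail gateway can triage mechanically: a "re-configure your Outlook" subject, a zip attachment, and an executable inside the zip. The script below is an added example written for this post, not Barracuda or Purewire code; it builds a constructed .eml in memory (fake sender, a harmless `MZ`-header stub standing in for the downloader, and hypothetical filenames), then parses it the way a gateway filter would and flags the lure phrasing and the executable-in-zip attachment.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed stand-in for the attached executable: only a DOS/PE 'MZ' header
# plus padding, so the zip looks like it carries a PE file without containing
# any real program code.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 32

# Extensions Windows will execute directly when double-clicked from a zip.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Phrases taken from the lure quoted above, lower-cased for matching.
LURE_PHRASES = ("re-configure", "setup file", "outlook notification")


def build_sample_eml(malicious: bool = True) -> bytes:
    """Construct a sample message (hypothetical addresses and filenames).

    malicious=True mirrors the lure in the post: an Outlook 'notification'
    with a zip that wraps an executable. malicious=False produces a benign
    zip-of-text control message so the triage verdict can be compared.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    if malicious:
        msg["Subject"] = "Microsoft Outlook Notification for the victim@example.invalid"
        msg.set_content(
            "You have (6) New Message from Outlook Microsoft - "
            "Please re-configure your Microsoft Outlook Again. "
            "Download attached setup file and install."
        )
        member_name, member_data = "Outlook_setup.exe", FAKE_PE
    else:
        msg["Subject"] = "Q3 meeting notes"
        msg.set_content("Notes from today's meeting attached.")
        member_name, member_data = "notes.txt", b"agenda item 1\n"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_data)
    msg.add_attachment(
        buf.getvalue(), maintype="application", subtype="zip",
        filename="attachment.zip",
    )
    return msg.as_bytes()


def triage_eml(raw: bytes) -> dict:
    """Return a verdict and the reasons behind it for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Social-engineering check on subject and plain-text body.
    subject = str(msg["Subject"] or "").lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = (body_part.get_content() if body_part else "").lower()
    if any(p in subject or p in body for p in LURE_PHRASES):
        findings.append("lure-phrase")

    # 2. Attachment check: open every zip and look inside for executables,
    #    judged by extension and by the 'MZ' magic bytes of a PE image.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if not (fname.endswith(".zip") and data[:2] == b"PK"):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = zf.read(info.filename)
                name = info.filename.lower()
                ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
                if ext in EXEC_EXTENSIONS or member[:2] == b"MZ":
                    findings.append(f"executable-in-zip:{info.filename}")

    return {"verdict": "quarantine" if findings else "deliver",
            "findings": findings}


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_eml(build_sample_eml(malicious=flag)))
```

Two findings together (lure wording plus an executable inside a zip) are what make the quarantine verdict defensible; either one alone is common in legitimate mail, which is why the script records the reasons rather than only the verdict.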
AV detections for the second-stage executable are poor. In this case, the second-stage malware is a brand of Rogue AV software called Antivirus Pro 2010; the screenshot below shows examples of the different types of bogus alerts it generates.
[Screenshot: Antivirus Pro 2010]
This brand of fraudware is particularly aggressive; its tactics include the production of fake errors (about every 30 minutes) that require the user to either purchase the full version of the software or reboot their system.
Users of the PWSS are protected from this threat.