By Andrew Brandt
Hot on the heels of the spam campaigns involving emails which purport to come from the IRS, HMRC, and from your IT department comes another round of fake “notification” spam emails — this time, warning users to download and install a patch for the Outlook and Outlook Express email clients.
Like the previous rounds, the file a victim is prompted to download and (hopefully, won’t) install is the prolific, widely-disseminated keylogger we call Progdav (aka “Zbot”). The faux Web page which hosts the malicious file is dressed up to look like a Microsoft Update page, titled “Update for Microsoft Outlook / Outlook Express (KB910737).” In an attempt to legitimize the payload, the page states “This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.”
Uh huh. Highest levels like a fox!
The “update” file/Trojan installer is named officexp-KB910737-FullFile-ENU.exe and comes in at just under 100KB, which puts it in the welterweight class of Stupid Malware Trickery. A cursory glance at the Microsoft Knowledge Base Web site reveals the hardly-surprising fact that, no, there is no Knowledge Base article 910737.
Like virtually all the Progdav samples we’re seeing in recent months, this information-stealing Trojan is a universal data thief. It steals login passwords for Web sites, both as you enter them and from the Protected Storage area, where the browser keeps your “saved” passwords; stored Web browser cookies; FTP account details; POP3 email usernames and passwords; and it keeps track of the Web sites you visit. It disables the Internet Explorer anti-phishing filter, and monitors the contents of the Clipboard, so passwords you copy from one location and paste into another location aren’t safe, even if you never actually type them into a login page from an infected PC.
Our standard advice remains in place here: Avoid following links sent via email regarding updates to standard Windows components. Microsoft doesn’t email its customers about updates, and has other mechanisms, including Automatic Updates, to ensure that the folks who need them will get updates. Don’t download patches or updates to Microsoft products from anywhere other than Microsoft.com, and if you’re really concerned, double-check the Knowledge Base “KB” number to make sure you’re getting what you expect.
And when an untrustworthy link leads you to an untrustworthy page which begs you to “Please download and install the file…” please, don’t.
5 Comments
Hi, Andrew, thanks for the blog. How to get rid of this keylogger in XP?
Sweep with our latest product and up-to-date definitions. We can easily delete Progdav.
How can I help in getting rid of these people.
I can’t download the Microsoft Outlook-express update that you recommend to do–can you please e-mail me instructions that will work?
Thank you
Scott — this blog item does not describe a legitimate Microsoft Outlook patch update. It is a scam that installs a keylogger on your computer. Do NOT install any update to Outlook that comes from anywhere other than http://update.microsoft.com
If you have already downloaded and attempted to run such an update, you may already be infected. Scan your computer immediately, and use a different, uninfected computer to change any passwords that may have been used, or are stored, on the infected computer.
8 Trackbacks/Pingbacks
[...] newest victim of the faux-Web-sites-posing-as-government-pages scam is the Centers for Disease Control and Prevention. In the same vein [...]
[...] newest victim of the faux-Web-sites-posing-as-government-pages scam is the Centers for Disease Control and Prevention. In the same vein [...]
[...] mail comes from a legitimate source, such as the FDIC, IRS, HMRC (the UK’s tax authority), your IT department, or any of several well-known [...]
[...] organizations (both in the US and elsewhere), trade groups, or financial institutions, or even Microsoft itself. The A-list organizations spoofed by these campaigns read like a Fortune 100 who’s who [...]
[...] organizations (both in the US and elsewhere), trade groups, or financial institutions, or even Microsoft itself. The A-list organizations spoofed by these campaigns read like a Fortune 100 who’s who [...]
[...] as those targeting the IRS, CDC, Visa, and other organizations, as well as software programs like Microsoft Outlook, or Web sites such as Facebook), the URL contains the email address to which the original message [...]
[...] as the IRS, CDC, Visa, and other organizations, or software programs like AOL Instant Messenger and Microsoft Outlook, or Web sites such as [...]
[...] The people who distribute Trojan applications like Trojan-Backdoor-Zbot, in the guise of a wide variety of frauds, make no distinction between your credit card or email password. The Trojan simply takes [...]