October 20, 2009, 1:03 pm
After last week's outbreak of spam mails carrying malware disguised as settings files for mail software (which is still ongoing; we continue to receive a lot of those mails), our analysts are seeing a new batch of emails that contain a trojan as an attachment. These mails come with subjects like “Conflicker.B Infection Alert” and claim to stem from someone called “Microsoft Windows Agent”.

Fig. 1: The email claims to carry a Conficker removal tool.
The mail claims that the network where the PC is located is infected with Conficker.B and that the ISP has informed Microsoft of this. The attached tool allegedly offers a free system scan.
The attachment is in fact a FakeAV program; moreover, Microsoft would never send out an executable attachment by email without prior consent. Do not execute the malware in the zip file from the mail! Avira detects it as TR/Vilsel.ior with VDF 7.01.06.127.
Dirk Knop
Technical Editor
October 15, 2009, 9:11 am
Our spam traps received a lot of spam emails during the last night which claim to link to or include a new settings file for Outlook Web Access (OWA). The mails appear to come from the technical staff of the recipient's own domain and are crafted quite well. Thus they are targeted at the organisation they are sent to.

Fig. 1: The spammed emails contain malware.
Different variants of the malware email have been sent around: some directly include the malware as an attachment, others link to a web site where the malware can be downloaded (spear phishing). The Avira Risk Level has been raised to phishing level 4, which reflects increased phishing activity.

Fig. 2: Another wave of emails is pointing to a fake web site.
While the HTML email displays the malware link as leading to the real domain, the link actually points to a URL of the following form: http://EMAIL_DOMAIN.BADHOST.COM/owa/service_directory/settings.php?email=USER@EMAIL_DOMAIN&from=EMAIL_DOMAIN&fromname=USER. The recipient's own domain appears only as a leading label of the attacker's host name, so a recipient in a rush might believe he is on the real OWA web site.
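As an added example (not code from the original post or from Avira), the following Python checks mail-embedded URLs for exactly the shape described above: an /owa/ path hosted on a domain other than the organisation's, with the organisation's domain prepended as a subdomain or named in the email=/from= parameters. The sample URLs, the organisation domain and the naive "last two labels" registrable-domain rule are assumptions made for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample URLs following the pattern quoted in the post (not real indicators).
SAMPLE_URLS = [
    "http://example-corp.com/owa/",
    "http://example-corp.com.badhost-example.com/owa/service_directory/settings.php"
    "?email=alice@example-corp.com&from=example-corp.com&fromname=alice",
    "https://mail.example-corp.com/owa/auth/logon.aspx",
]


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels.

    Assumption for this example; a real deployment would consult the public suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_owa_lure(url: str, org_domain: str) -> bool:
    """Return True when a URL imitates the organisation's OWA but lives on another domain.

    All three checks come from the URL shape quoted in the post:
      - the path contains /owa/ ;
      - the host's registrable domain is not the organisation's ;
      - the organisation's domain is a leading label of the host, or the
        email= / from= query parameters name the organisation.
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    org = org_domain.lower()
    if "/owa/" not in p.path.lower():
        return False
    if registrable_domain(host) == org:
        return False  # genuinely hosted under the organisation's own domain
    query = parse_qs(p.query)
    host_starts_with_org = host.startswith(org + ".")
    query_names_org = any(
        v.lower().endswith(org) for key in ("email", "from") for v in query.get(key, [])
    )
    return host_starts_with_org or query_names_org


def flag_urls(urls, org_domain):
    """Filter a list of URLs (e.g. extracted from a mail body) down to the suspicious ones."""
    return [u for u in urls if looks_like_owa_lure(u, org_domain)]
```

Run over the constructed samples, only the second URL is flagged; the two genuine OWA addresses on the organisation's own domain pass.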

Fig. 3: The web site the mail points to looks convincing, too.
While Avira Antispam detects the emails as spam and the URLs are being blacklisted, the virus lab has released detections for the malware with a VDF update. The two samples are detected as TR/Vilsel.iop and TR/Spy.ZBot.9164.1, respectively, with VDF file 7.01.06.111. The Vilsel trojan is yet another incarnation of the FakeAV plague, while ZBot steals information.
In any case, do not open these attachments or download the alleged settings files! They can infect your system and put it under the control of the malware authors!
Dirk Knop
Technical Editor
Sorin Mustaca
Manager International Software Development