Thursday, 29 March 2007

"Internet Explorer 7 Downloads" - IE7.0.exe


Another bit of malware, this time masquerading as a terse email message encouraging the download of a fake version of IE7. The message is a simple graphic pointing to an executable called IE7.0.exe; it looks like both the graphic and the executable are hosted on compromised Apache servers.

VirusTotal indicates that detection is a bit thin at the moment.



| Antivirus | Version | Update | Result |
| --- | --- | --- | --- |
| AhnLab-V3 | 2007.3.30.0 | 03.29.2007 | no virus found |
| AntiVir | 7.3.1.46 | 03.29.2007 | TR/Proxy.Agent.CL |
| Authentium | 4.93.8 | 03.29.2007 | no virus found |
| Avast | 4.7.936.0 | 03.29.2007 | no virus found |
| AVG | 7.5.0.447 | 03.29.2007 | no virus found |
| BitDefender | 7.2 | 03.29.2007 | no virus found |
| CAT-QuickHeal | 9.00 | 03.29.2007 | (Suspicious) - DNAScan |
| ClamAV | devel-20070312 | 03.29.2007 | no virus found |
| DrWeb | 4.33 | 03.29.2007 | no virus found |
| eSafe | 7.0.15.0 | 03.29.2007 | no virus found |
| eTrust-Vet | 30.6.3522 | 03.29.2007 | no virus found |
| Ewido | 4.0 | 03.29.2007 | no virus found |
| FileAdvisor | 1 | 03.29.2007 | no virus found |
| Fortinet | 2.85.0.0 | 03.29.2007 | suspicious |
| F-Prot | 4.3.1.45 | 03.28.2007 | no virus found |
| F-Secure | 6.70.13030.0 | 03.29.2007 | Virus.Win32.Grum.a |
| Ikarus | T3.1.1.3 | 03.29.2007 | no virus found |
| Kaspersky | 4.0.2.24 | 03.29.2007 | Virus.Win32.Grum.a |
| McAfee | 4995 | 03.29.2007 | no virus found |
| Microsoft | 1.2306 | 03.29.2007 | no virus found |
| NOD32v2 | 2154 | 03.29.2007 | no virus found |
| Norman | 5.80.02 | 03.29.2007 | no virus found |
| Panda | 9.0.0.4 | 03.29.2007 | Suspicious file |
| Prevx1 | V2 | 03.29.2007 | Covert.Sys.Exec |
| Sophos | 4.16.0 | 03.29.2007 | no virus found |
| Sunbelt | 2.2.907.0 | 03.29.2007 | VIPRE.Suspicious |
| Symantec | 10 | 03.29.2007 | Trojan Horse |
| TheHacker | 6.1.6.080 | 03.23.2007 | no virus found |
| UNA | 1.83 | 03.16.2007 | no virus found |
| VBA32 | 3.11.3 | 03.29.2007 | suspected of Trojan-PSW.Pinch.1 (paranoid heuristics) |
| VirusBuster | 4.3.7:9 | 03.29.2007 | no virus found |
| Webwasher-Gateway | 6.0.1 | 03.29.2007 | Trojan.Proxy.Agent.CL |

Wednesday, 28 March 2007

"The system is not fully installed": Windows XP, WMP 11 and Sysprep


Kudos to lizardking009 for this post at the 2cpu.com forums.

After using Sysprep to prepare a new Windows XP build for distribution to some Dell laptops, I got a message saying "The system is not fully installed" when trying to restart the machine.

It turns out that this is due to the presence of Windows Media Player 11, which screws up the Sysprep process somehow. I can't say that I'm a big fan of this DRM-laden stuff, but generally speaking you always load the latest version of everything before resealing the machine to take an image from it.

Microsoft have this Knowledge Base article showing how to recover from the problem, although I discovered that it does not work very well on machines that have already been built from a Sysprep image (such as Dells). If you're working in a reasonably well-equipped environment with another XP machine and a suitable external USB drive enclosure, it's probably easier to edit the registry on the affected PC's hard disk by plugging it into the USB port of another machine, i.e.:

  • Load REGEDIT
  • Select HKEY_USERS
  • Go into File.. Load Hive..
  • Browse to the \WINDOWS\System32\Config\System file on the USB connected drive
  • Name the hive "system" or whatever you like
  • Find the Setup key on the newly loaded hive and locate SystemSetupInProgress.
  • Change the data from 1 to 0.
  • Unload the Hive
Then, once the hard disk is reinserted into the original machine, bring it up in Safe Mode, uninstall Windows Media Player 11 and reboot. This should start the setup process (you can choose to take an image at this point, if you wish).
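The same offline-hive edit can be done from the command line instead of clicking through REGEDIT. The script below is an added example, not part of the original post: it uses reg.exe to load the SYSTEM hive from the USB-attached disk, flips SystemSetupInProgress from 1 to 0, and unloads the hive again. It assumes the affected disk's Windows folder is visible at E:\WINDOWS (a placeholder; pass your own drive letter), that the shell is running with administrative rights, and it uses the arbitrary hive name "offline_system".

```powershell
# Added example (not from the original post): offline registry fix for the
# "The system is not fully installed" Sysprep problem, using reg.exe and the
# PowerShell Registry provider instead of the REGEDIT GUI.
#
# Assumptions (placeholders, adjust as needed):
#   - the affected disk is attached over USB and its Windows folder is E:\WINDOWS
#   - this shell is running elevated on the helper machine
#   - "offline_system" is just the name we give the loaded hive
param([string]$OfflineWindows = "E:\WINDOWS")

$hiveFile  = Join-Path $OfflineWindows "System32\Config\System"
$regMount  = "HKU\offline_system"                          # name as reg.exe wants it
$setupKey  = "Registry::HKEY_USERS\offline_system\Setup"   # same key via the PS provider

if (-not (Test-Path $hiveFile)) {
    throw "SYSTEM hive not found at $hiveFile - is the USB disk mounted and the drive letter right?"
}

# Equivalent of REGEDIT > HKEY_USERS > File > Load Hive...
reg.exe load $regMount $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }

try {
    # Record the current value first; on an affected machine this should be 1
    $before = (Get-ItemProperty -Path $setupKey -Name SystemSetupInProgress).SystemSetupInProgress
    Write-Host "SystemSetupInProgress before: $before"

    if ($before -ne 0) {
        # The fix from the post: change the data from 1 to 0
        Set-ItemProperty -Path $setupKey -Name SystemSetupInProgress -Value 0 -Type DWord
    }

    $after = (Get-ItemProperty -Path $setupKey -Name SystemSetupInProgress).SystemSetupInProgress
    Write-Host "SystemSetupInProgress after:  $after"
}
finally {
    # Release any handles the provider still holds, then unload so the hive file is
    # written back and closed before the disk is pulled (equivalent of Unload Hive)
    [GC]::Collect()
    reg.exe unload $regMount | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg.exe unload failed ($LASTEXITCODE); unload it manually before removing the disk" }
}
```

Run it as `.\Fix-SysprepFlag.ps1 -OfflineWindows "F:\WINDOWS"` (any script name; the parameter is the only thing to change). Once it reports the value as 0, return the disk to the original machine and continue with the Safe Mode steps above.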

Monday, 26 March 2007

Fake "BlueMountains Greetings" message with a trojan


Fake greetings cards are a common way of spreading trojans, and this latest Fake Bluemountain.com Email is a case in point.

The message looks similar to this:

From:
BlueMountains Greetings <greetings@BlueMountain.com>
Subject:
You just received an Electronic Greeting.

Hello,
you just received an electronic greeting from a friend !

To view your eCard, please click on the following link :

http://www.bluemountain.com/view.pd?i=164213761&m=2435&rr=z&source=bma999

(Your postcard will be available for 60 days.)

If you have any comments or questions, please visit http://www.bluemountain.com/customer/emailus.pd?source=bma999

Thanks for using BlueMountain.com.


In fact, the links actually lead to bluemountains.kokocards.com (do not visit this site), not to bluemountain.com as the visible text suggests. A more detailed writeup can be found here.

There's very little need to accept this type of "greetings card" into corporate environments, and they are a common vector for malware attacks.

If you use Postini, you can create a custom content filter:
  • Select Match Any
  • Sender | contains | bluemountain.com
  • Body | contains | kokocards.com
  • Body | contains | bluemountain.com
  • Set message disposition to Quarantine Redirect
  • Don't forget to copy it to sub-orgs if you need to!

Saturday, 3 March 2007

Lunar Eclipse



Clear skies and not too chilly, and the best lunar eclipse in years. This one was taken at about 2230 GMT (click the image to enlarge).