"Internet Explorer 7 Downloads" - IE7.0.exe

Another bit of malware this time masquerading as a terse email message to encourage the downloading of a fake version of IE7. It's a simple graphic pointing to an executable called IE7.0.exe - it looks like the graphic and executable are hosted on compromised Apache servers.

VirusTotal indicates that detection is a bit thin at the moment.

Antivirus	Version	Update	Result
AhnLab-V3	2007.3.30.0	03.29.2007	no virus found
AntiVir	7.3.1.46	03.29.2007	TR/Proxy.Agent.CL
Authentium	4.93.8	03.29.2007	no virus found
Avast	4.7.936.0	03.29.2007	no virus found
AVG	7.5.0.447	03.29.2007	no virus found
BitDefender	7.2	03.29.2007	no virus found
CAT-QuickHeal	9.00	03.29.2007	(Suspicious) - DNAScan
ClamAV	devel-20070312	03.29.2007	no virus found
DrWeb	4.33	03.29.2007	no virus found
eSafe	7.0.15.0	03.29.2007	no virus found
eTrust-Vet	30.6.3522	03.29.2007	no virus found
Ewido	4.0	03.29.2007	no virus found
FileAdvisor	1	03.29.2007	no virus found
Fortinet	2.85.0.0	03.29.2007	suspicious
F-Prot	4.3.1.45	03.28.2007	no virus found
F-Secure	6.70.13030.0	03.29.2007	Virus.Win32.Grum.a
Ikarus	T3.1.1.3	03.29.2007	no virus found
Kaspersky	4.0.2.24	03.29.2007	Virus.Win32.Grum.a
McAfee	4995	03.29.2007	no virus found
Microsoft	1.2306	03.29.2007	no virus found
NOD32v2	2154	03.29.2007	no virus found
Norman	5.80.02	03.29.2007	no virus found
Panda	9.0.0.4	03.29.2007	Suspicious file
Prevx1	V2	03.29.2007	Covert.Sys.Exec
Sophos	4.16.0	03.29.2007	no virus found
Sunbelt	2.2.907.0	03.29.2007	VIPRE.Suspicious
Symantec	10	03.29.2007	Trojan Horse
TheHacker	6.1.6.080	03.23.2007	no virus found
UNA	1.83	03.16.2007	no virus found
VBA32	3.11.3	03.29.2007	suspected of Trojan-PSW.Pinch.1 (paranoid heuristics)
VirusBuster	4.3.7:9	03.29.2007	no virus found
Webwasher-Gateway	6.0.1	03.29.2007	Trojan.Proxy.Agent.CL

"The system is not fully installed": Windows XP, WMP 11 and Sysprep

Kudos to lizardking009 for this post at the 2cpu.com forums.

After using Sysprep to prepare a new Windows XP build for distribution to some Dell laptops, I got the a message saying The system is not fully installed when trying to restart the machine.

It turns out that this is due to the presence of Windows Media Player 11 which screws up the Sysprep process somehow. I can't say that I'm a big fan of this DRM-laded stuff, but generally speaking you always load the latest version of everything before resealing the machine to take an image from it.

Microsoft have this knowledgebase article showing how to recover from the problem, although I discovered that this does not work very well on machines that have already been built from a Sysprep (such as Dells). If you're working in a reasonably well equipped environment with another XP machine and a suitable external USB drive enclosure then it's probably easier to edit the registry on the affected PC's hard disk by plugging it into the USB port of another machine, i.e.:

• Load REGEDIT
• Select HKEY_USERS
• Go into File.. Load Hive..
• Browse to the \WINDOWS\System32\Config\System file on the USB connected drive
  
• Name the hive "system" or whatever you like
• Find the Setup key on the newly loaded hive and locate SystemSetupInProgress.
• Change the data from 1 to 0.
• Unload the Hive

Then, once the hard disk is reinserted into the original machine, bring it up in Safe Mode, deinstall Windows Media Player 11 and reboot. This should start the setup process (you can choose to take an image at this point, if you wish).

Fake "BlueMountains Greetings" message with a trojan

Fake greetings cards are a common way of spreading trojans, and this latest Fake Bluemountain.com Email is a case in point.

The message looks similar to the following one:

From:
BlueMountains Greetings <greetings@BlueMountain.com>
Subject:
You just received an Electronic Greeting.

Hello,
you just received an electronic greeting from a
friend !

To view your eCard, please click
on the following link :

http://www.bluemountain.com/view.pd?i=164213761&m=2435&rr=z&source=bma999

(Your postcard will be available for 60 days.)

If you
have any comments or questions, please visit http://www.bluemountain.com/customer/emailus.pd?source=bma999

Thanks
for using BlueMountain.com.

In fact, the links actually lead to bluemountains.kokocards.com (do not visit this site). A more detailed writeup can be found here.

There's very little need to accept this type of "greetings card" into corporate environments, and this seems to be a common vector for malware attacks.

If you use Postini, you can create a custom content filter:

• Select Match Any
• Sender | contains | bluemountain.com
• Body | contains | kokocards.com
• Body | contains | bluemountain.com
• Set message disposition to Quarantine Redirect
• Don't forget to copy it to sub-orgs if you need to!
  

Lunar Eclipse

Clear skies and not too chilly, and the best lunar eclipse in years. This one taken at about about 2230 GMT (click the image to enlarge).

Frozen Roadster II

Big fat tyres + only 800kg in weight = no traction.

Couldn't even get the Roadie out of the drive this morning on the snow! Fortunately, Mrs Dynamoo's rather heavier Rover 25 did.

Still, it's funny seeing all those people who've spend a fortune on BMW X5s and X3s to discover that they've got all the offroad capabilities of a milk float in this weather. :)

Snow... brrrr...

As the country grinds to a halt under a few inches of snow (that have been predicted for a couple of days), here are some pictures of Elstow Village in Bedfordshire. Snow.. in winter.. who would have guessed it?

Frozen Roadster

A chilly minus eight degrees overnight.. and a tricky problem for my Smart Roadster. After opening the passenger door, the darned thing just wouldn't shut properly.

Now, the Roadster has a design fault in the door where (I understand) there is a pin holding in part of the mechanism which is basically mounted upside down, and this drops out which means that the door cannot be opened from the inside. Smart's first fix for this was to glue to pin in.. but of course, the pin will still work loose eventually and has a tendency to drop out again. I mention this because Smart's measly 2 year warranty would mean that this might end up as an expensive repair.

The problem was simpler than that - it looks like the very cold weather had frozen the mechanism in place after it opened. About three buckets of warm water over the door unfroze the mechanism and it started working properly. This led to another problem.. a clean bit of the car. So, the Roadster ended up with an early morning bath (as pictured).

The next problem is how to deal with the threatened six inches of snow in a car with only about four inches of ground clearance..

One Invalid Recipient..

In my opinion, one of the great underappreciated Microsoft Knowledgebase articles is KB147093 which explains one of those mysteries you see with Exchange servers from time-to-time.

The symptom is this - a remote sender transmits a message to multiple recipients on your Exchange server, but one or more of the recipients is incorrect. This causes the mail transaction to fail and NO recipients get the message.

Although KB147093 refers to X400, in fact this is the behaviour that you'll see on an Exchange 5.5 Internet Mail Connector, and it works with other SMTP-based mail servers too.

The problem is this - when sending to multiple recipients at one remote domain, the software at the sender's end will make a single connection to the remote mail servers.. and it's an all-or-nothing proposition.

The problem is compounded if you suppress NDRs (nondelivery reports) to the internet, because a remote sender will never receive a bounce message to say that the mail transaction failed. In these circumstances, it can take some time to work out that there's a problem at all.. but in this case you need to carefully check the recipient list for invalid users and remove them.

Now, if you have NDRs enabled, the problem will probably be spotted much sooner. But these days a lot of organisations turn them off, especially if they are the targets of mass spamming or directory harvesting attacks. It's one of those cases where the current levels of spam have unexpected adverse impacts on infrastructure.

Travelocity Template Spam

A couple of days ago, we saw a pump and dump spam using an Incredimail template to bypass spam filters. We pointed out that Incredimail messages could be scored as being somewhat spammy.

With a new twist, spammers are now using a Travelocity template [click image on right to enlarge] with an embedded image in the middle. Businesses are more likely to allow Travelocity mail than ones with Incredimail templates.

Clever.. but these messages don't come from a Travelocity email address, nor a Travelocity IP (whatever that might be). So, if you roll your own filters you can look for elements of the Travelocity template in messages that don't originate from Travelocity.

If you use Postini, add an inbound filter something like:

• Select "Match All"
  
• Body | contains | 1-888-709-5983
• Sender | does not contain | travelocity
• Set Message Disposition to "User Quarantine"

What's clear is that the spammers have found a new technique here and there's probably (sadly) quite a bit of mileage in it. Expect to see more variants of this soon.

"Incredimail" spam

A novel twist to the CBFE pump and dump spam that's been doing the rounds is a large scale run of spam messages using an Incredimail template to fool spam filters. [Click the image to enlarge]

The trick here is that Incredimail uses a lot of embedded images, as does the recent batch of P&D messages.. so if a filter has been "detuned" to let these templates through, then the spam can slip through on the back of it.

In this particular case, the CBFE spam is encoded with the Windows-1251 Cyrillic character set which makes it distinctive, although that will probably change.

If you roll your own filters, look for X-Mailer: IncrediMail in the headers, and charset="windows-1251" on each MIME boundary.

If you use Postini, you could create an inbound filter of Header | contains | X-Mailer: IncrediMail and set Message Disposition to "User Quarantine".

There's probably no harm for most people in scoring messages with Incredimail templates higher for spam as very little of it will be business related.

Patch Tuesday - January

A very small number of patches this month, none of which are critical for servers (assuming you don't read email, process office documents or surf the web on a server) and which may not even require a reboot on most client PCs. I've ordered these roughly in order of importance.

MS07-004 Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969)
http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx
This addresses an active exploit in IE and should be applied as soon as possible.
Client impact: high
Server impact: low

MS07-003 Vulnerabilities in Microsoft Outlook Could Allow Remote Code Execution (925938)
http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx
A series of potentially serious flaws that could lead to an exploit if the user opens a specially crafted email message. Outlook 2000 is vulnerable to this, but cannot be patched via WSUS so this would need to be applied manually where possible. Replaces MS06-055.
Client impact: high
Server impact: low

MS07-002 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (927198)
http://www.microsoft.com/technet/security/Bulletin/MS07-002.mspx
Similar to MS07-003, and Excel 2000 is similarly impacted with no WSUS remediation.
Client impact: high
Server impact: low

MS07-001 Vulnerability in Microsoft Office 2003 Brazilian Portuguese Grammar Checker Could Allow Remote Code Execution (921585)
http://www.microsoft.com/technet/security/Bulletin/MS07-001.mspx
This only impacts Office 2003 with the Brazilian Portuguese language pack. It should be a big problem for most users.
Client impact: low
Server impact: low

Braindead spam from eReplicaShop.com

eReplicaShop.com is a particularly persistent spammer, using image spam from zombie PCs and a large variety of domains. Most of these domains are registered to "Paul Gregoire" or a number of other aliases.. the smart money is that this is actually Alex Polyakov.

Unusually, the eReplicaShop servers are rented from fairly legitimate web hosts.. but bearing in mind that Polyakov is linked with phishing and money laundering scams it's quite likely that at least some of these services are being paid for by stolen credit cards.

Rule 3 of the Rules of Spam states that "Spammers are stupid". In this case, the eReplicaShop.com spam is particularly stupid as it often gets sent to abuse@ addresses. Most mail admins get really pissed off about abuse@ spam.. and this often leads to a satisfyingly short lifespan for the eReplicaShop mirrors.

If you do end up reporting one of these, it's always worthwhile to point out to the host that they might not be getting paid for the services they're providing. That normally gets a very quick response.

Welcome

Well.. alright, I've come to the blogging thing pretty late on, I know. But sometimes it's just too much work to break out the web editor and fiddle around, and at least this way I can get things to press more quickly.

Anyway, here's a completely gratuitous shot of a Compaq Portable II for you..