And here comes yet another fake Windows update. This one claims to be an update for Outlook/Outlook Express, but nope, it's not. Rather predictably, it's the Zbot infection (I forgot to disable NOD32 when grabbing a sample, and it flagged it as Kryptic.ATQ).
URL in the e-mail points to:
hxxp://update.microsoft.com.bbttyak.org.uk/microsoftofficeupdate/KB910737/default.aspx?ln=en-us&email=zerozen@it-mate.co.uk&id=3198874196220775938740383354831368636415974466091534304135864466128
Initial DNS lookup for *.bbttyak.org.uk showed the following (bearing in mind this domain is part of a botnet, so these IPs will be a small subset of the results you'll see):
IP: 95.132.96.84 [84-96-132-95.pool.ukrtel.net]
IP: 91.82.242.134 [91.82.242.134.pool.invitel.hu]
IP: 85.250.78.233 [85-250-78-233.bb.netvision.net.il]
IP: 85.202.49.44 [cb44.osiedle.net.pl]
IP: 77.105.21.55 [77-105-21-55.adsl-3.sezampro.yu]
IP: 61.33.234.142 [Failed resolution]
IP: 201.87.56.117 [Failed resolution]
IP: 190.231.10.249 [host249.190-231-10.telecom.net.ar]
IP: 190.193.100.240 [240-100-193-190.cab.prima.net.ar]
IP: 190.82.41.38 [190-82-41-38.adsl.tie.cl]
IP: 125.185.123.95 [Failed resolution]
IP: 121.183.6.137 [Failed resolution]
IP: 121.177.11.106 [Failed resolution]
IP: 118.219.109.104 [Failed resolution]
IP: 115.22.11.185 [Failed resolution]
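Two things in the indicators above are worth automating on the defensive side: the hostname in the lure only *starts* with update.microsoft.com (the registrable domain is bbttyak.org.uk), and the resolution set has the shape of a fast-flux botnet front (many addresses on unrelated networks, resolving to residential pool/ADSL reverse names or not resolving at all). The script below is an added example, not code from the original post or from hpHosts. It assumes a hand-written public-suffix subset in place of the real Public Suffix List, and it embeds the resolutions listed above as constructed input so it runs offline.

```python
"""Added example (not from the original post): two defender-side checks on the
indicators shown above.

1. Does the URL's hostname really belong to the brand it imitates? The label run
   'update.microsoft.com' is only a prefix; the registrable domain is whatever
   sits directly beneath the public suffix (here 'bbttyak.org.uk').
2. Does the set of A records look like a fast-flux botnet front? Many distinct
   addresses across unrelated networks, mostly with residential-looking reverse
   names or no reverse name at all, is the pattern to look for.
"""
from __future__ import annotations

import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Hand-written public-suffix subset (assumption: real tooling should consult the
# full Public Suffix List). The longest matching suffix wins.
PUBLIC_SUFFIXES = {"org.uk", "co.uk", "uk", "com", "net", "org"}

# Brand domains the lure imitates. The test is whether the *registrable* domain
# equals one of these, never whether the hostname merely contains the string.
TRUSTED_DOMAINS = {"microsoft.com"}

# Reverse names typical of consumer access pools; their presence in the answer
# set is a classic fast-flux tell (infected home machines fronting the site).
RESIDENTIAL_HINT = re.compile(r"(pool|adsl|dsl|cab|\bbb\b|dyn|dhcp|ppp)", re.I)

# Constructed input: the resolutions listed in the post, as (address, reverse
# name or None when the reverse lookup failed).
SAMPLE_ANSWERS = [
    ("95.132.96.84", "84-96-132-95.pool.ukrtel.net"),
    ("91.82.242.134", "91.82.242.134.pool.invitel.hu"),
    ("85.250.78.233", "85-250-78-233.bb.netvision.net.il"),
    ("85.202.49.44", "cb44.osiedle.net.pl"),
    ("77.105.21.55", "77-105-21-55.adsl-3.sezampro.yu"),
    ("61.33.234.142", None),
    ("201.87.56.117", None),
    ("190.231.10.249", "host249.190-231-10.telecom.net.ar"),
    ("190.193.100.240", "240-100-193-190.cab.prima.net.ar"),
    ("190.82.41.38", "190-82-41-38.adsl.tie.cl"),
    ("125.185.123.95", None),
    ("121.183.6.137", None),
    ("121.177.11.106", None),
    ("118.219.109.104", None),
    ("115.22.11.185", None),
]

# The lure's URL from the post (query string dropped), defanged as written there.
SAMPLE_URL = ("hxxp://update.microsoft.com.bbttyak.org.uk/"
              "microsoftofficeupdate/KB910737/default.aspx")


def registrable_domain(hostname: str) -> str:
    """Return the label directly beneath the longest matching public suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return hostname.lower()


def classify_url(url: str) -> dict:
    """Say which domain actually owns the hostname and which brand it borrows."""
    host = urlparse(url.replace("hxxp://", "http://", 1)).hostname or ""
    reg = registrable_domain(host)
    # A trusted domain that appears as an interior label run ("microsoft.com.")
    # but is not the registrable domain is a spoofing cue, not a trust signal.
    borrowed = sorted(t for t in TRUSTED_DOMAINS if t + "." in host and t != reg)
    return {"host": host, "registrable": reg,
            "trusted": reg in TRUSTED_DOMAINS, "impersonates": borrowed}


def flux_profile(answers) -> dict:
    """Summarise a resolution set with the features used to spot fast-flux fronts."""
    addrs = {str(ip_address(a)) for a, _ in answers}   # validates each address
    networks = {a.rsplit(".", 2)[0] for a in addrs}     # distinct /16s, a rough "unrelated networks" count
    failed = sum(1 for _, name in answers if name is None)
    residential = sum(1 for _, name in answers if name and RESIDENTIAL_HINT.search(name))
    return {"distinct_ips": len(addrs), "networks": len(networks),
            "failed_reverse": failed, "residential_reverse": residential}


def looks_fast_flux(answers, min_ips: int = 5, min_networks: int = 4) -> bool:
    """Heuristic: many addresses across many networks, at least half residential or unnamed."""
    p = flux_profile(answers)
    suspicious = p["failed_reverse"] + p["residential_reverse"]
    return (p["distinct_ips"] >= min_ips and p["networks"] >= min_networks
            and suspicious * 2 >= p["distinct_ips"])


if __name__ == "__main__":
    print(classify_url(SAMPLE_URL))
    print(flux_profile(SAMPLE_ANSWERS), "fast-flux:", looks_fast_flux(SAMPLE_ANSWERS))
```

The thresholds in `looks_fast_flux` are assumptions chosen to separate this answer set from an ordinary CDN; in practice you would also watch the TTL and re-resolve over time, since a fast-flux domain rotates its A records far faster than a legitimate service.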
VT results:
http://www.virustotal.com/analisis/2629e94703bb29e6eb91582020ffec832f48b1b21d8be5a98aef5751d9bcba5d-1256291029
Ref:
http://hosts-file.net/?s=update.microsoft.com.bbttyak.org.uk
Friday, 23 October 2009
2 comments:
So what is one supposed to do (other than running Spybot - Search & Destroy) after mistakenly loading this malware bot?
Sorry for not mentioning that.
VT shows detection for this is pretty good, so your AV should've already caught it. If it hasn't, then I'd advise downloading either NOD32 or Kaspersky as both of these detect the Zbot infections.