Blog for hpHosts, and whatever else I feel like writing about ....

Friday 23 October 2009

WARNING: Update for Microsoft Outlook / Outlook Express (KB910737)

And here comes yet another fake Windows update. This one claims to be an update for Outlook/Outlook Express, but nope, it's not. Rather predictably, it's the Zbot infection (Forgot to disable NOD32 when grabbing a sample, and it flagged it as Kryptic.ATQ).

URL in the e-mail points to;

hxxp://update.microsoft.com.bbttyak.org.uk/microsoftofficeupdate/KB910737/default.aspx?ln=en-us&email=zerozen@it-mate.co.uk&id=3198874196220775938740383354831368636415974466091534304135864466128

Initial DNS lookup for *.bbttyak.org.uk showed (bearing in mind this domain is part of a botnet, so these IP's will be a small subset of the results you'll see);

IP: 95.132.96.84 [84-96-132-95.pool.ukrtel.net]
IP: 91.82.242.134 [91.82.242.134.pool.invitel.hu]
IP: 85.250.78.233 [85-250-78-233.bb.netvision.net.il]
IP: 85.202.49.44 [cb44.osiedle.net.pl]
IP: 77.105.21.55 [77-105-21-55.adsl-3.sezampro.yu]
IP: 61.33.234.142 [Failed resolution]
IP: 201.87.56.117 [Failed resolution]
IP: 190.231.10.249 [host249.190-231-10.telecom.net.ar]
IP: 190.193.100.240 [240-100-193-190.cab.prima.net.ar]
IP: 190.82.41.38 [190-82-41-38.adsl.tie.cl]
IP: 125.185.123.95 [Failed resolution]
IP: 121.183.6.137 [Failed resolution]
IP: 121.177.11.106 [Failed resolution]
IP: 118.219.109.104 [Failed resolution]
IP: 115.22.11.185 [Failed resolution]

VT results:
http://www.virustotal.com/analisis/2629e94703bb29e6eb91582020ffec832f48b1b21d8be5a98aef5751d9bcba5d-1256291029

Ref:
http://hosts-file.net/?s=update.microsoft.com.bbttyak.org.uk

2 comments:

Ron Kunce said...

So what is one supposed to do (other than running Spybot - Serach & Destroy) after mistakenly loading this malware bot?

MysteryFCM said...

Sorry for not mentioning that.

VT shows detection for this is pretty good, so your AV should've already caught it. If it hasn't, then I'd advise downloading either NOD32 or Kaspersky as both of these detect the Zbot infections.