Posted by: Barracuda Labs
Yesterday, a Purewire employee received an email claiming to offer an update to his Microsoft Outlook configuration:
From: < redacted >
Date: Thursday, October 15, 2009 2:12 PM
To: < redacted >@purewire.com
Subject: Microsoft Outlook Notification for the < redacted >@purewire.com
You have (6) New Message from Outlook Microsoft
– Please re-configure your Microsoft Outlook Again.
– Download attached setup file and install.
The email was accompanied by a zip file that contained an executable with a business-looking smart phone icon.
Instead of a configuration update, the file was actually a malware downloader. When executed, it downloads and installs additional malicious software from the following URL:
AV detections for the second-stage executable are poor. In this case, the second-stage malware is a brand of rogue AV software called Antivirus Pro 2010; the screenshot shows examples of the different types of bogus alerts it generates.
[Screenshot: Antivirus Pro 2010]
This brand of fraudware is particularly aggressive; its tactics include the production of fake errors (about every 30 minutes) that require the user to either purchase the full version of the software or reboot their system.
Users of the PWSS are protected from this threat.
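The delivery method described above, a zip attachment containing an executable, can be checked for before a message reaches the inbox. The following Python code is an added example, not part of the original post; the sample message, its file names and the extension list are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed list of extensions Windows will run on double-click (illustrative, not exhaustive).
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def zipped_executables(raw_email: bytes):
    """Return (attachment, member, reason) for each executable inside a zip attachment."""
    findings = []
    msg = message_from_bytes(raw_email, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        # Trust the bytes, not the declared Content-Type or the attachment name.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                encrypted = bool(info.flag_bits & 0x1)
                # Encrypted members cannot be read without the password.
                head = b"" if encrypted else zf.open(info).read(2)
                if head == b"MZ":
                    findings.append((name, info.filename, "MZ header"))
                elif info.filename.lower().endswith(EXEC_EXTS):
                    findings.append((name, info.filename, "executable extension"))
    return findings

def build_sample() -> bytes:
    """Constructed message shaped like the one in the post; all names are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", b"MZ" + b"\x00" * 62)  # stub with DOS/PE magic only
        zf.writestr("readme.txt", b"plain text")
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Microsoft Outlook Notification"
    msg.set_content("Download attached setup file and install.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="setup.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for hit in zipped_executables(build_sample()):
        print(hit)
```

The check reads each archive member's first two bytes, so an executable renamed to a harmless-looking extension is still reported, and encrypted members fall back to the extension test.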