Thursday, March 29, 2007 6:29 PM
cmosby
SANS Internet Storm Center - IE7.0.exe
IE7.0.exe
Published: 2007-03-29, Last Updated: 2007-03-29 22:53:38 UTC
by Swa Frantzen (Version: 1)
We've received a number of reports of spam appearing to come from "admin@microsoft.com" containing links to a file called IE7.0.exe.
This is what VirusTotal has to say about it:
| Antivirus | Version | Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.3.30.0 | 20070329 | - |
| AntiVir | 7.3.1.46 | 20070329 | TR/Proxy.Agent.CL |
| Authentium | 4.93.8 | 20070329 | - |
| Avast | 4.7.936.0 | 20070329 | - |
| AVG | 7.5.0.447 | 20070329 | - |
| BitDefender | 7.2 | 20070329 | - |
| CAT-QuickHeal | 9.00 | 20070329 | (Suspicious) - DNAScan |
| ClamAV | devel-20070312 | 20070329 | - |
| DrWeb | 4.33 | 20070329 | - |
| eSafe | 7.0.15.0 | 20070329 | - |
| eTrust-Vet | 30.6.3522 | 20070329 | - |
| Ewido | 4.0 | 20070329 | - |
| F-Prot | 4.3.1.45 | 20070328 | - |
| F-Secure | 6.70.13030.0 | 20070329 | Virus.Win32.Grum.a |
| FileAdvisor | 1 | 20070330 | - |
| Fortinet | 2.85.0.0 | 20070329 | suspicious |
| Ikarus | T3.1.1.3 | 20070329 | - |
| Kaspersky | 4.0.2.24 | 20070329 | Virus.Win32.Grum.a |
| McAfee | 4995 | 20070329 | - |
| Microsoft | 1.2306 | 20070329 | - |
| NOD32v2 | 2154 | 20070329 | - |
| Norman | 5.80.02 | 20070329 | - |
| Panda | 9.0.0.4 | 20070329 | Suspicious file |
| Prevx1 | V2 | 20070330 | Covert.Sys.Exec |
| Sophos | 4.16.0 | 20070329 | - |
| Sunbelt | 2.2.907.0 | 20070329 | VIPRE.Suspicious |
| Symantec | 10 | 20070330 | Trojan Horse |
| TheHacker | 6.1.6.080 | 20070323 | - |
| UNA | 1.83 | 20070316 | - |
| VBA32 | 3.11.3 | 20070329 | suspected of Trojan-PSW.Pinch.1 (paranoid heuristics) |
| VirusBuster | 4.3.7:9 | 20070329 | - |
| Webwasher-Gateway | 6.0.1 | 20070329 | Trojan.Proxy.Agent.CL |

Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=c9a385855469
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
File:

| Field | Value |
|---|---|
| Name | IE7.0.exe |
| Size | 33280 |
| md5 | 8e12a8281a6c6ebdbd75c26a93e69437 |
| sha1 | de94c34d51e8c04df174e27bc04eed134aca57d7 |
| Date scanned | 03/30/2007 00:22:04 (CET) |
Norman Sandbox doesn't detect it, and it appears not to run in certain virtual machines either.
Check your logs on proxy servers etc. for IE7.0.exe; it's being hosted in multiple places around the world.
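As an added example (not part of the diary), here is a small Python script that applies that check to Squid-format proxy access logs and verifies any retrieved copy against the size and hashes listed above; the log lines and hostnames in it are constructed placeholders.

```python
import hashlib
import re
from typing import Iterable, List, NamedTuple

# Size and hashes of the IE7.0.exe sample as published in the diary.
KNOWN_SIZE = 33280
KNOWN_MD5 = "8e12a8281a6c6ebdbd75c26a93e69437"
KNOWN_SHA1 = "de94c34d51e8c04df174e27bc04eed134aca57d7"

# Squid native access.log layout:
# timestamp elapsed client status/code bytes method url user hierarchy type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


class Hit(NamedTuple):
    ts: str
    client: str
    url: str
    size: int


def find_ie7_downloads(lines: Iterable[str]) -> List[Hit]:
    """Return requests whose URL path ends in IE7.0.exe (case-insensitive)."""
    hits = []
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue  # not a Squid access-log line; skip it
        path = m["url"].split("?", 1)[0]  # ignore any query string
        if path.lower().endswith("/ie7.0.exe"):
            hits.append(Hit(m["ts"], m["client"], m["url"], int(m["bytes"])))
    return hits


def matches_sample(data: bytes) -> bool:
    """True if a captured file has the size, MD5 and SHA1 given in the diary."""
    return (len(data) == KNOWN_SIZE
            and hashlib.md5(data).hexdigest() == KNOWN_MD5
            and hashlib.sha1(data).hexdigest() == KNOWN_SHA1)


# Constructed sample log lines (not from the diary); hosts are placeholders.
SAMPLE_LOG = """\
1175191200.123 1502 10.0.0.17 TCP_MISS/200 33280 GET http://example.invalid/update/IE7.0.exe - DIRECT/192.0.2.10 application/octet-stream
1175191201.456 12 10.0.0.18 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1175191202.789 900 10.0.0.19 TCP_MISS/200 33280 GET http://mirror.example.invalid/IE7.0.EXE?id=3 - DIRECT/198.51.100.7 application/octet-stream
""".splitlines()

if __name__ == "__main__":
    for hit in find_ie7_downloads(SAMPLE_LOG):
        print(f"{hit.ts} {hit.client} fetched {hit.url} ({hit.size} bytes)")
```

A hit whose byte count equals 33280 is a strong hint that the full sample was delivered; confirm with matches_sample() on a copy recovered from the client or proxy cache.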
Thanks to Dan, Brian, Sean and many other readers.
--
Swa Frantzen --- NET2S
Filed under: Security and Anti-Virus, AntiVirus Information, Internet Hacks