Today’s Other Malware Threat: IE7.0.exe

Lest you think that the ANI thing was the only thing going on today, you’d miss the other part of today’s entertainment. There’s a new Trojan spam going around trying to entice you to download MSFT IE7.0 Beta 2 (never mind that it’s been released). This is, in fact, a new Trojan (Grum) and appears to be entirely unrelated to the ANI threat. The emails have a shiny “download IE7” graphic in them:

[Image: ie7.0.exe download mail]

If you dig into the source of the emails, you’ll see a bunch of text apparently designed to get past spam filters. None of it shows up in the rendered HTML; only that shiny picture, with its link to IE7.0.exe, does.

[Image: ie7.0.exe download source]

This thing was a bear to reverse, by the way. It performs a lot of remote thread injection and defends itself nicely. It blocks IDA Pro, it kills OllyDbg, it blinds a bunch of processes, and the main process (%User%\Local Settings\Temp\winlogon.exe) sleeps quietly if it’s being traced too much. This kept hosing up my XP analysis box. A pretty good sandbox analysis is on the Anubis project website. So far Anubis is the only sandbox that did anything useful with it. Here’s a list of domains we’ve seen used so far for this one (with many more missing from this list):


As fast as these domains appear, get spammed, and get killed, they re-appear. If you can watch a network stream, you can easily look for “/IE7.0.exe” with a tool like ngrep or flowgrep and see the download sites. This one is aggressive and is going to get a lot of play. AV detection was poor earlier in the day, and it’s not much better now. Names like Agent.CL and Grum are being used, but even 12 hours later the detection for it is pretty weak. It’s got an unrecognized packer and some methods that seem uncommon. All in all, one busy day.
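The same “/IE7.0.exe” check, as an added example that is not from the original post: a small Python script that walks reassembled HTTP request heads (the kind of output ngrep or flowgrep gives you) and reports which hosts are serving the download. The sample requests are constructed; the hostnames come from the list above plus a benign placeholder.

```python
import re
from collections import Counter

# Constructed sample of reassembled HTTP request heads, not real capture data:
# each entry is (client_ip, raw_request_head).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "GET /IE7.0.exe HTTP/1.1\r\nHost: cyberbutt.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    ("10.0.0.7", "GET /images/ie7_download.gif HTTP/1.1\r\nHost: gc-music.com\r\n\r\n"),
    ("10.0.0.9", "GET /files/ie7.0.EXE?x=1 HTTP/1.1\r\nHost: monella.net\r\n\r\n"),
    ("10.0.0.5", "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.3", "GET /IE7.0.exe HTTP/1.0\r\n\r\n"),   # HTTP/1.0, no Host header
]

# Match the IE7.0.exe file name at the end of the URI path, case-insensitively,
# allowing a trailing query string (the spam links vary in case and parameters).
IE7_PATH = re.compile(r"/ie7\.0\.exe(?:\?\S*)?$", re.IGNORECASE)
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/\d\.\d$")


def parse_request(raw):
    """Return (method, uri, host) from an HTTP request head, or None if malformed."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    host = None
    for hdr in lines[1:]:
        name, sep, value = hdr.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            break
    return m.group(1), m.group(2), host


def find_ie7_downloads(requests):
    """Return [(client_ip, host, uri)] for every request that fetches IE7.0.exe."""
    hits = []
    for client, raw in requests:
        parsed = parse_request(raw)
        if parsed is not None and IE7_PATH.search(parsed[1]):
            hits.append((client, parsed[2], parsed[1]))
    return hits


def download_sites(hits):
    """Tally the hosts serving the Trojan; requests without a Host header are kept separate."""
    return Counter(host or "(no Host header)" for _, host, _ in hits)


if __name__ == "__main__":
    for client, host, uri in find_ie7_downloads(SAMPLE_REQUESTS):
        print(f"{client} -> {host or '(no Host header)'}{uri}")
    print(download_sites(find_ie7_downloads(SAMPLE_REQUESTS)))
```

Feeding it real request heads instead of the sample list gives you the same view as grepping the stream, plus a per-host count you can hand to whoever is taking the download sites down.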

8 Responses to “Today’s Other Malware Threat: IE7.0.exe”

March 30, 2007 at 12:36 pm, beforeyoukillyourcomputer.com » Blog Archive » IE7 Trojan on the loose said:

[…] Source […]

March 30, 2007 at 9:54 am, Liquidmatrix Security Digest » Your March 30th Morning Coffee said:

[…] Today’s Other Malware Threat: IE7.0.exe […]

March 30, 2007 at 10:16 am, BTT | Blog The Tech » Blog Archive » Today's Other Malware Threat: IE7.0.exe (Jose Nazario/Security to the Core) said:

[…] Today’s Other Malware Threat: IE7.0.exe — Lest you think that the ANI thing was the only thing going on today, you’d miss the other part of today’s entertainment. There’s a new Trojan spam going around trying to entice you to download MSFT IE7.0 Beta 2 (never mind that it’s been released). Source: Security to the Core | Arbor Networks Security Blog Author: Jose Nazario Link: /blog/asert/2007/03/todays-other… Techmeme permalink […]

March 30, 2007 at 10:19 am, zuneone said:

I got two of those e-mails and deleted them. Easy to spot as spam visually but they were not blocked by my filter. Good thing I already use IE7!

March 30, 2007 at 5:10 pm, The Grum Trojan Tips Dr.com said:

[…] abnoba.net 66.98.149.237 cincinnatifeet.com cyberbutt.com gc-music.com arrestingphotography.com kcmancandy.com manualshop.com.ar monella.net tvz-archive.com nottyweb.com Source: Today’s Other Malware Threat: IE7.0.exe […]

April 01, 2007 at 5:52 am, TRaef06 said:

Another case where relying on anti-virus signatures leaves you vulnerable.

Defense in depth is the way to go. If your SPAM filters don’t block it, which they should, then blocking executable downloads unless from a verified site, will keep this out – long before the anti-virus companies have created their signatures. Same thing with the Storm situation earlier in the year (2007).

April 02, 2007 at 2:04 pm, Best Posts from around the Web » Today’s Other Malware Threat: IE7.0.exe said:

[…] Original post by Jose Nazario […]

April 04, 2007 at 10:21 am, Free AntiRootkit Software · Security to the Core | Arbor Networks Security Blog said:

[…] As a complement to a recent post I made here with a list of free online AV scanners, I’d like to share with you a list of free AntiRootkit software for your PC. Especially in light of this past week’s ANI-related malware spate and the new Grum Trojan, you should make sure that you’re always on the lookout for threats. In the past few weeks we’ve seen even more malware that was simply not detected by AV. […]
