Outlook Trojan
Last week we saw a new malware campaign using a fake Microsoft Outlook update as the social engineering tactic du jour. This week has brought more of the same, with a twist: a second version of these messages, which also poses as an Outlook update and appears to come from "Microsoft Customer Support". This version began surfacing late last week and is now running at full throttle; it is much more believable and presumably more effective. In this campaign, spammers attempt to coerce you into following a link to an executable file that they provide, thereby infecting yourself. The link in the email even appears to point to Microsoft.com; however, if you look closely, you will find that the actual base domain is ikl1l1.com. The messages also contain other links that, when clicked, really do take you to the Microsoft website, which makes the message appear more believable.
This is the link contained in the message:
http;//update.microsoft.com.ikl1l1.com/microsoftofficeupdate/isapdl/default.aspx/index2.ph
To the untrained eye, this link may appear safe and legitimate.
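The check a mail filter or analyst can apply to such links, as an added example (not code from the original post): a host is genuine only if it ends in the vendor domain, and a vendor domain appearing as leading labels of another domain is flagged. The `TRUSTED` list, the function names, the two genuine sample links and the naive two-label base-domain rule are assumptions of this example.

```python
from urllib.parse import urlsplit

# Vendor domains treated as genuine (assumption for this example).
TRUSTED = ("microsoft.com",)

def host_of(url):
    """Return the lowercase hostname, undoing 'http;//' / 'hxxp://' defanging."""
    url = url.strip().replace("[.]", ".")
    for prefix in ("http;//", "hxxp://"):
        if url.lower().startswith(prefix):
            url = "http://" + url[len(prefix):]
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def base_domain(url):
    """Naive registrable domain: the last two labels of the host.
    Assumption: good enough for .com; use the Public Suffix List in production."""
    return ".".join(host_of(url).split(".")[-2:])

def classify(url):
    """'trusted' if the host ends in a vendor domain, 'impersonation' if a
    vendor domain only appears as leading labels of another domain, else 'other'."""
    host = host_of(url)
    labels = host.split(".")
    for dom in TRUSTED:
        if host == dom or host.endswith("." + dom):
            return "trusted"
    for dom in TRUSTED:
        want = dom.split(".")
        n = len(want)
        # Search every position except the true suffix (handled above).
        if any(labels[i:i + n] == want for i in range(len(labels) - n)):
            return "impersonation"
    return "other"

def flag_links(links):
    """Return (link, real base domain) for each impersonating link."""
    return [(u, base_domain(u)) for u in links if classify(u) == "impersonation"]

# Links as they might appear in one message: the first is the link quoted in
# the post, the other two are constructed genuine Microsoft links.
SAMPLE_LINKS = [
    "http;//update.microsoft.com.ikl1l1.com/microsoftofficeupdate/isapdl/default.aspx/index2.ph",
    "http://www.microsoft.com/",
    "http://support.microsoft.com/",
]

if __name__ == "__main__":
    for link, real in flag_links(SAMPLE_LINKS):
        print(f"impersonation: host is under {real}: {link}")
```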
Here is what this message looks like:
Following the link in the message takes you to an equally convincing web page that instructs you to download and install this file: officexp-KB910721-FullFile-ENU.exe. This file actually contains a backdoor banking Trojan which allows a remote user to access and steal sensitive data and provides an intruder with remote access to the compromised system.
Here is an example of the page:
Beware of these fake updates, and if you ever find yourself about to install an update that was sent to you through email, stop. Instead of following the link in the email, navigate to the proper website yourself and look for updates there. We are currently blocking all known variants of this virus.
