Bogus Hotmail virus update

Discussion in 'malware problems & news' started by Page42, Mar 13, 2011.

Thread Status:
Not open for further replies.
  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    This just happened.
    While logged into my Hotmail account, this warning popped up (attachment: Hotmail virus message.jpg).
    It looked as though I had been logged out of my account.
    I downloaded the file (msupd271401.exe) to a SBIE sandbox (attachment: Hot mail virus message II.jpg),
    then ran an MBAM scan on it, which said it was bad (attachment: Hotmail virus message III.jpg).
    Jotti and VirusTotal also produced some hits, but surprisingly not more than a dozen total between the two services.
    Although I have the executable sandboxed, I don't have the desire to try running it in there. :cool:
    I knew the minute I saw it that it was fake.
    Just wanted to give folks a heads up.
     
  2. Telixion

    Telixion Registered Member

    Joined:
    Mar 13, 2011
    Posts:
    2
    Yup this just happened to me right now. Didn't prompt me to download anything however.
    I was in my main email and clicked to go to YouTube (not saying it's what caused it, I could have slipped on clicking something) and then the prompt came up.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    First encounter?

    Mine was kind of attribulated actually! It was an exploit (a few years ago!), but AVG LinkScanner stopped it. I checked my system with a few anti-malware tools and one of them flagged something. I went nuts over it, even with a Live CD and would still detect it!

    In the end, it turned out the anti-malware app. had a bug, resulting in the malware detections. :D

    Yours doesn't look like an exploit, though. You were asked to download it, if I assume correctly?

    Google SafeBrowsing would prevent access to that domain! SmartScreen filter didn't. No news here; nothing is 100% efficient.

    SUPERAntispyware flags it. Have you switched to Norton DNS already? ClearCloud would most likely prevent access to it, considering VIPRE has detections for it. It's really a poor detection rate!

    I dissected the domain and looks like it's also for phishing, obviously Hotmail accounts.

    -edit-

    A few days ago it seems that Hotmail ads were pointing to exploits. Now this situation.
     
  4. Telixion

    Telixion Registered Member

    Joined:
    Mar 13, 2011
    Posts:
    2
    Yea first encounter.

    This could be completely different, but yesterday I went to open my email by right-clicking my Messenger tab and going to Inbox. It usually logs me in automatically. This time it was saying my password was incorrect. Thought that was weird because I didn't change my password.
     
  5. fire_fly

    fire_fly Registered Member

    Joined:
    Mar 13, 2011
    Posts:
    6
    I just had the same experience as Page42. Also AVG link scanner had flagged some things the last week or so. When I clicked for further information, AVG had nothing. I thought AVG made a mistake.

    I decided to scan with MicroTrend as AVG is not finding and eliminating anything. The download stopped at 8%. The computer slowed to a snail's crawl. I restarted the computer. MicroTrend did eventually download and is now scanning.

    What do you suggest I scan with to find and remove this?

    Thanks for your help.

    Fire_Fly
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    This is one of the reasons why I only allow access to the domains within *.live.com and a few others belonging to Microsoft, required to access and manage Hotmail/Live Mail.

    My restrictions would stop any crap, because my web browser (the e-mail profile) can't access any other domains, other than those for hotmail.
     
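    The "mail-only browser profile" described in the post above can be written down as a proxy auto-config (PAC) script. What follows is an added example, not m00nbl00d's actual configuration: allow-listed hosts go DIRECT, every other host is handed to a proxy that nothing listens on, so the request fails instead of reaching the rogue domain. The suffix list and the sample hosts are assumptions made for illustration.

```javascript
// Added example (not code from the thread): a PAC script that allows only the
// domains needed for Hotmail/Live Mail and black-holes everything else.
// Written in ES3-style JavaScript because some PAC engines (e.g. WinHTTP's)
// support nothing newer.  The suffix list is an assumption, not the poster's.

var ALLOWED_SUFFIXES = [
  "live.com",            // Hotmail / Live Mail itself
  "hotmail.com",
  "microsoft.com",
  "microsoftonline.com"  // assumed: sign-in endpoints
];

// Port 9 is the TCP "discard" port; no proxy listens there, so the
// connection is refused and the page never loads.
var BLACKHOLE = "PROXY 127.0.0.1:9";

// Normalise the host and match it against the suffix list.  Requiring a "."
// before the suffix is what stops "notlive.com" and "live.com.evil.example"
// from matching "live.com".
function hostAllowed(host) {
  var h = String(host).toLowerCase();
  if (h.charAt(h.length - 1) === ".") {
    h = h.slice(0, -1);               // strip a trailing dot (FQDN form)
  }
  for (var i = 0; i < ALLOWED_SUFFIXES.length; i++) {
    var s = ALLOWED_SUFFIXES[i];
    if (h === s) return true;
    if (h.length > s.length && h.slice(-(s.length + 1)) === "." + s) return true;
  }
  return false;
}

// Standard PAC entry point: the browser calls this for every request.
function FindProxyForURL(url, host) {
  return hostAllowed(host) ? "DIRECT" : BLACKHOLE;
}

// Apply the policy to a list of hosts; used to show the decisions on sample input.
function classify(hosts) {
  var out = {};
  for (var i = 0; i < hosts.length; i++) {
    out[hosts[i]] = FindProxyForURL("https://" + hosts[i] + "/", hosts[i]);
  }
  return out;
}

// Constructed sample hosts (not taken from the thread).
var SAMPLE_HOSTS = [
  "mail.live.com",
  "LOGIN.LIVE.COM.",
  "notlive.com",
  "live.com.evil.example",
  "ads.example.net"
];

if (typeof console !== "undefined") {
  var result = classify(SAMPLE_HOSTS);
  for (var k in result) console.log(k + " -> " + result[k]);
}
```

    To use it, save the file (say mail.pac) and point the dedicated browser profile's "automatic proxy configuration URL" at it. Two caveats: a PAC file is a browser setting, not a security boundary, so anything that runs outside the browser is unaffected, and a host firewall or a DNS allow-list enforces the same idea more strongly; and ad networks embedded in the mail page are blocked too, which is exactly the effect the post describes but may break parts of the page.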
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You could use Live CDs, but, IMO, the best approach would be to visit one of the security forums specialized in cleaning infected systems. There are a few mentioned in this thread: http://www.wilderssecurity.com/showthread.php?t=42148

    Security applications will never find every infection. If you suspect your system may be infected, I'd visit one of those mentioned forums.
     
  8. fire_fly

    fire_fly Registered Member

    Joined:
    Mar 13, 2011
    Posts:
    6
    Moon Blood,

    Thanks for your prompt reply. I will check out the thread. I am not familiar with "Live CD." Would you explain that?

    Thanks,
    Fire_Fly
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    I was using Norton DNS (when the Hotmail issue happened), but just now switched back to ClearCloud and it still loads that Warning page. I'm going to install Vipre Premium tomorrow on one of my computers... really looking forward to it. :)
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Some security vendors provide Live CDs (bootable CDs), which are basically a Linux CD with their antivirus/antimalware application, which loads into your computer's memory. This is particularly useful to find threats like rootkits, which hide their presence while the Operating System (in this case Windows) is running.

    When using such Live CDs, Windows isn't working, so nothing is loaded, and that gives a chance for antimalware applications to detect them, if they can, because rootkits aren't running either.

    This application lets you create a bootable DVD/USB drive with all the Live CDs in a menu, so you can use them one by one: https://www.wilderssecurity.com/showthread.php?t=292555
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. Thanks for the confirmation regarding ClearCloud DNS! It makes sense, though, if GFI/Sunbelt still hadn't crawled that domain and if it is new, which it appears to be. :D
     
  12. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,910
    Location:
    U.S.A.
    fire_fly, first, welcome to Wilders!

    Not knowing the level of your computer expertise, perhaps you could first try the software that Page42 used: Malwarebytes' Anti-Malware. The Free Version should find the culprit as well.
     
  13. spiffyeh

    spiffyeh Registered Member

    Joined:
    Mar 14, 2011
    Posts:
    2
    Hmm.. I just got this message as well. Is it something that's on my computer that could be causing it?
     
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Hi spiffyeh... you ask a good question.

    "Is it something that's on my computer that could be causing it?"
    Maybe. Or maybe not. :)

    AFAIK, these things will appear on well-protected machines. But their appearance can also indicate infection. Put it this way... it is a web site exploitation that caused this warning to appear in place of my Hotmail account page. And it is the security programs that I have in place that protect me. If the right security isn't present, then clicking on that link would cause infection.

    A user can tighten things up, like m00nbl00d described, to preclude these fake warnings. Education is often key. Knowing about the existence of these erroneous warnings can make the difference in whether or not you click on the download. Recognizing them for what they are isn't too hard. Many times there are spelling errors in the fake warning, and that was the case in this one as well, as shown below. The spelling errors are always a good tip-off that the message is bogus. HTH
    (attachment: Hotmail virus message V.jpg)
     
  15. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Could someone post the MD5 please?
     
  16. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Hi SweX

    I don't have the executable on my HD any longer, so I can't help you, but you could go there yourself and download it... last I checked it was all still active, serving up the trojan.
     
  17. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Hi Page42.
    I see. Actually I was more interested in seeing the VT results by searching with the MD5 :D

    When you say "go there yourself", do you mean logging into Hotmail?
    I did that within the last hour and I saw no trace of malware in there then, hmmm...
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    See PM.
     
  19. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Got it Page42.
    Now I got the info I need, and I did find the MD5 via a Google search :thumb:
     
  20. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Lol @ the spelling mistakes, phishing mails in Dutch are abysmal and often funny because of that, but you'd think they would at least get it right in English. The warning is also a contradiction, it states that the email sent to you was quarantined and not delivered and then it asks you to clean your computer o_O
     
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Very good point about the warning contradiction. I agree, you'd think the "bad guys" would be smart enough to do things a little more efficiently and convincingly.
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    To deal with future problems. lol
     
  23. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Haha, so they do know how it should have been done anyway :rolleyes:
     
  24. spiffyeh

    spiffyeh Registered Member

    Joined:
    Mar 14, 2011
    Posts:
    2
    Yeah, I scanned my computer with a couple antivirus/malware programs after it appeared and there was no trace of anything. I didn't download it since it was obviously fake. I just want to make sure it wasn't something on my computer causing it.
     
  25. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    Parents got this while on their webmail before, and someone posted that ads were causing this at Hotmail here at Wilders not too long ago. I use an adblocker so I don't ever get them, and I install an adblocker on every person's machine I work on just to keep them safe from these types of attacks.
     