Bogus Hotmail virus update

This just happened.
While logged into my Hotmail account, this warning popped up... .
It looked as though I had been logged out of my account.
I downloaded the file (msupd271401.exe) to a SBIE sandbox...
then ran an MBAM scan on it, which said it was bad...
Jotti and VirusTotal also produced some hits, but surprisingly not more than a dozen total between the two services.
Although I have the executable sandboxed, I don't have the desire to try running it in there.
I knew the minute I saw it that it was fake.
Just wanted to give folks a heads up.

 

Yup this just happened to me right now. Didn't prompt me to download anything however.
I was in my main email and clicked to go to youtube (Not saying its what caused it, I could have slipped on clicking something) and then the prompt came up.

 

First encounter?

Mine was kind of attribulated actually! It was an exploit (a few years ago!), but AVG LinkScanner stopped it. I checked my system with a few anti-malware tools and one of them flagged something. I went nuts over it, even with a Live CD and would still detect it!

In the end, it turned out the anti-malware app. had a bug, resulting in the malware detections.

Yours doesn't look like an exploit, though. You were asked to download it, if I assume it correct?

Google SafeBrowsing would prevent access to that domain! SmartScreen filter didn't. No news here; nothing is 100% efficient.

SUPERAntispyware flags it. Have you switched to Norton DNS already? ClearCloud would most likely prevent access to it, considering VIPRE has detections for it. It's really a poor detection rate!

I dissected the domain and looks like it's also for phishing, obviously Hotmail accounts.

-edit-

A few days ago it seems that Hotmail ads were poiting to exploits. Now this situation.

 

Yea first encounter.

This could be completely different but yesterday I went to open my email. By right clicking my messenger tab and going to inbox. It automatically logs me usually. This time it was saying my password was incorrect. Thought that was weird because I didnt change my password.

 

I just had the same experience as Page42. Also AVG link scanner had flagged some things the last week or so. When I clicked for further information, AVG had nothing. I thought AVG made a mistake.

I decided to scan with MicroTrend as AVG is not finding and eliminating anything. The download stopped at 8%. The computer slowed to a snail's crawl. I restarted the computer. MicroTrend did eventually download and is now scanning.

What do you suggest I scan with to find and remove this?

Thanks for your help.

Fire_Fly

 

This is one of the reasons why I only allow access to the domains within *.live.com and a few others belonging to Microsoft, required to access and manage Hotmail/Live Mail.

My restrictions would stop any crap, because my web browser (the e-mail profile) can't access any other domains, other than those for hotmail.

 

You could use Live CDs, but, IMO, the best approach would be to visit one of the security forums specialized in cleaning infested systems. There are a few mentioned at this thread -http://www.wilderssecurity.com/showthread.php?t=42148

Security applications will never find every infection. If you suspect your system may be infected, I'd visit one of those mentioned forums.

 

Moon Blood,

Thanks for your prompt reply. I will check out the thread. I am not familiar with "Live CD." Would you explain that?

Thanks,
Fire_Fly

 

I was using Norton DNS (when the Hotmail issue happened), but just now switched back to ClearCloud and it still loads that Warning page. I'm going to install Vipre Premium tomorrow on one of my computers... really looking forward to it.

 

Some security vendors provide Live CDs (bootable CDs), which are basically a basic Linux CD with their antivirus/antimalware application, which loads to your computer memory. This is particularly useful to find threats like rootkits, which hide their presence while the Operating System (in this case Windows) is running.

When using such Live CDs, Windows isn't working, so nothing is loaded, and that gives a chance for antimalware applications to detect them, if they can, because rootkits aren't running either.

This application lets you create a bootable DVD/USB drive with all Live CD in a menu, so you can use them one by one https://www.wilderssecurity.com/showthread.php?t=292555

 

OK. Thanks for the confirmation regarding ClearCloud DNS! It makes sense, though, if GFI/Sunbelt still hadn't crawled that domain and if is new, which appears to be.

 

Hmm.. I just got this message as well. Is it something that's on my computer that could be causing it?

 

Hi spiffyeh... you ask a good question.

"Is it something that's on my computer that could be causing it?"
Maybe. Or maybe not.

AFAIK, these things will appear on well-protected machines. But their appearance can also indicate infection. Put it this way... it is a web site exploitation that caused this warning to appear in place of my Hotmail account page. And it is the security programs that I have in place that protect me. If the right security isn't present, then clicking on that link would cause infection.

A user can tighten things up, like m00nbl00d described, to preclude these fake warnings. Education is often key. Knowing about the existence of these erroneous warnings can make the difference in whether or not you click on the download. Recognizing them for what they are isn't too hard. Many times there are spelling errors in the fake warning, and that was the case in this one as well, as shown below. The spelling errors are always a good tip-off that the message is bogus. HTH

 

Could someone post the MD5 please?

 

Hi SweX

I don't have the executable on my HD any longer, so I can't help you, but you could go there yourself and download it... last I checked it was all still active, serving up the trojan.

 

Hi Page42.
I See, actually I was more interested in seeing the VT results by searching with the MD5

When you say "go there yourself", do you mean logging into Hotmail?
I did that last hour and I saw no trace of malware in there then hmmm...

 

See PM.

 

Got it Page42.
Now I got the info I need, and I did find the MD5 via a Google search

 

Lol @ the spelling mistakes, phishing mails in Dutch are abysmal and often funny because of that, but you'd think they would at least get it right in English. The warning is also a contradiction, it states that the email sent to you was quarantined and not delivered and then it asks you to clean your computer

 

Very good point about the warning contradiction. I agree, you'd think the "bad guys" would be smart enough to do things a little more efficiently and convincingly.

 

To deal with future problems. lol

 

Haha, so they do know how it should have been done anyway

 

Yeah, I scanned my computer with a couple antivirus/malware programs after it appeared and there was no trace of anything. I didn't download it since it was obviously fake. I just want to make sure it wasn't something on my computer causing it.

 

Parents got this while on their webmail before and someone posted that ads were causing this at hotmail here at Wilders not to long ago. I use an adblocker so I don't ever get them and I install an adblocker on every persons machine I work on just to keep them safe from these type of attacks.