Better Business Bureau Fraud Emails (microsoft.dll / microsoft.exe)

August 28, 2007

There is a phishing attempt circulating that sends emails claiming to be from the Better Business Bureau.  The subject line is: “BBB Complaint for {Recipient Name} [Case id: #7dcd4491d93a6cd1f1ac30ad32b4d18d]”  The email that I’ve seen came from: “25153F@bbb.com” although I’m sure there are many.  The email body looks like this:

=================================================

Dear Mr./Mrs. {Recipient Name} ({Company Name})

You have received a complaint in regards to your business services. Use the link below to view the complaint details:

CLICK HERE TO DOWNLOAD AND VIEW DOCUMENTS FOR CASE #B48944

Complaint Case Number: B48944
Complaint Made by Consumer Mrs. Marcia E. Worthington
Complaint Registered Against: {Recipient Name} of {Company Name}

Date: 05/14/2007

Instructions on how to resolve this complaint as well as a copy of the original complaint can be obtained using the link below:

CLICK HERE TO DOWNLOAD AND VIEW DOCUMENTS FOR CASE #B48944

Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them:

• Claims based on product liability;
• Claims for personal injuries;
• Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the BBB.

The BBB offers its members a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.

© 2007 Council of Better Business Bureaus, Inc. All Rights Reserved.

=================================================

I apologize for not being able to provide the actual message header, the email message was deleted by the client. This email contains the following link, under the title: “CLICK HERE TO DOWNLOAD AND VIEW DOCUMENTS FOR CASE #B48944”

http://document-repository.com/redirect.htm?209696923c59b2a19753c85920ddbbb6=435509f28a129b997621ee35cf93402a&63cdd5074896eab1c730678c5c801d31=9e290c3ad8ccbce688f33cdd6073d0fe

This link directs the user to a webpage containing the BBB logo and a single hyperlink:

http://document-repository.com/Complaint_Details_363619942.doc.exe

Upon clicking on the link on this page, a file called “Complaint_Details_363619942.doc.exe” is executed and the following actions are performed:

Files Created:

C:\microsoft.exe (Virus!  For more details, click here)
C:\microsoft.dll

Registry Entries Created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: [Win32KernelStart] “C:\microsoft.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce: [Win32KernelStart] “C:\microsoft.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices: [Win32KernelStart] “C:\microsoft.exe”

Registry Keys Changed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\Magnifier\Application Path\ Changed “magnify.exe” to “C:\Microsoft.exe”

The files mentioned above can be removed by first deleting Microsoft.dll then Microsoft.exe using a program called Killbox. The registry keys can be deleted manually, but the last one mentioned above must be changed back to its original value of “magnify.exe.

Advertisements

NewDotNet Spyware

August 7, 2007

I’ve seen this piece of spyware a few times on client machines and its easy to remove with most spyware apps now.  Whats interesting is what the company actually uses it for.  A good read:

http://cexx.org/newnet.htm

WARNING: Sometimes when you remove this spyware, it can take your Winsock components with it, essentially disabling your network access.  If that happens, use this tool to fix it:

http://www.majorgeeks.com/WinSock_XP_Fix_d4372.html

EDIT:  Alternativly you can use functionality introduced by SP2 –

Windows XP Service Pack 2 – New Winsock NETSH commands

Two new Netsh commands are available in Windows XP Service Pack 2.

netsh winsock reset catalog

This command resets the Winsock catalog to the default configuration. This can be useful if a malformed LSP is installed that results in loss of network connectivity. While use of this command can restore network connectivity, it should be used with care because any previously-installed LSPs will need to be re-installed.

netsh winsock show catalog

This command displays the list of Winsock LSPs that are installed on the computer.

 To output the results to a file type this in Command Prompt (CMD.EXE)

netsh winsock show catalog >C:\lsp.txt

Click to view the sample file nowlsp.txt