Server Upgrade spam

SophosLabs are currently seeing a malware campaign being spammed out. The spam messages have the following body:

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour. The changes will concern security, reliability and performance of mail service and the system as a whole. For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure. This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That’s all.

[Image: Server upgrade spam]

The interesting thing is the way the URL is formatted: it is personalised for each recipient, with the recipient's own mail domain placed as a subdomain of the attacker's domain and the full address embedded in the path. If the spam were sent to john.doe@unknown.net, an example URL would be:

http://updates.unknown.net.secure.baddomain.tld/core/id=76711838821-john.doe@unknown.net-patch29116.asp

The domain baddomain.tld is registered in Russia (Russian name servers). The WHOIS record for the IP address hosting the name server claims it is in Malaysia.
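As an added example, not code from the SophosLabs post, here is a small Python check for the URL pattern described above: it takes a URL and the recipient address and flags when the recipient's mail domain appears as a subdomain of a different registrable domain, or when the recipient's address is embedded in the path. The sample URL below is constructed on the shape shown above, and the registrable-domain helper is a deliberate simplification.

```python
from urllib.parse import urlparse, unquote


def registrable_domain(host: str) -> str:
    # Crude guess: the last two labels. Production code should consult the
    # Public Suffix List so that hosts under e.g. co.uk are handled correctly.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_lure_url(url: str, recipient: str) -> dict:
    """Flag the personalised-URL pattern: the recipient's mail domain used as
    a subdomain of a different registrable domain, and the full recipient
    address embedded in the URL path."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = unquote(parsed.path).lower()
    recipient = recipient.lower()
    _, _, rcpt_domain = recipient.partition("@")

    reg = registrable_domain(host) if host else ""
    # Match on label boundaries so "unknown.net" is not found inside "unknown.network".
    domain_in_host = bool(rcpt_domain) and f".{rcpt_domain}." in f".{host}."
    # Legitimate mail.unknown.net has registrable domain unknown.net; the lure does not.
    spoofed = domain_in_host and reg != rcpt_domain
    addr_in_path = bool(rcpt_domain) and recipient in path

    return {
        "registrable_domain": reg,
        "spoofed_recipient_domain": spoofed,
        "recipient_address_in_path": addr_in_path,
        "suspicious": spoofed or (addr_in_path and reg != rcpt_domain),
    }


if __name__ == "__main__":
    # Constructed sample modelled on the campaign's URL shape (not a live indicator).
    sample = ("http://updates.unknown.net.secure.baddomain.tld/core/"
              "id=76711838821-john.doe@unknown.net-patch29116.asp")
    print(analyse_lure_url(sample, "john.doe@unknown.net"))
```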

The downloaded EXE is currently called patch.exe (SHA1: 8e5a89146db59ff871ee80c9e11f20578560ac82) and is detected by Sophos as Troj/Zbot-IV. Sophos gateway products have already been updated to detect the spam and to block the malicious sites and executable.