Last night our spam traps received a large number of spam emails that claim to link to, or to include, a new settings file for Outlook Web Access (OWA). The mails appear to be sent by the technical staff of the recipient's domain and are quite well made. They are thus targeted at the organisation they are sent to.
Different variants of the malware emails have been sent: some include the malware directly as an attachment, others link to a web site where the malware can be downloaded (spear phishing). The Avira Risk Level indicates phishing level 4, which acknowledges increased phishing activity.
While the HTML email shows the malware link as leading to the real domain, the link really points to a URL of the following form: http://EMAIL_DOMAIN.BADHOST.COM/owa/service_directory/settings.php?email=USER@EMAIL_DOMAIN&from=EMAIL_DOMAIN&fromname=USER . A recipient who is in a rush might thus believe that he is on the real OWA web site.
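The link pattern described above can be checked for in an HTML mail body. The following Python sketch is an added example, not Avira's detection logic; the function names, reason labels and sample domains are assumptions made for illustration. It flags anchors whose visible text names a different host than the href, whose href host embeds the organisation's domain as a prefix of a foreign host, or whose query string carries a recipient address.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _split(value):
    """(hostname, query) of a URL or bare host; ("", "") if unparsable."""
    try:
        parts = urlsplit(value if "//" in value else "//" + value)
        return (parts.hostname or "").lower(), parts.query
    except ValueError:
        return "", ""

def suspicious_links(html_body, org_domain):
    """Hypothetical helper: return [(href, [reasons])] for lure-shaped links."""
    org = org_domain.lower()
    parser = _Anchors()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target, query = _split(href)
        shown = _split(text)[0] if "." in text and " " not in text else ""
        reasons = []
        if shown and shown != target:
            reasons.append("text-href-mismatch")
        if f".{org}." in f".{target}" and not target.endswith("." + org):
            reasons.append("org-domain-as-subdomain")
        if any(v.lower().endswith("@" + org) for vs in parse_qs(query).values() for v in vs):
            reasons.append("recipient-in-query")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample using reserved domains, shaped like the URL form above.
SAMPLE = ('<a href="http://example.org.badhost.example/owa/service_directory/settings.php'
          '?email=alice@example.org&amp;from=example.org&amp;fromname=alice">https://example.org/owa</a>')
```

Calling suspicious_links(SAMPLE, "example.org") reports all three reasons for the constructed link, while a link whose text and href both point at a host under example.org produces no finding.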
While Avira Antispam detects the emails as spam and the URLs are being blacklisted, the virus lab has released detections for the malware with a VDF update. The malware is detected as TR/Vilsel.iop and as TR/Spy.ZBot.9164.1, respectively, with the VDF file 7.01.06.111. The Vilsel trojan is yet another incarnation of the FakeAV plague, while the ZBot steals information.
In any case, do not open these attachments or download the alleged settings files! They can lead to an infection of your system and put it under the control of the malware authors!
Manager International Software Development