By Andrew Brandt
Hot on the heels of the spam campaigns involving emails which purport to come from the IRS, HMRC, and from your IT department comes another round of fake “notification” spam emails — this time, warning users to download and install a patch for the Outlook and Outlook Express email clients.
Like the previous rounds, the file a victim is prompted to download and (hopefully, won’t) install is the prolific, widely-disseminated keylogger we call Progdav (aka “Zbot”). The faux Web page which hosts the malicious file is dressed up to look like a Microsoft Update page, titled “Update for Microsoft Outlook / Outlook Express (KB910737).” In an attempt to legitimize the payload, the page states “This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.”
Uh huh. Highest levels like a fox!
The “update” file/Trojan installer is named officexp-KB910737-FullFile-ENU.exe and comes in at just under 100KB, which puts it in the welterweight class of Stupid Malware Trickery. A cursory glance at the Microsoft Knowledge Base Web site reveals the hardly-surprising fact that, no, there is no Knowledge Base article 910737.
Like virtually all the Progdav samples we’re seeing in recent months, this information-stealing Trojan is a universal data thief. It steals login passwords for Web sites, both as you enter them and from the Protected Storage area, where the browser keeps your “saved” passwords; stored Web browser cookies; FTP account details; POP3 email usernames and passwords; and it keeps track of the Web sites you visit. It disables the Internet Explorer anti-phishing filter, and monitors the contents of the Clipboard, so passwords you copy from one location and paste into another location aren’t safe, even if you never actually type them into a login page from an infected PC.
Our standard advice remains in place here: Avoid following links sent via email regarding updates to standard Windows components. Microsoft doesn’t email its customers about updates, and has other mechanisms, including Automatic Updates, to ensure that the folks who need them will get updates. Don’t download patches or updates to Microsoft products from anywhere other than Microsoft.com, and if you’re really concerned, double-check the Knowledge Base “KB” number to make sure you’re getting what you expect.
And when an untrustworthy link leads you to an untrustworthy page which begs you to “Please download and install the file…” please, don’t.
Webroot Threat Blog - Internet Security Threat Updates from Around the World 
Hi, Andrew, thanks for the blog. How to get rid of this keylogger in XP?
Sweep with our latest product and up-to-date definitions. We can easily delete Progdav.
How can I help in getting rid of these people.
Pingback: Fake Zbot Site Poses as H1N1 Flu Vaccine Info « Webroot Threat Blog
Pingback: Fake Zbot Site Poses As CDC H1N1 Flu Vaccine Info | Business Computing World
Pingback: Facebook Phishing Campaign Wants Your Passwords « Webroot Threat Blog
Pingback: A Look Back at the Worst Infections of 2009 « Webroot Threat Blog
Pingback: A Look Back At The Worst Infections Of 2009 | Business Computing World
Pingback: Zbot Desperately Seeking AIM Users « Webroot Threat Blog
Pingback: Zbot Fakes ABA Banking Site, Seeks a Stimulus Package « Webroot Threat Blog
Pingback: Cover Your Assets on Data Privacy Day « Webroot Threat Blog
I can’t download the Microsoft Outlook-express update that you recommend to do–can you please e-mail me instructions that will work?
Thank you
Scott — this blog item does not describe a legitimate Microsoft Outlook patch update. It is a scam that installs a keylogger on your computer. Do NOT install any update to Outlook that comes from anywhere other than http://update.microsoft.com
If you have already downloaded and attempted to run such an update, you may already be infected. Scan your computer immediately, and use a different, uninfected computer to change any passwords that may have been used, or are stored, on the infected computer.