Download IE7 Spam-bot
No One at Texas Tech University or from Anywhere Else Should Ask For Your Password
An e-mail message allegedly containing a download for Internet Explorer 7 appears to be a spam-bot.
The "Download IE7" email copies IE7.0.exe to the user's TEMP directory as 'winlogon.exe', then deletes the IE7.0.exe. It creates a couple of batch files that it uses to create a registry key that will auto-execute when the user logs in:
HKLU\Software\Microsoft\Windows\CurrentVersion\Run\Firewall auto setup
A while later, the
program makes DNS lookups for several domains and tries to connect to the SMTP
It attempts to 'phone home' to 184.108.40.206 with HTTP and reports "SMTP = bad"
or SMTP = good".
Most anti-virus programs, including McAfee do not detect anything wrong with the IE7.0.exe file. The file has to be downloaded by clicking on the picture that came in the original message. It is not believed that it's executed unless the file IE7.0.exe is clicked on to run it.
If you have a machine you suspect may have been infected, look for the 'winlogon.exe' file in the TEMP directory and delete it.
For assistance, contact IT Help Central at 742-HELP (742-4357).