This morning we saw an e-mail that claimed to carry a Windows update for the vulnerability in the Kodak Image Viewer, which could allow arbitrary code to be executed remotely.

The e-mail appears to come from Microsoft Corp., but the domain it was actually sent from has no relation to the company:


The e-mail subject is “Boletín de seguridad de Microsoft MS07-055 – Crítico” (Spanish for “Microsoft Security Bulletin MS07-055 – Critical”), though there may be other e-mails referring to different updates. The message contains genuine information about the MS07-055 security bulletin. However, the links in the text lead to a different website, one that looks almost identical to Microsoft's.
This is the website we are redirected to. If we do not look closely at the address bar, we end up downloading a backdoor, detected as Bck/Bandok.BO:
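The two tells described above (a sender domain that is not Microsoft's, and links whose visible text looks like a Microsoft URL while the actual target is a lookalike host) can be checked mechanically. The following is an added example, not code from the original post or from Panda; the message it analyses is constructed for illustration and the sender and link hostnames in it (under `.example`) are invented placeholders, not the real domains used in the campaign.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure described in the post. The hostnames
# are invented placeholders; the real campaign used different domains.
SAMPLE_EMAIL = """From: "Microsoft Corp" <security@microsoft-bulletins.example>
To: victim@example.org
Subject: Boletin de seguridad de Microsoft MS07-055 - Critico
Content-Type: text/html; charset=utf-8

<html><body>
<p>Microsoft Security Bulletin MS07-055 - Critical.</p>
<p><a href="http://www.microsoft.com/technet/security/Bulletin/MS07-055.mspx">Bulletin</a></p>
<p><a href="http://update.microsoft-bulletins.example/WindowsXP-KB923810-x86-ENU.exe">
www.microsoft.com/downloads/WindowsXP-KB923810-x86-ENU.exe</a></p>
</body></html>
"""

# Domains a genuine Microsoft bulletin mail and its links should stay within.
LEGIT_DOMAINS = ("microsoft.com",)


def host_is_under(host, domains=LEGIT_DOMAINS):
    """True if host equals one of domains or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def displayed_host(text):
    """Hostname a reader would infer from link text such as 'www.microsoft.com/...'."""
    t = text.strip()
    if not t or " " in t:
        return None
    if "://" not in t:
        t = "http://" + t
    h = urlparse(t).hostname
    return h if h and "." in h else None


def analyse(raw_message):
    """Return a list of (kind, detail) findings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender_dom = msg["From"].addresses[0].domain
    if not host_is_under(sender_dom):
        findings.append(("sender", f"sender domain {sender_dom} is not under microsoft.com"))

    body = msg.get_body(preferencelist=("html",)).get_content()
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        real = urlparse(href).hostname or ""
        if not host_is_under(real):
            findings.append(("link", f"link target {real} is not under microsoft.com"))
            shown = displayed_host(text)
            if shown and host_is_under(shown):
                findings.append(("mismatch", f"link text shows {shown} but points to {real}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_EMAIL):
        print(f"[{kind}] {detail}")
```

The mismatch check is the one that catches this lure specifically: the bulletin text and the first link are genuine, so a check that only looks for "any Microsoft link" would pass the message. Comparing the host a reader sees against the host the browser will actually contact is what exposes the redirect.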

What makes this one interesting is that the malware actually installs the real Microsoft update, plus a backdoor that opens the system to the attackers. The file name is identical to the official package's; only the hash gives it away. This is what you see when you run it:

Microsoft Official Update
MS07-055  WindowsXP-KB923810-x86-ENU.exe
MD5: a2d27a703f93c860e842af732ff3d93f

Fake Microsoft Update
MS07-055   WindowsXP-KB923810-x86-ENU.exe
MD5: b59d788bc907d9aecb15375abe09c606
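Since the trojanised package reuses the official file name, the only way to tell the two apart without running them is to hash the file and compare against a value obtained from a trusted source. The following is an added example (not code from the original post or from Panda) that streams a file through MD5 and classifies the result against the two hashes quoted above; the `KNOWN` table and the verdict labels are this example's own construction.

```python
import hashlib

# MD5 values quoted in the post for WindowsXP-KB923810-x86-ENU.exe. Both files
# share the same name, so the name alone says nothing about which one you have.
KNOWN = {
    "a2d27a703f93c860e842af732ff3d93f": "official",    # genuine MS07-055 package
    "b59d788bc907d9aecb15375abe09c606": "trojanised",  # bundles Bck/Bandok.BO
}


def md5_of_stream(fobj, chunk_size=1 << 20):
    """Hash a binary file object in chunks so large packages don't load into memory."""
    h = hashlib.md5()
    for block in iter(lambda: fobj.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()


def classify_hash(hexdigest):
    """Map a hex MD5 to 'official', 'trojanised' or 'unknown' (case-insensitive)."""
    return KNOWN.get(hexdigest.strip().lower(), "unknown")


def classify_bytes(data):
    return classify_hash(md5_of_bytes(data))


def classify_file(path):
    with open(path, "rb") as f:
        return classify_hash(md5_of_stream(f))


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(f"{p}: {classify_file(p)}")
```

Two caveats a practitioner would add: "unknown" is not "safe", it only means the file is neither of the two samples seen here, so treat it as untrusted until verified against a hash from Microsoft's own download page; and a hash table like this only covers the exact binaries already observed, so checking the package's Authenticode signature, which genuine Microsoft updates carry, is the more general test.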

Thanks to Fernando de la Cuadra and Xabier Francisco for this one!