This morning we saw an e-mail that was supposed to contain a Windows update for the vulnerability in the Kodak image viewer, which could allow arbitrary code to be executed remotely.
The e-mail appears to come from Microsoft Corp, though the domain it was sent from has no relation to that company:
The e-mail subject is “Boletín de seguridad de Microsoft MS07-055 – Crítico”, though there may be other e-mails referring to different updates. The message contains genuine information about the security bulletin MS07-055. However, the links included in the text lead to a different website, a look-alike of Microsoft’s.
This is the website we are redirected to. Anyone who does not look closely at the web address will end up downloading a backdoor, detected as Bck/Bandok.BO:
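The two warning signs described above, a sender domain unrelated to the company it claims to be and links whose visible text suggests Microsoft while the real target is a look-alike host, can be checked mechanically. The script below is an added example and not part of the original post: it parses a raw message, compares the sender domain and every link host against a trusted-domain set, and flags mismatches. The sample message, the `.test` domains and the trusted set are constructed assumptions, and `registrable()` uses a crude last-two-labels rule rather than a public-suffix list.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the message claims to represent (assumption: the vendor's real domains).
TRUSTED = {"microsoft.com"}

def registrable(host):  # last two labels; assumption: no public-suffix list used
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(raw):
    """Return a list of findings for a raw RFC 822 message with an HTML body."""
    msg = message_from_string(raw)
    findings = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if registrable(sender_host) not in TRUSTED:
        findings.append(f"sender domain {sender_host!r} is not a trusted domain")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registrable(host) not in TRUSTED:
            findings.append(f"link {href!r} (shown as {text!r}) points outside trusted domains")
    return findings

# Constructed sample resembling the mail described above (not the real message).
SAMPLE = """From: Microsoft Security <update@not-microsoft-example.test>
Subject: Boletin de seguridad de Microsoft MS07-055
Content-Type: text/html

<p>Descargue la actualizacion: <a href="http://www.micros0ft-update.test/MS07-055.exe">www.microsoft.com/downloads</a></p>
"""
```

Running `check_message(SAMPLE)` yields two findings, one for the sender domain and one for the link; a message whose sender and links all sit under `microsoft.com` yields none.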
A really curious thing is that this malware does in fact install the real MS update, plus a free backdoor that opens your system to the bad guys. This is what you see when you run it:
Screenshot: Microsoft Official Update
Screenshot: Fake Microsoft Update
Thanks to Fernando de la Cuadra and Xabier Francisco for this one!