Alert: Yet more malicious Microsoft e-mails

[MysteryFCM]

Following on from the previous Microsoft e-mail botnet;

http://hphosts.blogspot.com/2009/08/yab-yet-another-botnet-microsoft.html

.. I'm now receiving several e-mails pointing to worm infections hosted on RapidShare, going through king.cd

http://hphosts.blogspot.com/2009/08/alert-malicious-microsoft-e-mail-using.html

[SysAdMini]

91.207.116.22 is located on a Rushkranian block, apparently owned by Rise-v Ltd, which was also the source of the exploit at kervinly.com.

Today we've seen more of these fake Microsoft e-mails. I have checked the file at the given url
hxxp://update.microsoft.com.vciii.net/microsoftofficeupdate/isapdl/de.aspx/officexp-KB910721-FullFile-ENU.exe

It downloads a Zbot trojan from domain shipal.eu at the known ip 91.207.116.22.
http://www.virustotal.com/analisis/20bdac97d430bcb74805f94faefdf5e6424b38f00bd61e97372c0fc17c5c6a8b-1250721169 17/41

Therefore I have checked what else can be found at this host.

Here is the list:

http://www.malwaredomainlist.com/mdl.php?search=91.207.116.22&colsearch=All&quantity=50

[MysteryFCM]

Nice one, cheers