Better Business Bureau Fraud Emails (microsoft.dll / microsoft.exe)

There is a phishing attempt circulating that sends emails claiming to be from the Better Business Bureau.  The subject line is: “BBB Complaint for {Recipient Name} [Case id: #7dcd4491d93a6cd1f1ac30ad32b4d18d]”  The email that I’ve seen came from: “25153F@bbb.com” although I’m sure there are many.  The email body looks like this:

=================================================

Dear Mr./Mrs. {Recipient Name} ({Company Name})

You have received a complaint in regards to your business services. Use the link below to view the complaint details:

CLICK HERE TO DOWNLOAD AND VIEW DOCUMENTS FOR CASE #B48944

Complaint Case Number: B48944
Complaint Made by Consumer Mrs. Marcia E. Worthington
Complaint Registered Against: {Recipient Name} of {Company Name}

Date: 05/14/2007

Instructions on how to resolve this complaint as well as a copy of the original complaint can be obtained using the link below:

CLICK HERE TO DOWNLOAD AND VIEW DOCUMENTS FOR CASE #B48944

Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them:

• Claims based on product liability;
• Claims for personal injuries;
• Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the BBB.

The BBB offers its members a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.

© 2007 Council of Better Business Bureaus, Inc. All Rights Reserved.

=================================================

I apologize for not being able to provide the actual message header, the email message was deleted by the client. This email contains the following link, under the title: “CLICK HERE TO DOWNLOAD AND VIEW DOCUMENTS FOR CASE #B48944”

http://document-repository.com/redirect.htm?209696923c59b2a19753c85920ddbbb6=435509f28a129 …

This link directs the user to a webpage containing the BBB logo and a single hyperlink:

http://document-repository.com/Complaint_Details_363619942.doc.exe

Upon clicking on the link on this page, a file called “Complaint_Details_363619942.doc.exe” is executed and the following actions are performed:

Files Created:

C:microsoft.exe (Virus!  For more details, click here)
C:microsoft.dll

Registry Entries Created:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun: [Win32KernelStart] “C:microsoft.exe”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce: [Win32KernelStart] “C:microsoft.exe”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices: [Win32KernelStart] “C:microsoft.exe”

Registry Keys Changed:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionAccessibilityUtility ManagerMagnifierApplication Path Changed “magnify.exe” to “C:Microsoft.exe”

The files mentioned above can be removed by first deleting Microsoft.dll then Microsoft.exe using a program called Killbox. The registry keys can be deleted manually, but the last one mentioned above must be changed back to its original value of “magnify.exe.