Fake IE 7 Download Spam
We’ve received numerous spam messages today on the subject of Internet Explorer 7 downloads. The messages appear to come from Microsoft, and a file named “IE7.0.exe” will be downloaded. This is not the real Internet Explorer 7; it is Virus.Win32.Grum.a. If you receive the same spam, please delete it at once.
We have received several different download URLs, hosted on a number of different domains.
Some of them have been closed now; some are still active. We hope everyone can block these domains.
The file is 33,792 bytes in size and packed with TLPack; its MD5 hash is 0423541c811fd0dba2a6e804320dd613.
Upon execution, it copies itself to the following path:
%temp%\winlogon.exe
It adds the following autostart registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Firewall auto setup = %temp%\winlogon.exe
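A check for the persistence described above, as an added example that is not part of the original post: it scans Run-key values for a system process name outside System32 or an image under the temp directory, which generalizes beyond the single value listed here. The environment paths, the extra process names and every sample entry except "Firewall auto setup" are constructed assumptions.

```python
import ntpath
import re

# Process names to watch: winlogon.exe is from the page, the rest are assumed.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe"}

# Constructed sample data: only "Firewall auto setup" comes from the page.
SAMPLE_ENV = {"temp": r"C:\Users\alice\AppData\Local\Temp",
              "systemroot": r"C:\Windows"}
SAMPLE_RUN = {
    "Firewall auto setup": r"%temp%\winlogon.exe",
    "SecurityHealth": r"%systemroot%\system32\SecurityHealthSystray.exe",
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /background',
    "Helper": r"%TEMP%\setup\helper.exe -q",
}

def expand(value, env):
    """Expand %VAR% references (case-insensitive) from the env mapping."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), value)

def image_path(command, env):
    """Return the normalized executable path of a Run value."""
    command = expand(command.strip(), env)
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
        path = m.group(1) if m else command.split(" ", 1)[0]
    return ntpath.normcase(ntpath.normpath(path))

def suspicious_run_entries(entries, env):
    """Return (value name, image path, reason) for suspicious Run values."""
    temp = ntpath.normcase(ntpath.normpath(env["temp"]))
    system_dir = ntpath.normcase(ntpath.join(env["systemroot"], "system32"))
    findings = []
    for name, command in entries.items():
        path = image_path(command, env)
        folder, exe = ntpath.split(path)
        if exe in SYSTEM_NAMES and folder != system_dir:
            findings.append((name, path, "system process name outside System32"))
        elif folder == temp or folder.startswith(temp + "\\"):
            findings.append((name, path, "autostart image under temp directory"))
    return findings

if __name__ == "__main__":
    for finding in suspicious_run_entries(SAMPLE_RUN, SAMPLE_ENV):
        print(finding)
```

On a live host the entries would come from an export of the HKCU Run key rather than the sample dictionary.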