
Microsoft Update Or Trojan Virus?



John Stith
Staff Writer
2005-12-12



In yet another annoying move, virus writers have done something new: they have built a Trojan that arrives as a spammed e-mail looking almost exactly like a Microsoft security update notice. It goes through the motions of a standard update, and the great thing is that on the first pass only a few of the virus scanners picked it up.

A hat tip goes to Alex Eckelberry over at the SunbeltBlog for a nice analysis of the virus. He picked it up from Codefish, who printed a listing of what shows up in the message. The researchers over at Sunbelt went through the process and opened the email. It even has a EULA screen that comes up, and the user has to agree to the terms and conditions before it proceeds.

Here's what you get if you have the email, as listed by Codefish:

IP(s)/Domain(s): 66.49.184.119 (No WHOIS available)
URL(s): http://66.49.184.119/Windows-KB899588-x86-ENU.exe
Recommend Block?: Yes - For the time being

Description

Our first trojan write-up since we've been gone. This trojan uses a "Windows Update" spam as its lure. The email sent out reads:

Subject: Critical security update available

Microsoft Security Bulletin MS05-039
Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)
Summary:
Who should receive this document: Customers who use Microsoft Windows
Impact of Vulnerability: Remote Code Execution and Local Elevation of Privilege
Maximum Severity Rating: CRITICAL
Recommendation: Customers should apply the update immediately.
Security Update Replacement: None
Caveats: None
Tested Software and Security Update Download Locations:

Affected Software:

• Microsoft Windows 2000 Service Pack 4 - Download the update
• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 - Download the update
• Microsoft Windows XP Professional x64 Edition - Download the update
• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 - Download the update
• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems - Download the update
• Microsoft Windows Server 2003 x64 Edition - Download the update

Non-Affected Software:

• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

Executive Summary:

This update resolves a newly discovered, privately reported vulnerability. A remote code execution vulnerability exists in Plug and Play (PnP) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Conclusion: We recommend that customers apply the update immediately.

© 2005 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement



Now there really is an MS05-039 Windows patch. It really is exactly what this email outlines. However, two things:

1) Microsoft doesn't spam out emails telling people about patches. It does send them to people who have signed onto their security list, however.

2) The email links the "downloads" directly to:

-http://66.49.184.119/Windows-KB899588-x86-ENU.exe-


Codefish pointed out on their site that Microsoft never links to executable files. That should be the first clue. Also note Codefish's comments: this actually is the patch from Microsoft, but the virus folks bundled some naughty bits in with it as well.

This is yet another attack to be aware of, and it also reiterates the basic advice: don't open unknown files from ANYONE, not even Microsoft. If you think a bulletin is genuine, go to Windows Update or microsoft.com yourself rather than following a link in the mail.
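The two tells described above (a "download" link that goes to a bare IP address, and a link that points straight at an executable) are easy to check mechanically before anyone clicks. The script below is an added example, not code from Codefish, Sunbelt or this article: it pulls every link out of an HTML e-mail body and reports the ones that do not look like a Microsoft bulletin link. The sample message is constructed here to resemble the lure; the only URL taken from the page is the 66.49.184.119 one. The assumption that genuine bulletin links live under microsoft.com, and the second (benign) URL, are the author's illustrations, not something the article states.

```python
"""Flag 'security bulletin' e-mails whose links do not behave like Microsoft's.

Heuristics from the write-up: Microsoft does not link to executables, and the
lure linked to a bare IP address instead of a Microsoft host.  Added example;
the sample e-mail body below is constructed, not a captured message.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: real bulletin links are hosted under microsoft.com.
TRUSTED_SUFFIXES = ("microsoft.com",)
# File types Microsoft would never link to directly from a bulletin mail.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi")

# Constructed sample: the first link is the real lure URL from the write-up,
# the second is an illustrative bulletin URL used as the benign control.
SAMPLE_EMAIL = """
<p>Microsoft Security Bulletin MS05-039</p>
<ul>
<li>Microsoft Windows XP Service Pack 2 -
    <a href="http://66.49.184.119/Windows-KB899588-x86-ENU.exe">Download the update</a></li>
<li>Read the bulletin:
    <a href="http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx">MS05-039</a></li>
</ul>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, " ".join(text.split())))
            self._current = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def is_ip_literal(host):
    """True if the host part of a URL is a raw IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def host_is_trusted(host):
    """Exact match or subdomain of a trusted suffix; 'microsoft.com.evil.example' fails."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def check_link(href):
    """Return the reasons a link looks unlike a genuine bulletin link ([] if none)."""
    parts = urlsplit(href)
    host = parts.hostname or ""
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append("unexpected scheme %r" % parts.scheme)
    if is_ip_literal(host):
        reasons.append("host is a bare IP address")
    elif not host_is_trusted(host):
        reasons.append("host %r is not under a trusted domain" % host)
    if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("link points directly at an executable")
    return reasons


def triage(html):
    """Map each suspicious href in the mail body to its list of reasons."""
    findings = {}
    for href, _text in extract_links(html):
        reasons = check_link(href)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in triage(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, the lure URL is reported for both reasons and the microsoft.com link is silent. The suffix check deliberately requires a dot boundary, so look-alike hosts such as microsoft.com.update-center.example are not trusted.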






About the Author:
John is a staff writer for SecurityProNews covering cyber security.
