Re: [Declude.Virus] Windows Update!

[Greg Little]

Here's some background info on this pest (from another list). Greg Little -------- Original Message -------- Subject: [AVS] (Fwd) 'Update your windows machine' fraudulent email Date: Fri, 08 Apr 2005 09:27:43 -0700 From: Angus Scott-Fleming <[EMAIL PROTECTED]> Reply-To: Network Security Managers List <[EMAIL PROTECTED]> Organization: GeoApps To: [EMAIL PROTECTED] ------- Forwarded message follows ------- From: [EMAIL PROTECTED] Date sent: Fri, 8 Apr 2005 02:28:14 UT To: [EMAIL PROTECTED] Subject: [NATIONAL-ALERTS] (AUSCERT AL-2005.007) 'Update your windows machine' fraudulent email Send reply to: [EMAIL PROTECTED] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== A U S C E R T A L E R T AL-2005.007 -- AUSCERT ALERT 'Update your windows machine' fraudulent email 8 April 2005 =========================================================================== OVERVIEW AusCERT would like to advise that a fraudulent email with a subject line of 'Update your windows machine' is currently circulating, with a claimed sender of [EMAIL PROTECTED]. This email links to a site which fraudulently presents itself as the Microsoft Windows Update web site. When clicking on links on the site claiming to apply an 'Express Install' or 'Custom Install', a malicious executable will attempt to run on the user's machine. This executable will attempt to connect to an IRC chat server, allowing a malicious user to take control of the user's machine and potentially involve it in other malicious activity. VULNERABILITY The web site involved in this instance does not exploit any software vulnerabilities. Instead, it uses a social engineering trick to entice a user to run malicious code. MITIGATION This exploit requires user interaction - deleting these emails as they arrive and not clicking on any links they contain is a safe mitigation strategy. Users should, as ever, remain aware of the danger of clicking on links in unsolicited emails. EXPLOIT DETAILS The current email used to entice people to visit the malicious site looks like: ------- Subject: Update your windows machine From: Windows Update <[EMAIL PROTECTED]> To: Auscert <[EMAIL PROTECTED]> Welcome to Windows Update Get the latest updates available for your computer's operating system, software, and hardware. Windows Update scans your computer and provides you with a selection of updates tailored just for you. Express Install : High Priority Updates for Your Computer -------- This includes links to go to one of the following IP addresses: 64.71.77.76 221.151.249.236 Other IP addresses or domain names may be used in future variants of this email. If the malicious code is downloaded and run, the malware will install itself on the user's system as MFC42.exe, and will configure itself to run on startup. It will then attempt to connect to an IRC chat server, which allows an attacker to execute commands on infected hosts. This may include involving infected hosts in Distributed Denial of Service (DDOS) attacks on other Internet hosts. This collection of attacker-controlled machines is also known as a 'botnet'. This is detected by the following anti-virus products as: Kapersky: Backdoor.Win32.DSNX.05.a Panda: Bck/DSNX.05 AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: [EMAIL PROTECTED] Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBQlXsKih9+71yA2DNAQIu/gP/U4FS8KDewljJvZt3IwE2Fi42kVkLpNSU st59k/U5eJdbZT1/kmWXiSgrO5vYCIqWRY5EoOM78mnK3Rz0PSTYn+Mk6CLZa6BL AyDOQtfaCeaUjdyB08Q5tdhNPM9vdSbiQzLcKJaIso32bkgDhxI7AGMjjgDXkDlE 5jC4Sc56tWY= =DTSP -----END PGP SIGNATURE----- AusCERT is the national computer emergency response team for Australia. We monitor various sources around the globe and provide reliable and independent information about serious computer network threats and vulnerabilities. AusCERT, which is a not-for-profit organisation, operates a cost-recovery service for its members and a smaller free security bulletin service to subscribers of the National Alerts Service. In the interests of protecting your information systems and keeping up to date with relevant information to protect your information systems, you should be aware that not all security bulletins published or distributed by AusCERT are included in the National Alert Service. AusCERT may publish and distribute bulletins to its members which contain information about serious computer network threats and vulnerabilities that could affect your information systems. Many of these security bulletins are publicly accessible from our web site. AusCERT maintains the mailing list for access to National Alerts Service security bulletins. If you are subscribed to the National Alerts Service and wish to cancel your subscription to this service, please follow the instructions at: http://www.auscert.org.au/msubmit.html?it=3058 Previous security bulletins published or distributed as part of the National Alerts Service can be retrieved from: http://national.auscert.org.au/render.html?cid=2998 Previous security bulletins published or distributed by AusCERT can be retrieved from: http://www.auscert.org.au/render.html?cid=1 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://national.auscert.org.au/render.html?it=3192 ------- End of forwarded message ------- -- Angus Scott-Fleming _______________________________________________ Network Security Managers mailing list [EMAIL PROTECTED] http://geoapps.com/mailman/listinfo/mcafee_geoapps.com --- [This E-mail scanned for viruses by Findlay Internet] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.