Note, I found and filtered a few of these today that used ordinary links rather than numbered ones. I'm guessing the variants are already out.
_M

On Monday, April 11, 2005, 6:01:24 PM, Greg wrote:

GL> Here's some background info on this pest (from another list).
GL> Greg Little
GL>
GL> -------- Original Message --------
GL> Subject: [AVS] (Fwd) 'Update your windows machine' fraudulent email
GL> Date: Fri, 08 Apr 2005 09:27:43 -0700
GL> From: Angus Scott-Fleming <[EMAIL PROTECTED]>
GL> Reply-To: Network Security Managers List <[EMAIL PROTECTED]>
GL> Organization: GeoApps
GL> To: [EMAIL PROTECTED]
GL>
GL> ------- Forwarded message follows -------
GL> From: [EMAIL PROTECTED]
GL> Sent: Fri, 8 Apr 2005 02:28:14 UT
GL> To: [EMAIL PROTECTED]
GL> Subject: [NATIONAL-ALERTS] (AUSCERT AL-2005.007) 'Update your windows machine' fraudulent email
GL> Send reply to: [EMAIL PROTECTED]
GL>
GL> -----BEGIN PGP SIGNED MESSAGE-----
GL> Hash: SHA1
GL>
GL> ===========================================================================
GL>                        A U S C E R T   A L E R T
GL>
GL>                        AL-2005.007 -- AUSCERT ALERT
GL>               'Update your windows machine' fraudulent email
GL>                              8 April 2005
GL> ===========================================================================
GL>
GL> OVERVIEW
GL>
GL> AusCERT would like to advise that a fraudulent email with a subject line of
GL> 'Update your windows machine' is currently circulating, with a claimed sender
GL> of [EMAIL PROTECTED] This email links to a site which fraudulently
GL> presents itself as the Microsoft Windows Update web site. When clicking on
GL> links on the site claiming to apply an 'Express Install' or 'Custom
GL> Install', a malicious executable will attempt to run on the user's machine.
GL> This executable will attempt to connect to an IRC chat server, allowing a
GL> malicious user to take control of the user's machine and potentially involve
GL> it in other malicious activity.
GL>
GL> VULNERABILITY
GL>
GL> The web site involved in this instance does not exploit any software
GL> vulnerabilities. Instead, it uses a social engineering trick to entice a
GL> user to run malicious code.
GL>
GL> MITIGATION
GL>
GL> This exploit requires user interaction - deleting these emails as they
GL> arrive and not clicking on any links they contain is a safe mitigation
GL> strategy.
GL>
GL> Users should, as ever, remain aware of the danger of clicking on links in
GL> unsolicited emails.
GL>
GL> EXPLOIT DETAILS
GL>
GL> The current email used to entice people to visit the malicious site looks
GL> like:
GL>
GL> -------
GL> Subject: Update your windows machine
GL> From: Windows Update <[EMAIL PROTECTED]>
GL> To: Auscert <[EMAIL PROTECTED]>
GL>
GL> Welcome to Windows Update
GL>
GL> Get the latest updates available for your computer's operating system,
GL> software, and hardware.
GL>
GL> Windows Update scans your computer and provides you with a
GL> selection of updates tailored just for you.
GL>
GL> Express Install : High Priority Updates for Your Computer
GL> --------
GL>
GL> This includes links to go to one of the following IP addresses:
GL>
GL> 64.71.77.76
GL> 221.151.249.236
GL>
GL> Other IP addresses or domain names may be used in future variants of this
GL> email.
GL>
GL> If the malicious code is downloaded and run, the malware will install itself
GL> on the user's system as MFC42.exe, and will configure itself to run on
GL> startup. It will then attempt to connect to an IRC chat server, which
GL> allows an attacker to execute commands on infected hosts. This may include
GL> involving infected hosts in Distributed Denial of Service (DDOS) attacks on
GL> other Internet hosts. This collection of attacker-controlled machines is
GL> also known as a 'botnet'.
GL>
GL> This is detected by the following anti-virus products as:
GL>
GL> Kaspersky: Backdoor.Win32.DSNX.05.a
GL> Panda: Bck/DSNX.05
GL>
GL> AusCERT has made every effort to ensure that the information contained
GL> in this document is accurate. However, the decision to use the information
GL> described is the responsibility of each user or organisation. The decision to
GL> follow or act on information or advice contained in this security bulletin is
GL> the responsibility of each user or organisation, and should be considered in
GL> accordance with your organisation's site policies and procedures. AusCERT
GL> takes no responsibility for consequences which may arise from following or
GL> acting on information or advice contained in this security bulletin.
GL>
GL> If you believe that your computer system has been compromised or attacked in
GL> any way, we encourage you to let us know by completing the secure National IT
GL> Incident Reporting Form at:
GL>
GL> http://www.auscert.org.au/render.html?it=3192
GL>
GL> ===========================================================================
GL> Australian Computer Emergency Response Team
GL> The University of Queensland
GL> Brisbane Qld 4072
GL>
GL> Internet Email: [EMAIL PROTECTED]: (07) 3365 7031
GL> Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
GL> AusCERT personnel answer during Queensland business hours
GL> which are GMT+10:00 (AEST). On call after hours for member
GL> emergencies only.
GL> ===========================================================================
GL>
GL> -----BEGIN PGP SIGNATURE-----
GL> Comment: http://www.auscert.org.au/render.html?it=1967
GL> -----END PGP SIGNATURE-----
GL>
GL> AusCERT is the national computer emergency response team for Australia. We
GL> monitor various sources around the globe and provide reliable and independent
GL> information about serious computer network threats and vulnerabilities.
GL> AusCERT, which is a not-for-profit organisation, operates a cost-recovery
GL> service for its members and a smaller free security bulletin service to
GL> subscribers of the National Alerts Service.
GL>
GL> In the interests of protecting your information systems and keeping up to date
GL> with relevant information to protect your information systems, you should be
GL> aware that not all security bulletins published or distributed by AusCERT are
GL> included in the National Alert Service. AusCERT may publish and distribute
GL> bulletins to its members which contain information about serious computer
GL> network threats and vulnerabilities that could affect your information
GL> systems. Many of these security bulletins are publicly accessible from our web
GL> site.
GL>
GL> AusCERT maintains the mailing list for access to National Alerts Service
GL> security bulletins. If you are subscribed to the National Alerts Service and
GL> wish to cancel your subscription to this service, please follow the
GL> instructions at:
GL>
GL> http://www.auscert.org.au/msubmit.html?it=3058
GL>
GL> Previous security bulletins published or distributed as part of the National
GL> Alerts Service can be retrieved from:
GL>
GL> http://national.auscert.org.au/render.html?cid=2998
GL>
GL> Previous security bulletins published or distributed by AusCERT can be
GL> retrieved from:
GL>
GL> http://www.auscert.org.au/render.html?cid=1
GL>
GL> If you believe that your computer system has been compromised or attacked in
GL> any way, we encourage you to let us know by completing the secure National IT
GL> Incident Reporting Form at:
GL>
GL> http://national.auscert.org.au/render.html?it=3192
GL>
GL> ------- End of forwarded message -------
GL> --
GL> Angus Scott-Fleming
GL>
GL> _______________________________________________
GL> Network Security Managers mailing list
GL> [EMAIL PROTECTED]
GL> http://geoapps.com/mailman/listinfo/mcafee_geoapps.com
GL>
GL> ---
GL> [This E-mail scanned for viruses by Findlay Internet]
GL>
GL> ---
GL> This E-mail came from the Declude.Virus mailing list. To
GL> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
GL> "unsubscribe Declude.Virus". The archives can be found at
GL> http://www.mail-archive.com.
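Added example (not from the list post or the AusCERT bulletin): a small mail-filter check for the two lure shapes discussed in this thread, links that go straight to an IP address ("numbered" links, as in the alert) and the "ordinary link" variant where update wording points at a host that is not Microsoft's. The sample message, the hosts in it, and the `.microsoft.com` allow-list are constructed assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample modelled on the lure quoted in the alert; hosts are
# documentation/reserved names, not the addresses from the bulletin.
SAMPLE_EMAIL = """Subject: Update your windows machine
From: Windows Update <noreply@example.invalid>

Welcome to Windows Update
<a href="http://192.0.2.10/update/express.php">Express Install : High Priority Updates</a>
<a href="http://update.example.net/custom">Custom Install</a>
<a href="http://www.microsoft.com/windowsupdate">Windows Update home</a>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'^[a-z][a-z0-9+.-]*://([^/:?#]+)', re.I)
LURE_SUBJECTS = ("update your windows machine",)      # subject from the alert
UPDATE_WORDS = ("windows update", "express install", "custom install")
TRUSTED_SUFFIX = ".microsoft.com"                      # assumed allow-list

def is_ip_literal(host):
    """True for 'numbered' links whose host is a bare IPv4/IPv6 address."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def analyse_message(raw):
    """Return (reason, value) findings for a raw RFC 822-style message."""
    findings = []
    headers, _, body = raw.partition("\n\n")
    subject = ""
    for line in headers.splitlines():
        if line.lower().startswith("subject:"):
            subject = line.split(":", 1)[1].strip()
    if subject.lower() in LURE_SUBJECTS:
        findings.append(("subject", subject))
    for url, text in LINK_RE.findall(body):
        m = HOST_RE.match(url)
        if not m:
            continue
        host = m.group(1).lower()
        label = re.sub(r"\s+", " ", text).strip().lower()
        if is_ip_literal(host):                    # link straight to an IP
            findings.append(("ip-link", url))
        elif any(w in label for w in UPDATE_WORDS) and not host.endswith(TRUSTED_SUFFIX):
            findings.append(("brand-mismatch", url))  # update wording, other host
    return findings
```

Run `analyse_message(SAMPLE_EMAIL)` to see the subject hit, the IP-literal link and the brand-mismatch link reported; the legitimate Microsoft link is left alone.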