As most of you know, Microsoft doesn't distribute its software updates via e-mail, although this recently received bogus message tries to convince us otherwise. It claims to be from Steve Lipner, who actually is a Director of Microsoft's security engineering team. It even explains that the reason for the update being delivered via e-mail is to help prevent malicious software, and that this is a new experimental feature. The attachment is a malicious application, so delete it immediately!
Perhaps it's just a coincidence, but it popped up the same day as Microsoft's official advance notification for the October security bulletin. From a social engineering viewpoint that timing could lend credibility to the attack: if a recipient used a search engine, they could easily find the announcement of an upcoming update. On the other hand, they may just find our blog and this warning. I should point out that this isn't the first time we've seen messages with malicious attachments pretending to be from Microsoft; they've been around a long time.
The message carries a fake PGP signature to try to gain credibility. The attached file uses a naming convention such as KB123456.exe, where the number can change. Running it in a sandbox environment shows that it makes HTTP requests to ulm-haafeulm-haa.com and social-bos.biz to download additional files. It modifies the registry, deletes cookies and listens on ports 6051 and 6052.
From: Microsoft High-priority update
Subject: Security Update for OS Microsoft Windows
Dear Microsoft Customer,
Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millennium, Microsoft Windows XP, Microsoft Windows Vista.
Please notice that the present update applies to the high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend that you install this update.
Since public distribution of this Update through the official website http://www.microsoft.com would have resulted in efficient creation of malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.
As your computer is set to receive notifications when new updates are available, you have received this notice.
In order to start the update, please follow the step-by-step instruction:
1. Run the file that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.
If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.
We apologize for any inconvenience this back order may be causing you.
Director of Security Assurance
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
-----END PGP SIGNATURE-----
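As an added example that is not part of the original post, here is a small Python triage routine that flags the two traits of the message quoted above: an attachment named like a KB update (KB followed by six digits and .exe) and a PGP signature block that carries a Version: header but no armored signature data. The sample message is constructed to resemble the quoted one; the sender address is a placeholder.

```python
import re
from email import message_from_string

# Indicators taken from the write-up: the KB123456.exe attachment naming pattern
# and a signature block that contains armor headers but no actual signature.
# A real armored signature has base64 lines and a '=XXXX' CRC line after the headers.
KB_ATTACHMENT = re.compile(r"^KB\d{6}\.exe$", re.IGNORECASE)
PGP_BLOCK = re.compile(r"-----BEGIN PGP SIGNATURE-----(.*?)-----END PGP SIGNATURE-----", re.DOTALL)

def has_hollow_pgp_signature(text):
    """True if a PGP signature block is present but carries no armored data."""
    for block in PGP_BLOCK.findall(text):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        # 'Version: ...' and 'Comment: ...' are armor headers, not signature data.
        if not [l for l in lines if ":" not in l]:
            return True
    return False

def triage_message(raw):
    """Return the indicators found in one raw RFC 822 message string."""
    hits = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name and KB_ATTACHMENT.match(name):
            hits.append("attachment named like a KB update: " + name)
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            if has_hollow_pgp_signature(body):
                hits.append("PGP signature block with no signature data")
    return hits

# Constructed sample modelled on the message quoted above (not a real capture).
SAMPLE_MESSAGE = """\
From: Microsoft High-priority update <update@example.invalid>
Subject: Security Update for OS Microsoft Windows
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Microsoft Customer, please run the attached file.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
-----END PGP SIGNATURE-----
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="KB123456.exe"

--b1--
"""
```

Calling `triage_message(SAMPLE_MESSAGE)` returns both indicators; a message with a genuine armored signature and no KB-style attachment returns an empty list.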
While I'm on the subject of malware, we've been seeing the "Statement of Fees" malware campaign since August. However, in the past few hours there was a change to the payload being delivered, so the latest variant is more likely to be missed by AV software and end up in your inbox. The Trojan downloader installs AV XP 2008.
Subject: Statement of fees 2008/09
Please find attached a statement of fees as requested, this will be
The accommodation is dealt with by another section and I have passed
your request on to them today.