[FARC] Just in Time for Halloween - Another Windows Worm
Scott Galbraith
scottg at n3ok.com
Thu Oct 30 09:52:41 EST 2008
Bob, et al, I had to get another copy of the message I was referring to
from my sister, who works in DHS. (I had deleted her original since the
few windoze machines I have cursed myself with are isolated from the
outside world.)
Here's the warning:
Subject: Microsoft "Patch Tuesday" email is a hoax...and a trojan
Microsoft "Patch Tuesday" email is a hoax...and a trojan
Windows 2000, Windows XP and Windows Vista
<http://thundercloud.net/infoave/answers/2008/patch-tuesday.htm>
Once again criminals and miscreants are banking on uninformed Windows
users to help spread a new Trojan by email. The email appears to be from
Microsoft, and even claims to be digitally signed by Microsoft. This new
email hoax includes a new twist - quoting a real Microsoft employee,
Steve Lipner, in an attempt to add credibility to it.
Premium readers are reminded that Microsoft never sends patches by
email; they never have and they never will. In fact, no major company
will ever send out a mass mailing with executable files (files that run
when clicked) attached. If you receive an email that looks like it came
from Microsoft with an attached file, delete the email immediately.
Sometimes, even though we know better, we get tired, or pre-occupied,
and don't think things though before we do things. So even the
well-informed can get stung by hoaxes like these. That's why it's
important that we remind you that this email is being sent by the
millions - so the likelihood that you'll see it soon is high.
Here is more information from a Microsoft source:
“We received some questions from customers about an e-mail that’s
circulating that claims to be a security e-mail from Microsoft. The
e-mail comes with an attached executable, which it claims is the latest
security update, and encourages the recipient to run the attached
executable so they can be safe. While malicious e-mails posing as
Microsoft security notifications
with attached malware aren’t new (we’ve seen this problem for several
years) this particular one is a bit different in that it claims to be
signed by our own Steve Lipner and has what appears to be a PGP
signature block attached to it. While those are clever attempts to
increase the credibility of the mail, I can tell you categorically that
this is not a legitimate e-mail: it is a piece of malicious spam and the
attachment is malware. Specifically, it contains Backdoor:Win32/Haxdoor.
Furthermore, this backdoor opens several TCP ports that allow remote
attackers to connect to the compromised PC and execute files, steal
information from it, or upload and download files. The attachment’s file
name varies, but uses the convention(al) KBxxxxxx.exe, where xxxxxx is a
random 6-digit number. Below are some of the file names we’ve seen, and
are being used:
KB199250.exe
KB246586.exe
KB535548.exe
KB572906.exe
KB763412.exe..."
Those file names are typical Microsoft "KILOBYTE" (KB) file names. It
does not matter of course; a file can be named anything the developer
wants to name it. This is a very well planned and executed hoax - and
one that is very dangerous to your computer - and your personal
information. Be on your toes and remember - Microsoft never sends
patches or executable files by email. Delete any email that appears to
be from Microsoft which contains an attachment. You can be sure, no
matter how authentic it may look, it is not from Microsoft.
As we remind you almost every week - keep your anti-virus and
anti-spyware updated frequently. An outdated anti-virus or anti-spyware
program is almost as bad as not having any anti-spyware or anti-virus
protection. Scan your computer at least once a week using a good online
anti-virus scanner to ensure your anti-virus software is doing its job.
Use common sense and always carefully consider opening any attachments
that come via email. Unless you were expecting an attachment and you are
100% certain you know who it is from, do not open it. Forewarned is
forearmed.
Bob Moroney wrote:
> Kirk,
> Yes, the KB958644 is the MS patch for the worm and variants that have
> been observed recently. Your anti virus program may also be looking
> for signs of the worm, but apparently MS had to plug the hole that the
> worm exploited to prevent an infection. Thus the patch.
> I'm not sure what Scott was referring to, although there are plenty of
> hoaxes out there, as a visit to snopes.com will confirm, if you look
> under the "Computer" listing. There was a phishing hoax a few years
> back that looked like an official Microsoft email that sucked some
> folks in, similar to the ones you probably get every day from various
> banks and credit unions.
> 73, Bob K9CMR
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Kirk Talbott wrote:
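As an added example (not part of this thread or of the quoted newsletter), a small Python triage script that flags a message carrying the indicators the newsletter describes: a sender claiming to be Microsoft, an executable attachment, the KBxxxxxx.exe naming convention, and an inline PGP signature block. The .eml content, subject line and attachment bytes are constructed here for illustration.

```python
import email
import re
from email import policy

# Constructed sample mirroring the hoax described in the newsletter (not a real capture).
SAMPLE_EML = b"""From: Microsoft Security <security@microsoft.com>
To: user@example.invalid
Subject: Security Update for Microsoft Windows
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please run the attached update. Signed, Steve Lipner
-----BEGIN PGP SIGNATURE-----
(placeholder, not a real signature)
-----END PGP SIGNATURE-----
--b1
Content-Type: application/octet-stream; name="KB535548.exe"
Content-Disposition: attachment; filename="KB535548.exe"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

KB_EXE = re.compile(r"^KB\d{6}\.exe$", re.IGNORECASE)   # naming convention from the newsletter
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".pif")      # attachment types that run when clicked

def assess(raw: bytes) -> dict:
    """Return a verdict and the list of indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if "microsoft" in (msg.get("From") or "").lower():
        findings.append("claims-microsoft-sender")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(EXEC_EXT):
            findings.append("executable-attachment:" + name)
        if KB_EXE.match(name):
            findings.append("kb-name-pattern:" + name)
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and "BEGIN PGP SIGNATURE" in body.get_content():
        findings.append("inline-pgp-block")
    # Per the newsletter, Microsoft never mails executables: sender claim + executable = suspect.
    suspect = "claims-microsoft-sender" in findings and any(
        f.startswith("executable-attachment") for f in findings)
    return {"verdict": "suspect" if suspect else "ok", "findings": findings}
```

The PGP block and KB-style name are recorded as supporting indicators only; the verdict rests on the rule the newsletter states, an executable attachment from a sender claiming to be Microsoft.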