[FARC] Just in Time for Halloween - Another Windows Worm
Bob Moroney
windbrkr at erols.com
Thu Oct 30 12:48:51 EST 2008
OK Scott, thanks for filling us in. I think that Backdoor/Haxdoor virus
has been around for a few years, so if the info you sent is current, it
sounds like someone is recycling it.
The one I was referring to is a few weeks old, and I'm not sure what
it's called. The MS patch KB958644 apparently plugs a hole in a server
port that has been the target of a number of different attacks, so there
may not be a single name for the virus yet.
Anyway, it's always good to be wary of emails containing executables, as
your attachment says, unless you know who they're coming from (perhaps
even then).
73, Bob K9CMR
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scott Galbraith wrote:
> Bob, et al, I had to get another copy of the message I was referring to
> from my sister, who works in DHS. (I had deleted her original since
> the few windoze machines I have cursed myself with are isolated from
> the outside world.)
> Here's the warning:
> Subject: Microsoft "Patch Tuesday" email is a hoax...and a trojan
>
> Microsoft "Patch Tuesday" email is a hoax...and a trojan
> Windows 2000, Windows XP and Windows Vista
> <http://thundercloud.net/infoave/answers/2008/patch-tuesday.htm>
>
> Once again criminals and miscreants are banking on uninformed Windows
> users to help spread a new Trojan by email. The email appears to be
> from Microsoft, and even claims to be digitally signed by Microsoft.
> This new email hoax includes a new twist - quoting a real Microsoft
> employee, Steve Lipner, in an attempt to add credibility to it.
>
> Premium readers are reminded that Microsoft never sends patches by
> email; they never have and they never will. In fact, no major company
> will ever send out a mass mailing with executable files (files that
> run when clicked) attached. If you receive an email that looks like it
> came from Microsoft with an attached file, delete the email immediately.
>
> Sometimes, even though we know better, we get tired, or pre-occupied,
> and don't think things through before we do things. So even the
> well-informed can get stung by hoaxes like these. That's why it's
> important that we remind you that this email is being sent by the
> millions - so the likelihood that you'll see it soon is high.
>
> Here is more information from a Microsoft source:
>
> “We received some questions from customers about an e-mail that’s
> circulating that claims to be a security e-mail from Microsoft. The
> e-mail comes with an attached executable, which it claims is the latest
> security update, and encourages the recipient to run the attached
> executable so they can be safe. While malicious e-mails posing as
> Microsoft security
> notifications with attached malware aren’t new (we’ve seen this
> problem for several years) this particular one is a bit different in
> that it claims to be signed by our own Steve Lipner and has what
> appears to be a PGP signature block attached to it. While those are
> clever attempts to increase the credibility of the mail, I can tell
> you categorically that this is not a legitimate e-mail: it is a piece
> of malicious spam and the attachment is malware. Specifically, it
> contains Backdoor:Win32/Haxdoor.
>
> Furthermore, this backdoor opens several TCP ports that allow remote
> attackers to connect to the compromised PC and execute files, steal
> information from it, or upload and download files. The attachment’s
> file name varies, but uses the convention(al) KBxxxxxx.exe, where
> xxxxxx is a random 6-digit number. Below are some of the file names
> we’ve seen, and are being used:
>
> KB199250.exe
> KB246586.exe
> KB535548.exe
> KB572906.exe
> KB763412.exe..."
>
> Those file names are typical Microsoft "KILOBYTE" (KB) file names. It
> does not matter of course; a file can be named anything the developer
> wants to name it. This is a very well planned and executed hoax - and
> one that is very dangerous to your computer - and your personal
> information. Be on your toes and remember - Microsoft never sends
> patches or executable files by email. Delete any email that appears to
> be from Microsoft which contains an attachment. You can be sure, no
> matter how authentic it may look, it is not from Microsoft.
>
> As we remind you almost every week - keep your anti-virus and
> anti-spyware updated frequently. An outdated anti-virus or anti-spyware
> program is almost as bad as not having any anti-spyware or anti-virus
> protection. Scan your computer at least once a week using a good online
> anti-virus scanner to ensure your anti-virus software is doing its job.
> Use common sense and always carefully consider opening any attachments
> that come via email. Unless you were expecting an attachment and you are
> 100% certain you know who it is from, do not open it. Forewarned is
> forearmed.
>
> Bob Moroney wrote:
>> Kirk,
>> Yes, the KB958644 is the MS patch for the worm and variants that have
>> been observed recently. Your anti virus program may also be looking
>> for signs of the worm, but apparently MS had to plug the hole that
>> the worm exploited to prevent an infection. Thus the patch.
>> I'm not sure what Scott was referring to, although there are plenty
>> of hoaxes out there, as a visit to snopes.com will confirm, if you
>> look under the "Computer" listing. There was a phishing hoax a few
>> years back that looked like an official Microsoft email that sucked
>> some folks in, similar to the ones you probably get every day from
>> various banks and credit unions.
>> 73, Bob K9CMR
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Kirk Talbott wrote:
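The two rules the quoted advisory states (mail claiming Microsoft origin that carries any attachment is a hoax; the attachment follows the KBxxxxxx.exe convention with six random digits) can be applied mechanically at a mail gateway. The following is an added example, not code from the thread or from the newsletter; the extension list beyond .exe and the 'MZ' header check are my own assumptions, and the sample messages are constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Observed convention from the advisory: KB followed by six digits, then .exe
KB_PATTERN = re.compile(r"kb\d{6}\.exe")
# Assumed list of executable extensions; the advisory itself names only .exe
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")


def claims_microsoft(msg: EmailMessage) -> bool:
    """True if the From header names Microsoft in its display name or domain."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return "microsoft" in name.lower() or domain.endswith("microsoft.com")


def triage(raw: bytes) -> list[str]:
    """Return the reasons a raw RFC 822 message should be quarantined ([] = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = list(msg.iter_attachments())
    reasons = []
    # Rule from the advisory: Microsoft never sends patches by email
    if claims_microsoft(msg) and attachments:
        reasons.append("claims Microsoft origin but carries an attachment")
    for part in attachments:
        name = (part.get_filename() or "").lower()
        if KB_PATTERN.fullmatch(name):
            reasons.append(f"{name}: matches the KBxxxxxx.exe naming convention")
        elif name.endswith(EXECUTABLE_EXTS):
            reasons.append(f"{name}: executable attachment")
        # Assumed extra check: a PE file ('MZ' header) hiding behind a harmless name
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ" and not name.endswith(EXECUTABLE_EXTS):
            reasons.append(f"{name or '<unnamed>'}: PE header under a non-executable name")
    return reasons


def build_sample(sender: str, filename: str, payload: bytes) -> bytes:
    """Constructed sample message for testing; not a real captured e-mail."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.org"
    msg["Subject"] = "Security update (constructed sample)"
    msg.set_content("Please run the attached update.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()
```

Feeding `build_sample('"Microsoft Security" <update@microsoft.com>', "KB199250.exe", b"MZ...")` to `triage()` yields both the Microsoft-origin and the naming-convention reasons, while a plain text attachment from an unrelated sender returns an empty list.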