
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-03-16



No Microsoft patches are available at www.NOT-A-Microsoft-security-site.com

Published: 2004-03-16
Last Updated: 2004-03-17 04:19:37 UTC
by donald smith (Version: 1)
0 comment(s)
Erik van Straten reported receiving a spoofed email that led to a spoofed Microsoft site, which downloaded a trojan along with instructions to run it to "patch" your system. The site, www.microsoft-security-updates.com, is NOT a Microsoft site.
This gets redirected to http://d558597.u25.surftown.com/mstasks.exe
mstasks.exe is identified by Symantec/Norton AntiVirus beta definitions as "Trojan.Etsur".

Repeat after me: Unless you subscribe to their email security notification service, Microsoft's policy is not to send notification of vulnerabilities. They never send patches in email to users.

A new polymorphic virus has been reported by Network Associates.
W32/Polybot.gen!irc is a polymorphic variant of the W32/Gaobot worm. It encrypts itself, which may allow it to go undetected by antivirus software. Network Associates currently lists it as a low risk. It spreads through shares and can use the vulnerability described in Microsoft Security Bulletin MS03-026; ports 80, 135, 139, 445 and 593 are all possibly affected by that vulnerability. A new variant of this virus family has been discovered that uses the filename soundman.exe.

For Network Associates full writeup see:
http://vil.nai.com/vil/content/v_101100.htm

We received one report of a virus using a picture file format (bmp) to provide the password for its zip attachment. Several antivirus systems can pull the password out of the email text, decrypt the bagle.pwdzip zip file, and find the virus inside the password-protected zip. Using bitmaps or other image file formats makes it more difficult for antivirus vendors to extract the password. This password-in-a-picture method is the same idea other systems use to prevent automated abuse.
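The password-extraction step described above, as an added example that is not code from the diary or from any antivirus vendor: it builds a small archive encrypted with the traditional PKWARE (ZipCrypto) scheme so it runs offline, pulls candidate passwords out of the mail text the way those engines do, and reports an encrypted archive whose password is not in the text as suspicious, which is exactly what the picture trick leaves a scanner with. The entry name, payload and password are constructed sample values.

```python
import io, re, struct, zipfile, zlib

def _crc_step(crc, byte):  # one raw CRC-32 table step (no inversion), as ZipCrypto's key schedule does it
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
def zipcrypto_encrypt(plain, password, crc):
    """Traditional PKWARE 'ZipCrypto' encryption, 12-byte check header prepended."""
    keys = [0x12345678, 0x23456789, 0x34567890]
    def update(c):
        keys[0] = _crc_step(keys[0], c)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc_step(keys[2], keys[1] >> 24)
    def enc(c):
        k = keys[2] | 2
        out = c ^ (((k * (k ^ 1)) >> 8) & 0xFF)
        update(c)  # the key stream advances on the plaintext byte
        return out
    for c in password: update(c)
    header = bytes(11) + bytes([(crc >> 24) & 0xFF])  # byte 11 is what readers check the password against
    return bytes(enc(c) for c in header + plain)

def build_encrypted_zip(name, plain, password):
    """Single stored entry with the encryption flag (bit 0) set; a constructed stand-in for the mailed zip."""
    crc, nb = zlib.crc32(plain) & 0xFFFFFFFF, name.encode()
    data = zipcrypto_encrypt(plain, password, crc)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21, crc, len(data), len(plain), len(nb), 0) + nb
    cdir = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21, crc, len(data), len(plain), len(nb), 0, 0, 0, 0, 0, 0) + nb
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(cdir), len(local) + len(data), 0)
    return local + data + cdir + end

def candidate_passwords(body):
    """Every word on a body line that mentions 'password' is a candidate, digit-bearing words first."""
    words = [w for line in body.splitlines() if "password" in line.lower()
             for w in re.findall(r"[A-Za-z0-9]{3,16}", line)]
    return sorted(dict.fromkeys(words), key=lambda w: not any(ch.isdigit() for ch in w))

def assess(body, zip_bytes):
    """'plain': not encrypted; 'opened': a body password works; 'suspicious': encrypted, nothing in the text fits."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos, names = zf.infolist(), zf.namelist()
        if not any(i.flag_bits & 0x1 for i in infos):
            return ("plain", None, names)
        for pw in candidate_passwords(body):
            try:
                for i in infos:
                    zf.read(i, pwd=pw.encode())
                return ("opened", pw, names)
            except (RuntimeError, zipfile.BadZipFile):  # wrong check byte, or a 1-in-256 CRC miss
                continue
    return ("suspicious", None, names)  # e.g. the password was delivered as a picture, not as text
# Constructed sample mail: harmless payload, text-delivered password (the case AV engines already handle).
ARCHIVE = build_encrypted_zip("payload.exe", b"MZ not a real executable", b"12984")
TEXT_BODY = "Attached is the update. For security reasons it is password protected. Password: 12984"
```

A body that only says "the password is in the attached picture" yields no usable candidate, so the same archive comes back as suspicious rather than opened.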