SANS ISC: Link to 'a new Microsoft patch' being spammed SANS ISC InfoSec Forums

Link to 'a new Microsoft patch' being spammed
We've received samples of an e-mail which is being actively spammed at the moment. The e-mail purports to be from Microsoft and it is notifying the recipient of "a new vulnerability [that] has been discovered in the Microsoft WinLogon Service". It further states that the vulnerability can allow an attacker access to the unpatched system.

Of course, the user is advised to install the patch which can be downloaded from the included link.

Because the e-mail body is an HTML message, the displayed link is not where the user will really be sent. The actual target is:

http:// [REMOVED] / winlogon_patchV1.12.exe
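
The mismatch described above, between the link text an HTML message shows and the href it actually follows, can be checked mechanically. The following Python is an added example, not part of the original diary or of any ISC tooling; the names LinkAuditor, host_of and audit are hypothetical, and the sample message and its host names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")

class LinkAuditor(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    # Link text such as "www.example.com/x" has no scheme; add one so urlparse finds the host.
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def audit(html_body):
    # Returns a list of (displayed text, href, reasons) for suspicious links.
    parser = LinkAuditor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        reasons = []
        looks_like_url = text.lower().startswith(("http://", "https://", "www."))
        if looks_like_url and host_of(text) != host_of(href):
            reasons.append("displayed host differs from href host")
        if urlparse(href).path.lower().endswith(EXECUTABLE_EXT):
            reasons.append("href points to an executable")
        if reasons:
            findings.append((text, href, reasons))
    return findings

# Constructed sample body; both hosts are placeholders on reserved names.
SAMPLE = ('<p>Install the patch: <a href="http://download.invalid/winlogon_patchV1.12.exe">'
          'http://www.vendor.example/security/patch</a></p>'
          '<p><a href="http://www.vendor.example/help">http://www.vendor.example/help</a></p>')

if __name__ == "__main__":
    for text, href, reasons in audit(SAMPLE):
        print(f"{text!r} -> {href!r}: {', '.join(reasons)}")
```

Only links whose visible text itself looks like a URL are compared by host, so ordinary "click here" anchors are not flagged unless they point to an executable.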

At the time this diary was written, the site was still up and serving malware. AV detection, although better than the first time we tried it, is still pretty bad. Only 8 products from VirusTotal detected this:

Product      Version   Date         Detection
AntiVir      -         05.29.2006   Heuristic/Crypted.Modified
BitDefender  7.2       05.30.2006   Trojan.BeastPWS.C
Kaspersky    -         05.30.2006   Trojan-Spy.Win32.Delf.jq
NOD32v2      1.1566    05.30.2006   Win32/Spy.Delf.NBR
Panda        -         05.29.2006   Suspicious file
Sophos       4.05.0    05.30.2006   Troj/BeastPWS-C
Symantec     8.0       05.30.2006   Infostealer

Does all this sound familiar? Sure, it's (almost) the same story that the Swen worm (or Gibe.F) tried to "sell" to the users. Hopefully this one will not come close to doing what Swen did.

May 30th 2006