
SANS ISC: No microsoft patches are available at - SANS Internet Storm Center SANS ISC InfoSec Forums

No microsoft patches are available at
Erik van Straten reported receiving a spoofed email that led to a spoofed Microsoft site that downloaded a trojan with instructions to run it to patch your system. The site name is is NOT a Microsoft site.
This gets redirected to
mstasks.exe is identified by Symantec/Norton AntiVirus beta definitions as "Trojan.Etsur".

Repeat after me: Unless you subscribe to their email security notification service, Microsoft's policy is not to send notification of vulnerabilities. They never send patches in email to users.

A new polymorphic virus has been reported by Network Associates.
W32/Polybot.gen!irc is a polymorphic variant of the W32/Gaobot worm. It encrypts itself, which may allow it to go undetected by antivirus software. Currently NA lists it as a low risk. It spreads through shares and can use vulnerabilities described in Microsoft Security Bulletins MS03-026. Ports 80, 135, 139, 445 or 593 are all possibly affected by that vulnerability. A new variant of this virus family has been discovered that uses the filename soundman.exe.

For Network Associates' full writeup see:

We received one report of a virus using a picture file format (bmp) to provide the password. Several antivirus systems include the ability to pull passwords out of email text and decrypt the bagle.pwdzip zip file, finding the virus in a passworded zip. Using bitmaps or other image file formats will make it more difficult for antivirus vendors to extract the password. This password-in-a-picture method has been used by other systems to prevent automated abuse.
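The gateway-side check described above, as an added example (not code from this diary or from any antivirus product): try every word in the message text as the zip password, and quarantine the message when none opens the archive, which is the case a password delivered as a picture produces. The function names, the word pattern and the sample message are assumptions; the sample zip is constructed and only has its "encrypted" flag bit set.

```python
import io, re, zipfile, zlib
from email.message import EmailMessage

def text_candidates(msg):
    """Password candidates a gateway can pull from the text parts of a message."""
    words = set()
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            words.update(re.findall(r"[A-Za-z0-9]{4,16}", part.get_content()))
    return sorted(words)

def triage(msg):
    """Return (verdict, detail) for the first .zip attachment in msg."""
    has_image = any(p.get_content_maintype() == "image" for p in msg.walk())
    for part in msg.walk():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        locked = [zi for zi in zf.infolist() if zi.flag_bits & 0x1]  # bit 0 = encrypted
        if not locked:
            return "scan", zf.namelist()
        for pw in text_candidates(msg):
            try:
                zf.read(locked[0], pwd=pw.encode())
                return "scan", pw  # archive opened: contents can go to the AV engine
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                continue  # wrong password, try the next word
        # No word from the text opened it: the engine cannot see inside.
        reason = "password may be in image" if has_image else "no password in text"
        return "quarantine", reason
    return "pass", None

def sample(encrypted):
    """Constructed message: text body, a .bmp and a .zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("update.exe", b"constructed placeholder bytes, not malware")
    raw = bytearray(buf.getvalue())
    if encrypted:  # assumption: only the flag bit is set, data is not really encrypted
        raw[raw.rfind(b"PK\x01\x02") + 8] |= 0x1
    msg = EmailMessage()
    msg.set_content("Please open the attached file, password is in the picture")
    msg.add_attachment(b"BM" + bytes(52), maintype="image", subtype="bmp", filename="pw.bmp")
    msg.add_attachment(bytes(raw), maintype="application", subtype="zip", filename="fix.zip")
    return msg

if __name__ == "__main__":
    print(triage(sample(encrypted=True)))
    print(triage(sample(encrypted=False)))
```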

Mar 17th 2004
