Security Bytes

Jun 8 2007   5:58AM GMT

Fake Microsoft security bulletin circulating

Leigha Cardwell

The folks at the SANS Internet Storm Center are warning of a fake Microsoft security bulletin that’s making the rounds. Here’s what it looks like:

Microsoft Security Bulletin MS06-4
Cumulative Security Update for Internet Explorer (113742734)
Published: June 3, 2007
Version: 1.0

Summary

Who should read this document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.

“Of course,” storm center handler Lenny Zeltser said, “the proper format for the bulletin number would be MS06-004, not MS06-4. Second, the number of a bulletin released in 2007 would start with MS07, not MS06.”
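The two tells Zeltser points out (bulletin numbers are zero-padded to three digits, and the two-digit year in the ID matches the year of publication) are simple enough to check mechanically. The following script is an added example, not from the original post or from the ISC; it parses the header of a bulletin-style message and reports those inconsistencies. The sample text is the fake bulletin quoted above, embedded as a constructed string, and the `check_bulletin` function name and the well-formed control sample are assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the header of the fake bulletin quoted in the post.
SAMPLE_FAKE_BULLETIN = """Microsoft Security Bulletin MS06-4
Cumulative Security Update for Internet Explorer (113742734)
Published: June 3, 2007
Version: 1.0
"""

# Constructed control sample whose ID format and year are internally consistent.
SAMPLE_WELL_FORMED = """Microsoft Security Bulletin MS07-004
Published: June 3, 2007
Version: 1.0
"""

# Genuine bulletin IDs have the shape MSYY-NNN: two-digit year, dash, three digits.
STRICT_ID = re.compile(r"^MS(\d{2})-(\d{3})$")
# Looser pattern so a malformed ID can still be located and reported on.
LOOSE_ID = re.compile(r"\bMS(\d{2})-(\d{1,4})\b")
PUBLISHED = re.compile(r"^Published:\s*(.+)$", re.MULTILINE)


def check_bulletin(text):
    """Return a list of reasons the bulletin header looks inconsistent.

    An empty list means the header passed these format checks; that is not
    proof of authenticity, only the absence of the obvious tells described
    in the post. Verify against the vendor's own site before acting on it.
    """
    findings = []
    m = LOOSE_ID.search(text)
    if not m:
        return ["no bulletin identifier found"]
    bulletin_id = m.group(0)
    if not STRICT_ID.match(bulletin_id):
        findings.append(
            "malformed bulletin number %r: expected MSYY-NNN (e.g. MS%s-%03d)"
            % (bulletin_id, m.group(1), int(m.group(2)))
        )
    id_year = 2000 + int(m.group(1))
    p = PUBLISHED.search(text)
    if not p:
        findings.append("no 'Published:' date in header")
    else:
        try:
            pub = datetime.strptime(p.group(1).strip(), "%B %d, %Y")
        except ValueError:
            findings.append("unparseable publication date %r" % p.group(1))
        else:
            if pub.year != id_year:
                findings.append(
                    "bulletin year %d does not match publication year %d"
                    % (id_year, pub.year)
                )
    return findings


if __name__ == "__main__":
    for label, sample in (("fake", SAMPLE_FAKE_BULLETIN), ("control", SAMPLE_WELL_FORMED)):
        print(label, check_bulletin(sample) or "no format inconsistencies found")
```

Run against the quoted fake, the script reports both of the problems Zeltser describes; the control sample passes. A mail-filtering pipeline could apply the same check to inbound messages claiming to be vendor bulletins and route the mismatches for review.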

He said the scheme is what people would expect: the message includes a link to what it claims is a patch for the issue. The file, hosted on a remote server, is called “updatems06.exe.” It is a UPX-packed executable that half of the antivirus engines available to VirusTotal recognize as malicious.

“The executable installs a malicious browser add-on (BHO) ‘down.dll’ on the victim’s system in C:\WINDOWS\system32,” he said. “Antivirus engines that recognize the BHO as malware identify it as Agent.avk (see the VirusTotal report). This seems to be a downloader that is also capable of spying on the user’s interactions with certain sites.”
