Dailydave mailing list archives

Microsoft fix distribution opening up holes for spreading trojans?


From: Robert Wesley McGrew <wesleymcgrew () gmail com>
Date: Tue, 9 Aug 2005 14:04:15 -0500

I'm posting this to see if anybody has run into it before as part of
dealing with Microsoft support, or can spot the maliciousness in this
process.  I am not a Windows expert, nor have I dealt with how
communications with Microsoft support personnel usually go, so maybe
someone else has some better insight.

A friend working on a laptop computer to fix some DLL warnings,
spyware, etc. found a printed email in the laptop bag that immediately
raised some alarms.  She showed it to me today when I dropped by for a
visit to see what my take would be, and I almost immediately decided
"scam!" and proceeded to read through and try to point out where
things get suspicious/malicious.  The thing is, we never could figure
out what exactly the scam/malware would be if it was, in fact, not
legitimate.

It appears to be a response from a "Microsoft Windows Update Support
Professional" recommending that user should go log into a yahoo email
account apparently owned by the "Support Professional" to download a
registry file to fix a problem with Windows Media Player.  How weird
is that?

The email was no longer on the laptop, so I am typing this up from the
printout found in the laptop bag (I wish it had headers :( ),
obfuscating any identifying information as I go:

----begin weird email----
From:    "Compass Rule Manager" <comprule () microsoft com>
To:        <xxxxx () xxxxx xxx>
Sent:     Monday, July 25, 2005  2:58 AM
Subject: "Regarding Case Number SRXXXXXXXXXXXXX"

FR: COMPMAIL () MICROSOFT COM

******* The following is an email for a support case from Microsoft Corp.
******* DO NOT REPLY TO THIS MESSAGE--your email will not be added to
******* the case if you do.  Instead, FORWARD your response to the
******* email address COMPMAIL () MICROSOFT COM and place your text after
******* the keyword 'MESSAGE:'.  Also, delete all other text above
******* and below the keywords 'CASE_ID_NUM: SRnnn' and 'MESSAGE:'
******* to ensure proper delivery of your email.  Thank you.

CASE_ID_NUM: SRXXXXXXXXXXXXX
MESSAGE:
********************** The message for you follows **********************

Dear xxxxx,

Thank you very much for your update.  I appreciate you letting me know
at what point you are experiencing difficulty.

At this time, I have provided another method to resolve this issue. 
Here are the detailed steps:

Step One:

1. Open Internet Explorer and go to the website http://mail.yahoo.com
2. Logon to the Yahoo mail system using the following account.

Yahoo! ID: xxxxxx () yahoo com <mailto:xxxxxx () yahoo com>
Password:  123456

3. Click "Check Mail" to find the only email.  The subject is "Fix for
KB828026".
4. Click this email for "Fix for KB828026".
5. You will see "Plain Text Attachment" and "Download File"
6. Click "Download File" to save this attachment to the desktop.

Step Two:

1. Locate and right click on the downloaded file and choose Rename. 
Please the name 828026.reg and press Enter to rename the file to
828026.reg
2. Click on Start->click Run.  Type in "regedit" (without quotation
marks) and click OK
3. On the Menu bar, click on "Registry" and choose "Import Registry File.."
4. Please locate the "828026.reg" file and double click on it.

After finishing the above steps, please check if this issue has been
resolved.  Please let me know the results at your earliest
convenience.  If anything in my email is unclear or you need further
help, don't hesitate to let me know.

I am looking forward to hearing from you.

Best Regards,

xxxxx xxxxx

xxxxxx () mssupport microsoft com
Microsoft Windows Update Support Professional
 
----end weird email----

The yahoo account is still active.  The described email was sitting
there, in the account, sent from the same account, with an originating
ip that whois indicates belongs to "shanghai branch of China Netcom",
which is strange (outsourced support, we guess?).  The attached file
"828026.re_" (guess you can't attach a .reg and get through filters),
is as follows

----begin 828026.re_----
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm828026]
"Description"="Windows Media Update 828026"
"Locale"="ENU"
"IsInstalled"=dword:00000001
"BuildDate"="09/17/03"
"PlayerVersion"="9"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm828026\FileList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm828026\FileList\File1]
"FileName"="msdxm.ocx"
"Version"="6.4.7.1128"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm828026\FileList\File2]
"FileName"="wmp.dll"
"Version"="9.0.0.3075"
----end 828026.re_----

Nothing seems to be unusual here, though I'm no registry guru.  Just
seems to be setting some version numbers for files that should already
be on the system.  Doesn't appear to be malicious in any way.

Much scratching of heads...  thought maybe once malicious code was
downloaded from the email account, the evildoer might have gone back
in and replaced it with the above "legit" .reg.  That didn't make
sense: we found the above reg on the laptop, so that's what they got
from the account, likely, and the email containing the reg file was
dated June 16th.   The account's profile provided no information other
than the date of last change (likely the date the account was
created): March 16th.

The only thing we can think of, is that someone in outsourced
Microsoft support has taken it upon themselves to use a yahoo email
account they have created as a file drop to distribute fixes to
customers.  I'm sure this isn't Microsoft's policy.  It doesn't take a
lot of imagination to see how someone malicious could use the same
technique to get a user to download malware.

Anybody else seen anything like this?  Or other examples of tech
support undoing user education/awareness?

-- 
Robert Wesley McGrew
http://cse.msstate.edu/~rwm8/
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
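The post leaves open how one would tell a harmless .reg file like the one above, which only writes version strings, from one that also does something worth worrying about. The following Python script is an added example and is not part of the original post or of any Microsoft tooling: it parses the REGEDIT4 / "Windows Registry Editor Version 5.00" text format, lists every key the file would create or delete, and flags keys under a short list of well-known autostart locations as well as string values that point at an executable. The first sample is the 828026.re_ file quoted in the post (with its wrapped key names rejoined); the second is a constructed counter-example with a placeholder path, not anything found on the laptop.

```python
"""Triage a Windows .reg file before importing it (added example, not from the original
post): parse REGEDIT4 / "Windows Registry Editor Version 5.00" text, list the keys it
creates or deletes, flag autostart paths. Input is str (5.00 exports are UTF-16 on disk)."""
import re
from dataclasses import dataclass, field

# The 828026.re_ file quoted in the post, with its wrapped key names rejoined.
REG_FROM_POST = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm828026]
"Description"="Windows Media Update 828026"
"Locale"="ENU"
"IsInstalled"=dword:00000001
"BuildDate"="09/17/03"
"PlayerVersion"="9"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm828026\FileList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm828026\FileList\File1]
"FileName"="msdxm.ocx"
"Version"="6.4.7.1128"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm828026\FileList\File2]
"FileName"="wmp.dll"
"Version"="9.0.0.3075"
"""

# Constructed counter-example: the same "update" key plus a logon autostart entry.
REG_CONSTRUCTED_SUSPICIOUS = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm828026]
"Description"="Windows Media Update 828026"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WmUpdate"="C:\\placeholder\\update.exe"
"""

# Well-known autostart / execution-hijack paths (lower-case substring match; not exhaustive).
AUTOSTART_MARKERS = (
    r"\software\microsoft\windows\currentversion\run",  # also covers RunOnce
    r"\software\microsoft\windows nt\currentversion\winlogon",
    r"\system\currentcontrolset\services",
)
EXECUTABLE_PATH = re.compile(r"[\\/][^\\/]*\.(exe|dll|bat|cmd|vbs|js|scr|ps1)$", re.I)
_HEADER = re.compile(r"^(REGEDIT4|Windows Registry Editor Version 5\.00)\s*$")
_KEY = re.compile(r"^\[(-?)(.+)\]$")                       # "[-KEY]" deletes the key
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=... or @=... (default)

@dataclass
class RegKey:
    path: str
    delete: bool = False
    values: dict = field(default_factory=dict)  # name -> (type, python value)

def decode_value(rhs):
    """Decode the right-hand side of a value line into (type, python value)."""
    if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':      # "string" with \\ and \" escapes
        return ("REG_SZ", rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    if rhs.lower().startswith("dword:"):
        return ("REG_DWORD", int(rhs[6:], 16))
    if rhs.lower().startswith("hex"):                            # hex: or hex(N): byte list
        kind, _, data = rhs.partition(":")
        return (kind.upper(), bytes(int(b, 16) for b in data.split(",") if b.strip()))
    if rhs == "-":
        return ("DELETE", None)
    raise ValueError(f"unknown value syntax: {rhs!r}")

def parse_reg(text):
    """Return the RegKey entries of a .reg file; raise ValueError on bad syntax."""
    lines = text.splitlines()
    if not lines or not _HEADER.match(lines[0]):
        raise ValueError("missing REGEDIT4 / 5.00 header")
    keys, current, pending = [], None, ""
    for raw in lines[1:]:
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";"):
            continue
        if "=hex" in line.lower() and line.endswith("\\"):      # hex data continues on next line
            pending = line[:-1]
            continue
        if (m := _KEY.match(line)):
            current = RegKey(path=m.group(2), delete=(m.group(1) == "-"))
            keys.append(current)
            continue
        m = _VALUE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparseable line: {raw!r}")
        current.values[m.group(1) if m.group(1) is not None else "@"] = decode_value(m.group(2))
    return keys

def triage(text):
    """Return (keys, findings); an empty findings list means nothing was flagged."""
    keys, findings = parse_reg(text), []
    for k in keys:
        low = k.path.lower()
        if k.delete:
            findings.append(f"deletes key {k.path}")
        if any(marker in low for marker in AUTOSTART_MARKERS):
            findings.append(f"writes autostart location {k.path}")
        for name, (vtype, val) in k.values.items():
            if vtype == "REG_SZ" and EXECUTABLE_PATH.search(val):
                findings.append(f"value {k.path}\\{name} points at executable {val}")
    return keys, findings
```

Calling `triage(REG_FROM_POST)` returns four keys and no findings, which matches the post's reading that the file only records version strings under an Updates key; `triage(REG_CONSTRUCTED_SUSPICIOUS)` is flagged twice, once for the Run key and once for the executable path its value names. The marker list is a deliberately short starting point, and a clean triage result says nothing about whether the file actually fixes anything.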