Dailydave mailing list archives
Microsoft fix distribution opening up holes for spreading trojans?
From: Robert Wesley McGrew <wesleymcgrew () gmail com>
Date: Tue, 9 Aug 2005 14:04:15 -0500
I'm posting this to see if anybody has run into it before as part of dealing with Microsoft support, or can spot the maliciousness in this process. I am not a Windows expert, nor have I dealt with how communications with Microsoft support personnel usually go, so maybe someone else has some better insight.

A friend working on a laptop computer to fix some DLL warnings, spyware, etc. found a printed email in the laptop bag that immediately raised some alarms. She showed it to me today when I dropped by for a visit to see what my take would be, and I almost immediately decided "scam!" and proceeded to read through and try to point out where things get suspicious/malicious. The thing is, we never could figure out what exactly the scam/malware would be if it was, in fact, not legitimate.

It appears to be a response from a "Microsoft Windows Update Support Professional" recommending that the user should go log into a Yahoo email account apparently owned by the "Support Professional" to download a registry file to fix a problem with Windows Media Player. How weird is that?

The email was no longer on the laptop, so I am typing this up from the printout found in the laptop bag (I wish it had headers :( ), obfuscating any identifying information as I go:

----begin weird email----
From: "Compass Rule Manager" <comprule () microsoft com>
To: <xxxxx () xxxxx xxx>
Sent: Monday, July 25, 2005 2:58 AM
Subject: "Regarding Case Number SRXXXXXXXXXXXXX"

FR: COMPMAIL () MICROSOFT COM

******* The following is an email for a support case from Microsoft Corp.
******* DO NOT REPLY TO THIS MESSAGE--your email will not be added to
******* the case if you do. Instead, FORWARD your response to the
******* email address COMPMAIL () MICROSOFT COM and place your text after
******* the keyword 'MESSAGE:'. Also, delete all other text above
******* and below the keywords 'CASE_ID_NUM: SRnnn' and 'MESSAGE:'
******* to ensure proper delivery of your email. Thank you.

CASE_ID_NUM: SRXXXXXXXXXXXXX
MESSAGE:
********************** The message for you follows **********************

Dear xxxxx,

Thank you very much for your update. I appreciate you letting me know at what point you are experiencing difficulty. At this time, I have provided another method to resolve this issue. Here are the detailed steps:

Step One:
1. Open Internet Explorer and go to the website http://mail.yahoo.com
2. Logon to the Yahoo mail system using the following account.
   Yahoo! ID: xxxxxx () yahoo com <mailto:xxxxxx () yahoo com>
   Password: 123456
3. Click "Check Mail" to find the only email. The subject is "Fix for KB828026".
4. Click this email for "Fix for KB828026".
5. You will see "Plain Text Attachment" and "Download File"
6. Click "Download File" to save this attachment to the desktop.

Step Two:
1. Locate and right click on the downloaded file and choose Rename. Please the name 828026.reg and press Enter to rename the file to 828026.reg
2. Click on Start->click Run. Type in "regedit" (without quotation marks) and click OK
3. On the Menu bar, click on "Registry" and choose "Import Registry File.."
4. Please locate the "828026.reg" file and double click on it.

After finishing the above steps, please check if this issue has been resolved. Please let me know the results at your earliest convenience. If anything in my email is unclear or you need further help, don't hesitate to let me know. I am looking forward to hearing from you.

Best Regards,
xxxxx xxxxx
xxxxxx () mssupport microsoft com
Microsoft Windows Update Support Professional
----end weird email----

The Yahoo account is still active. The described email was sitting there, in the account, sent from the same account, with an originating IP that whois indicates belongs to "shanghai branch of China Netcom", which is strange (outsourced support, we guess?).

The attached file "828026.re_" (guess you can't attach a .reg and get through filters) is as follows:

----begin 828026.re_----
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm828026]
"Description"="Windows Media Update 828026"
"Locale"="ENU"
"IsInstalled"=dword:00000001
"BuildDate"="09/17/03"
"PlayerVersion"="9"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm828026\FileList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm828026\FileList\File1]
"FileName"="msdxm.ocx"
"Version"="6.4.7.1128"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm828026\FileList\File2]
"FileName"="wmp.dll"
"Version"="9.0.0.3075"
----end 828026.re_----

Nothing seems to be unusual here, though I'm no registry guru. It just seems to be setting some version numbers for files that should already be on the system. It doesn't appear to be malicious in any way.

Much scratching of heads... We thought maybe once malicious code was downloaded from the email account, the evildoer might have gone back in and replaced it with the above "legit" .reg. That didn't make sense: we found the above .reg on the laptop, so that's likely what they got from the account, and the email containing the .reg file was dated June 16th. The account's profile provided no information other than the date of last change (likely the date the account was created): March 16th.

The only thing we can think of is that someone in outsourced Microsoft support has taken it upon themselves to use a Yahoo email account they have created as a file drop to distribute fixes to customers. I'm sure this isn't Microsoft's policy. It doesn't take a lot of imagination to see how someone malicious could use the same technique to get a user to download malware.

Anybody else seen anything like this? Or other examples of tech support undoing user education/awareness?
--
Robert Wesley McGrew
http://cse.msstate.edu/~rwm8/

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
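The post's author reviewed the .reg file by eye before concluding it only sets version strings. The following is an added example, not part of the original post or of any Microsoft tooling, that does the same review mechanically: it parses a REGEDIT4-format file into keys and values and flags any key that deletes data or lands in a well-known autostart/hijack location (Run, RunOnce, Winlogon Shell/Userinit, Image File Execution Options, Browser Helper Objects, Policies). The first sample input is the .reg file quoted above; the second is a constructed counter-example (the `wmupdate` Run entry and the `SomeAV` uninstall key are invented for illustration) showing what the same header would look like wrapped around a persistence entry. The list of sensitive locations is an illustrative starting point, not an exhaustive one.

```python
import re

# Sample input 1: the .reg file quoted in the post, verbatim.
POSTED_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm828026]
"Description"="Windows Media Update 828026"
"Locale"="ENU"
"IsInstalled"=dword:00000001
"BuildDate"="09/17/03"
"PlayerVersion"="9"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm828026\FileList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm828026\FileList\File1]
"FileName"="msdxm.ocx"
"Version"="6.4.7.1128"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm828026\FileList\File2]
"FileName"="wmp.dll"
"Version"="9.0.0.3075"
"""

# Sample input 2: a CONSTRUCTED counter-example (not from the post). Same
# header and cover key, plus a logon-time Run entry and a key deletion.
CONSTRUCTED_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm828026]
"Description"="Windows Media Update 828026"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wmupdate"="C:\\WINDOWS\\Temp\\828026.exe"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SomeAV]
"""

# Registry locations a "fix" should not be touching without explanation.
# Illustrative, not exhaustive: autostart points and execution hijack points.
SUSPICIOUS_KEY_FRAGMENTS = (
    r"\currentversion\run",
    r"\currentversion\runonce",
    r"\winlogon\shell",
    r"\winlogon\userinit",
    r"\image file execution options",
    r"\browser helper objects",
    r"\currentversion\policies",
)

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")             # [path] or [-path] (delete)
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')  # "name"=data or @=data


def parse_reg(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor Version 5.00' file.

    Returns a list of (key_path, delete_flag, {value_name: raw_data}).
    Data is kept as the raw right-hand side ("...", dword:..., hex:...),
    which is what a reviewer needs to see; it is not decoded.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("missing .reg header")
    keys = []
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = (m.group(2), m.group(1) == "-", {})
            keys.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1).strip('"')
            current[2][name] = m.group(2)
            continue
        raise ValueError("unparsed line: %r" % raw)
    return keys


def review_reg(text):
    """Return one finding string per key that deletes data or writes to a
    location in SUSPICIOUS_KEY_FRAGMENTS. An empty list means nothing in
    the illustrative list matched, not that the file is harmless."""
    findings = []
    for path, delete, values in parse_reg(text):
        low = path.lower()
        if delete:
            findings.append("deletes key: " + path)
        for frag in SUSPICIOUS_KEY_FRAGMENTS:
            if frag in low:
                findings.append("writes autostart/hijack location: %s %s" % (path, values))
                break
    return findings


if __name__ == "__main__":
    for label, sample in (("posted", POSTED_REG), ("constructed", CONSTRUCTED_REG)):
        print(label, "->", review_reg(sample) or "no flagged keys")
```

Running it on the posted file yields no flagged keys, which matches the author's manual reading; the constructed file yields two findings. Note that the parser intentionally refuses files without a recognised header and raises on any line it cannot classify, so a file padded with oddities fails loudly rather than being half-reviewed.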
Current thread:
- Microsoft fix distribution opening up holes for spreading trojans? Robert Wesley McGrew (Aug 09)
- Re: Microsoft fix distribution opening up holes for spreading trojans? Robert Wesley McGrew (Aug 11)