Information Security News mailing list archives

New Trojan masquerades as Windows XP update


From: InfoSec News <isn () c4i org>
Date: Mon, 12 Jan 2004 02:14:22 -0600 (CST)

http://www.computerworld.com/securitytopics/security/story/0,10801,88940,00.html

Story by Paul Roberts
JANUARY 09, 2004 
IDG NEWS SERVICE 

Security companies are warning Internet users about a new Trojan horse
program spreading via spam e-mail and masquerading as a Windows XP
software update from Microsoft Corp.

The program, known as Xombe or Dloader-L, arrives as an executable
attachment in spam e-mail messages purporting to come from
windowsupdate () microsoft com and installs itself on victims' computers
when users open the attachment.

Once installed, Xombe connects to a Web site, then downloads and
installs another program, called Mssvc-A, which is a Trojan horse
program that conscripts victim computers in distributed
denial-of-service attacks against Web pages, according to antivirus
company Sophos PLC.

Xombe is considered a low risk by most antivirus companies, including
Sophos, Computer Associates International Inc. and Symantec Corp. The
program is not a worm or virus and can't make copies of itself.  
Instead, it is distributed via spam.

The spam messages read in part, "Window [sic] Update has determined
that you are running a beta version of Windows XP Service Pack 2. To
help improve the stability of your computer, Microsoft recommends that
you remove the beta version of Windows XP SP1."

Recipients are told to "run the file winxp_sp1.exe in attach [sic] and
make sure to restart your PC after installation," according to CA,
Sophos and others.

Sophos said it has received several reports of the Xombe Trojan
program from customers.

Antivirus companies offered updated virus definitions to spot Xombe
today and provided instructions on removing Trojan programs from
infected computers.

Microsoft frequently distributes security bulletins using e-mail but
never includes software updates as attachments, according to the
company's Web site.

Most Microsoft software updates are made available through the Windows
Update, Microsoft Office Update or the Microsoft Download Center, the
company said.



-
ISN is currently hosted by Attrition.org
