NOW READ THIS
("Security Advisory")



Submitted by: Bill Hickey
NCVA List Master

NRT-0115 Phony Internet Explorer download contains worm:


IT security firm Sophos has warned email users of a widespread malicious attack that poses as an invitation from Microsoft to download a beta version of Internet Explorer 7.0, according to an online Sophos press release. The emails, which claim to come from admin@microsoft.com and have the subject line "Internet Explorer 7 Downloads", display an image that invites users to download beta 2 of Internet Explorer 7. However, users who click on the image will download a file called IE7.0.exe which is infected by the W32/Grum-A worm.

"The problem is that to the casual observer, the email LOOKS genuine, and the image displayed looks near-identical to the imagery that Microsoft is using on its web site to promote Internet Explorer 7.0," said Sophos.

The Grum worm is an appender virus that infects executable files referenced by Run keys in the Windows Registry, according to the report. When run, it copies itself to <Temp>/winlogon.exe and makes changes to the Registry. It also edits the HOSTS file, injects a thread into system.dll, and attempts to patch the system files ntdll.dll and kernel32.dll.
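A defender-side check for the <Temp>/winlogon.exe copy described above, given as an added example that is not part of the Sophos report or this advisory: it flags any process image named winlogon.exe that runs from outside the system directory. The event records are constructed, the function names are hypothetical, and treating C:\Windows\System32 as the only legitimate location is an assumption.

```python
import ntpath

# Assumption: a default install, where the genuine winlogon.exe exists only here.
SYSTEM_DIR = r"C:\Windows\System32"
WATCHED_NAMES = {"winlogon.exe"}          # name the advisory says the worm reuses
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")    # path fragments typical of temp dirs


def classify_image(path, system_dir=SYSTEM_DIR):
    """Return 'ignore', 'expected', 'alert-temp' or 'alert-path' for an image path."""
    # normpath collapses '..' and mixed slashes; normcase lowercases (Windows
    # paths are case-insensitive), so simple obfuscations compare equal.
    norm = ntpath.normcase(ntpath.normpath(path))
    if ntpath.basename(norm) not in WATCHED_NAMES:
        return "ignore"
    if ntpath.dirname(norm) == ntpath.normcase(ntpath.normpath(system_dir)):
        return "expected"
    if any(marker in norm for marker in TEMP_MARKERS):
        return "alert-temp"
    return "alert-path"


def scan(events):
    """Return (pid, image, verdict) for every event that raises an alert."""
    hits = []
    for event in events:
        verdict = classify_image(event["image"])
        if verdict.startswith("alert"):
            hits.append((event["pid"], event["image"], verdict))
    return hits


# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 612, "image": r"C:\WINDOWS\system32\winlogon.exe"},
    {"pid": 2204, "image": r"C:\DOCUME~1\bob\LOCALS~1\Temp\winlogon.exe"},
    {"pid": 2310, "image": "C:/Windows/System32/../Temp/WinLogon.exe"},
    {"pid": 2488, "image": r"D:\tools\winlogon.exe"},
    {"pid": 3001, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
]

if __name__ == "__main__":
    for pid, image, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict:11} pid={pid} {image}")
```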

"There have been many occasions when virus writers have coded attacks that have presented themselves as communications from Microsoft," said Sophos. "For instance, in 2003 the Gibe-F worm (also known as Swen) posed as a critical security update from the software giant, and two years ago hackers directed internet users to a bogus web site masquerading as Microsoft's update page."

(www.sophos.com 30MAR07)



Last Modified: Sunday, 08-Apr-2007 14:11:58 EDT