NICK ADSL UK
November 10th, 2005, 12:00 PM
Websense® Security Labs™ has received reports of a new email scam disguised as a Microsoft Security Update for the recent Plug and Play vulnerability. Users receive a spoofed message requesting that they download a critical patch for MS-05-479 in order to be protected from hackers and viruses.
Upon clicking the included URL they are directed to a fraudulent website hosted in Canada, which was up and running at the time of this alert. The site uses screenshots of the real Microsoft security update site. Included is a link to the patch which is a program called "plugandplayfix.exe". The website URL is hosted on a machine which appears to have been compromised and simply has an IP address followed by
http://<IP-address-removed>/update.microsoft.com/windowsupdate/v6/plugandplayfix.exe
Upon execution the Trojan Horse opens a backdoor on the machine, connects to an IRC channel, and modifies several system variables.
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=330
Upon clicking the included URL they are directed to a fraudulent website hosted in Canada, which was up and running at the time of this alert. The site uses screenshots of the real Microsoft security update site. Included is a link to the patch which is a program called "plugandplayfix.exe". The website URL is hosted on a machine which appears to have been compromised and simply has an IP address followed by
http://<IP-address-removed>/update.microsoft.com/windowsupdate/v6/plugandplayfix.exe
Upon execution the Trojan Horse opens a backdoor on the machine, connects to an IRC channel, and modifies several system variables.
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=330