Microsoft Plug and Play Scam/Trojan Horse

Discussion in 'news, general information and FAQs' started by NICK ADSL UK, Nov 10, 2005.

Thread Status:
Not open for further replies.
  1. NICK ADSL UK, Administrator

    Websense® Security Labs™ has received reports of a new email scam disguised as a Microsoft Security Update for the recent Plug and Play vulnerability. Users receive a spoofed message requesting that they download a critical patch for MS-05-479 in order to be protected from hackers and viruses.

    Upon clicking the included URL, they are directed to a fraudulent website hosted in Canada, which was up and running at the time of this alert. The site uses screenshots of the real Microsoft security update site. Included is a link to the patch, which is a program called "plugandplayfix.exe". The website URL is hosted on a machine which appears to have been compromised and simply has an IP address followed by:

    http://<IP-address-removed>/update.microsoft.com/windowsupdate/v6/plugandplayfix.exe

    Upon execution, the Trojan Horse opens a backdoor on the machine, connects to an IRC channel, and modifies several system variables.
    http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=330
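
A mail-gateway or proxy check for the URL shape the alert describes (a bare IP address as host, a genuine Microsoft hostname placed in the path, and a direct link to an executable), as an added example that is not part of the original post or the Websense alert. The domain list, suffix list and sample URLs are assumptions; 192.0.2.10 is a documentation placeholder, not the address from the alert.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: vendor hostnames worth protecting; extend for your environment.
TRUSTED_DOMAINS = ("update.microsoft.com", "windowsupdate.microsoft.com")
# Assumption: file types that should never arrive as a "patch" link in mail.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat")


def host_is_ip_literal(host):
    """True when the URL host is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_url(url):
    """Return the reasons a URL matches the lure pattern; empty list if none."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segments = [s.lower() for s in parts.path.split("/") if s]
    reasons = []
    if host_is_ip_literal(host):
        reasons.append("host is a bare IP address")
    for domain in TRUSTED_DOMAINS:
        served_by_vendor = host == domain or host.endswith("." + domain)
        # The vendor name only proves origin when it is the host, not a folder.
        if domain in segments and not served_by_vendor:
            reasons.append(f"'{domain}' appears in the path, not the host")
    if segments and segments[-1].endswith(EXECUTABLE_SUFFIXES):
        reasons.append("link points directly at an executable")
    return reasons


# Constructed sample URLs (not taken from the alert).
SAMPLES = [
    "http://192.0.2.10/update.microsoft.com/windowsupdate/v6/plugandplayfix.exe",
    "https://update.microsoft.com/windowsupdate/v6/default.aspx",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        findings = check_url(sample)
        print(sample, "->", findings if findings else "no findings")
```

The check only covers this one disguise; look-alike hostnames need a separate rule.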
     