[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Wave of fake Official Microsoft Advisory

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Wave of fake Official Microsoft Advisory
From: Bruno Clermont <bruno@xxxxxxxx>
Date: 19 Sep 2003 10:57:01 -0400

Since this morning I start seeing tons of fake Microsoft Advisories by
mail. They contain a .exe attachment.

Running strings(1) on the file show it contain it's own HTML mail source
(and other version of the advisory), and many of the stuff it try to do:

- Increment a web counter "GET
http://ww2.fce.vutbr.cz/bin/counter.gif/link=bacillus&width=6&set=cnt006
HTTP/1.0"
- query a POP3 account at ww2.fce.vutbr.cz
- retrieve stuff from a newsgroup and post a message
- modify mIRC configuration
- alter some Kaaza registry keys
- probably more stuff in all the encoded content

The mail really look like an official Microsoft communication with all
those legal reference to microsoft.com website. At the rate those mail
are coming many users had already been fooled, and infection had just
started.

Some of the original mails (with .exe attachment) are available in mbox
format at http://www.gnome.ca/ms.mbox.

Follow-Ups:
- RE: Wave of fake Official Microsoft Advisory
  - From: Lee Evans

Prev by Date: Remote root vuln in lsh 1.4.x
Next by Date: uninitialized buffer in midnight commander
Previous by thread: Remote root vuln in lsh 1.4.x
Next by thread: RE: Wave of fake Official Microsoft Advisory
Index(es):
- Date
- Thread