Email, which masquerades as an automated ISP message, claims the recipient must install an attached security patch to stop a worm from spreading
False – The attachment contains a worm.
A new malware attack that uses a very similar message to the one shown below began hitting inboxes in July 2007.
Yet another email-based malware attack is currently hitting inboxes. The emails masquerade as automated service messages from the recipient’s Internet Service Provider (ISP). The messages claim that abnormal activity related to an email worm epidemic has been detected and instruct the recipient to install a patch to deal with the problem.
The bogus patch is included in a password-protected zip archive attached to the email. The message also provides the password required to access the archive. The “password protection” ruse is apparently designed to make the claims in the message seem more legitimate.
When the user opens the attachment, a rootkit is installed and the malware attempts to connect to a peer-to-peer network. Once connected, it can upload sensitive information from the compromised computer and download other malware components. It will also search for email addresses on the infected machine and send copies of itself to addresses that it finds.
The malware attempts to protect itself by interfering with the normal functioning of anti-virus scanners.
The infected machine ultimately becomes a zombie computer connected to a botnet that can be used to send spam and spread other malware.
The worm is very similar in intent to the Iran Missile Attack worm, which has also been spreading via email.
Malware distributors have often used the “security patch” ruse to try to trick unwary recipients into installing their malicious software. Software companies or ISPs are extremely unlikely to distribute security patches via unsolicited email. Security updates should only be installed via the software vendor’s official update facilities. Users should always be very cautious of opening email attachments, including those that claim to be security updates. Users should also ensure that they have up-to-date anti-virus software installed and use an Internet firewall.
Last updated: 14th April 2007
First published: 14th April 2007
By Brett M. Christensen