Trojan Masquerades as Microsoft Security Update

By Ryan Naraine  |  Posted 2005-04-11 Print this article Print

An anti-virus vendor raises the alarm for a new malicious Trojan posing as a critical security patch from Microsoft.

Anti-virus vendors have raised the alarm for a malicious new Trojan masquerading as a critical Microsoft security patch.

The e-mail-borne attack comes just days ahead of Microsofts scheduled patch day and highlights a growing trend of using social engineering tactics to dupe users into downloading malicious files.

According to an advisory from anti-virus specialist Sophos Inc., the attackers are using a coordinated e-mail campaign to direct users to download the bogus Microsoft patches from a malicious Web site.

Even though Microsoft never sends out updates or security alerts via e-mail, Sophos senior technology consultant Graham Cluley said the publics rising paranoia about the security of Windows computers plays into the hands of the attackers.

The e-mail includes the Microsoft Windows logo and is disguised under one of the following subject lines: "Update your Windows machine," "Urgent Windows Update" and "Important Windows Update."

It purports to come from "Windows Update" ( and includes links pointing to an "Express Install: High Priority Updates For Your Computer."

If users follow the link in the e-mail and attempt to download the fake patch, a Trojan Horse is installed instead, allowing the attacker to hijack the computer remotely.

Sophos has identified the file as Troj/DSNX-05, a backdoor Trojan that runs in the background as a server process allowing a remote user (using a client program) to gain access and control over the machine.

When first run, the Trojan copies itself to the Windows System directory using the name of a randomly chosen DLL file and a .exe extension. Sophos warned that the Trojan then creates a registry entry to run the file automatically each time the infected machine is rebooted.

Read more here about security experts warnings of new worms.

"This criminal campaign exploits the publics rising paranoia about the security of their Windows computers. If users fall for it, they may put themselves at risk of being spied upon or having their credit card and online banking details stolen," Cluley said.

He recommended that users keep up to date with the latest security patches from Microsoft, but stressed that users must be very careful to avoid downloading files received in e-mails. "[They must make sure] they are going to the official update Web sites, rather than just following links in e-mails which have been sent by hackers," he said.

"Microsoft does not issue security warnings in this way—so users should be on their guard whenever they receive an e-mail like this," he added.

Sophos has posted disinfection instructions for the Trojan.

Its not the first time a bogus Microsoft security patch was used to trigger a worm attack. Click here to read more about a worm that masqueraded as a patch to defend MyDoom. Back in 1994, a patch promising to protect users from the MyDoom worm turned out to be a malicious virus targeting Windows machines throughout Europe and parts of North America.

That attack was also e-mail borne and arrived with a subject line of "Microsoft Alert: Please Read!"

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel