Like day follows night, a bogus "cumulative update" with a malicious attachment has followed Microsofts patch day.
In what has become a monthly staple, virus writers are taking advantage of the heightened public interest around Microsofts patching cycle to trick users into executing a malicious attachment.
The latest social engineering trick arrives via e-mail with an attachment that purports to be a "cumulative patch" for May 2005.
The claim is that the executable file contains patches for vulnerabilities in Internet Explorer, Microsoft Outlook and Outlook Express, three widely used products with a history of serious security bugs.
The file is actually an executable for a variant of W32.Pinfi, a memory-resident polymorphic virus capable of replicated via mapped drives and network shares.
The Pinfi virus, also known as Pate or Parite, has been programmed to infect every PE and SCR file on every drive and network share.
It targets users of Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me.
"This is a common scam," a Microsoft representative said Thursday. "Its important to remind customers that Microsoft will never attach software updates to security e-mail notifications."
She pointed out that most Microsoft software updates are provided through Microsoft Windows Update, Microsoft Office Update, or the Microsoft Download Center, adding that, as a best practice, "users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources."
Because the scam has become a monthly occurrence, Microsoft has provided guidance for customers to help identify genuine security messages.
The document, titled How to Tell If a Microsoft Security-Related Message Is Genuine, includes the following advice:
- Microsoft never sends notices about security updates or incidents until after information about them are published on the Microsoft.com domain.
If users are in doubt about the authenticity of security e-mail notification, they are urged to Security site on Microsoft.com to see if the information is listed there.
- If a customer suspects that an e-mail message is not legitimate, they should not click any hyperlinks within it. Those links may be spoofed so that they appear to be sending you to a trusted Web site when they are actually sending you to a malicious Web site. Always cut and paste the text of the link from the e-mail to the address bar on your browser; or better yet, type in the address of the site yourself.
- Microsoft and most commercial Web sites use certificates as part of a system for securing online transactions. Typing "https://" as opposed to the standard "http://" into the Web site address activates the certificate. Once you are on the secure site, Internet Explorer allows you to check the certificate. Double-click the lock icon on the status bar at the bottom of your browser. This displays the security certificate for the site.
- If you have not signed up for any security communications from Microsoft and you receive an unexpected message about a security update, you should treat the message with great caution. When in doubt, delete the message and immediately check the Microsoft.com home page for the same information.
Anti-virus vendor Sophos Inc. has provided step-by-step disinfection instructions for PE executables.