Security Watch

Keeping Track of patches and hacks in the IT security world.

Worm Posing as IE Beta Download

A widespread malicious attack is posing as a convincing invitation from Microsoft to download a beta version of Internet Explorer 7.0, security company Sophos reported.

The e-mails appear to come from The subject line is "Internet Explorer 7 Downloads." The e-mail contains an image inviting users to download Beta 2 of IE 7. Those who click on the image will download a file called ie7.0, which carries the W32Grum-A worm.

"Worms like this are only succeeding in spreading because so many people have still not learned to be suspicious of unsolicited e-mails, even if they claim to come from well-known companies like Microsoft," said Graham Cluley, senior technology consultant for Sophos, in a posting on Sophos' site. "The problem is that to the casual observer the e-mail looks genuine, and the image displayed looks near-identical to the imagery that Microsoft is using on its Web site to promote Internet Explorer 7.0. Clicking on the image, however, doesn't download the real beta - but malicious code straight from the hackers."

Sophos says that the Grum worm is an appender virus—a virus that inserts a copy of its code at the end of its victim file. This virus infects executable files referenced by Run keys in the Windows Registry. When run, it copies itself to \winlogon.exe and makes changes to the Registry. It also edits the HOSTS file, injecting a thread into system.dll, and attempts to patch the system files ntdll.dll and kernel32.dll.

Sophos points out that this isn't the first time malware has posed as Microsoft communications. One example comes from two years ago, when the Swen—also known as Gibe-F—mass-mailing virus masqueraded as a security patch message from Microsoft.

Sophos is advising companies to automatically update their corporate virus protection.