[ISN] New Trojan masquerades as Windows XP update

From: InfoSec News (isn@private)
Date: Mon Jan 12 2004 - 00:14:22 PST

    http://www.computerworld.com/securitytopics/security/story/0,10801,88940,00.html
    
    Story by Paul Roberts
    JANUARY 09, 2004 
    IDG NEWS SERVICE 
    
    Security companies are warning Internet users about a new Trojan horse
    program spreading via spam e-mail and masquerading as a Windows XP
    software update from Microsoft Corp.
    
    The program, known as Xombe or Dloader-L, arrives as an executable
    attachment in spam e-mail messages purporting to come from
    windowsupdate@private and installs itself on victims' computers
    when users open the attachment.
    
    Once installed, Xombe connects to a Web site, then downloads and
    installs another program, called Mssvc-A, which is a Trojan horse
    program that conscripts victim computers in distributed
    denial-of-service attacks against Web pages, according to antivirus
    company Sophos PLC.
    
    Xombe is considered a low risk by most antivirus companies, including
    Sophos, Computer Associates International Inc. and Symantec Corp. The
    program is not a worm or virus and can't make copies of itself.  
    Instead, it is distributed via spam.
    
    The spam messages read in part, "Window [sic] Update has determined
    that you are running a beta version of Windows XP Service Pack 2. To
    help improve the stability of your computer, Microsoft recommends that
    you remove the beta version of Windows XP SP1."
    
    Recipients are told to "run the file winxp_sp1.exe in attach [sic] and
    make sure to restart your PC after installation," according to CA,
    Sophos and others.
    
    Sophos said it has received several reports of the Xombe Trojan
    program from customers.
    
    Antivirus companies offered updated virus definitions to spot Xombe
    today and provided instructions on removing Trojan programs from
    infected computers.
    
    Microsoft frequently distributes security bulletins using e-mail but
    never includes software updates as attachments, according to the
    company's Web site.
    
    Most Microsoft software updates are made available through the Windows
    Update, Microsoft Office Update or the Microsoft Download Center, the
    company said.
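
A mail-gateway check built on the policy stated above (the vendor never mails updates as attachments), given here as an added example that is not part of the original story or any vendor's code. The extension list, the sender markers, the function names and the example.invalid addresses are assumptions, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions treated as directly executable on Windows (assumed list).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# Markers suggesting the mail presents itself as a Microsoft update (assumed).
VENDOR_MARKERS = ("windowsupdate", "windows update", "microsoft")

def claims_vendor_update(msg):
    """True if the From or Subject header presents the mail as a Microsoft update."""
    display, addr = parseaddr(str(msg.get("From", "")))
    haystack = " ".join([display, addr, str(msg.get("Subject", ""))]).lower()
    return any(marker in haystack for marker in VENDOR_MARKERS)

def executable_attachments(msg):
    """Return filenames of MIME parts whose final extension is executable."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        # Trailing dots/spaces are stripped because Windows ignores them.
        if name and name.lower().rstrip(". ").endswith(EXECUTABLE_EXTS):
            names.append(name)
    return names

def triage(raw_bytes):
    """Classify a raw message as 'quarantine', 'review' or 'pass'."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    exes = executable_attachments(msg)
    if exes and claims_vendor_update(msg):
        return "quarantine", exes  # claimed vendor update carrying an executable
    if exes:
        return "review", exes      # executable attachment from any other sender
    return "pass", []

def build_sample(sender, subject, filename=None):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.invalid", subject
    m.set_content("Run the attached file and restart your PC.")
    if filename:
        m.add_attachment(b"MZ constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```
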
    
    
    
    


