http://www.computerworld.com/securitytopics/security/story/0,10801,88940,00.html Story by Paul Roberts JANUARY 09, 2004 IDG NEWS SERVICE Security companies are warning Internet users about a new Trojan horse program spreading via spam e-mail and masquerading as a Windows XP software update from Microsoft Corp. The program, known as Xombe or Dloader-L, arrives as an executable attachment in spam e-mail messages purporting to come from windowsupdate@private and installs itself on victim's computers when users open the attachment. Once installed, Xombe connects to a Web site, then downloads and installs another program, called Mssvc-A, which is a Trojan horse program that conscripts victim computers in distributed denial-of-service attacks against Web pages, according to antivirus company Sophos PLC. Xombe is considered a low risk by most antivirus companies, including Sophos, Computer Associates International Inc. and Symantec Corp. The program is not a worm or virus and can't make copies of itself. Instead, it is distributed via spam. The spam messages read in part, "Window [sic] Update has determined that you are running a beta version of Windows XP Service Pack 2. To help improve the stability of your computer, Microsoft recommends that you remove the beta version of Windows XP SP1." Recipients are told to "run the file winxp_sp1.exe in attach [sic] and make sure to restart your PC after installation," according to CA, Sophos and others. Sophos said it has received several reports of the Xombe Trojan program from customers. Antivirus companies offered updated virus definitions to spot Xombe today and provided instructions on removing Trojan programs from infected computers. Microsoft frequently distributes security bulletins using e-mail but never includes software updates as attachments, according to the company's Web site. Most Microsoft software updates are made available through the Windows Update, Microsoft Office Update or the Microsoft Download Center, the company said. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Jan 12 2004 - 02:49:47 PST