Malicious Website / Malicious Code: Microsoft Plug and Play Scam / Trojan Horse


Websense® Security Labs™ has received reports of a new email scam disguised as a Microsoft Security Update for the recent Plug and Play vulnerability. Users receive a spoofed message requesting that they download a critical patch for MS-05-479 in order to be protected from hackers and viruses.
Upon clicking the included URL they are directed to a fraudulent website hosted in Canada, which was up and running at the time of this alert. The site uses screenshots of the real Microsoft security update site. Included is a link to the patch which is a program called "plugandplayfix.exe". The website URL is hosted on a machine which appears to have been compromised and simply has an IP address followed by:

http://<IP address removed>/update.microsoft.com/windowsupdate/v6/plugandplayfix.exe

Upon execution the Trojan Horse opens a backdoor on the machine, connects to an IRC channel, and modifies several system variables. Websense® - Security Labs Alert: Microsoft Plug and Play Scam / Trojan Horse

Linked by shanmuga Monday, 7th November 2005 8:50PM