Friday, September 19, 2003

Newest Network Pack

I've been getting a lot of fake "Microsoft Security Update" trojan/virus/worm/spam email this morning. I bet they fool a lot of people with this stuff. With the HTML (which contains images stolen from Microsoft) removed, the emails say:
X-Apparently-To: jeff_robertson@yahoo.com via 216.136.172.53; Fri, 19 Sep 2003 00:28:50 -0700
Return-Path: <inekeoosterdijk@energieservice.nl>
Received: from 194.109.127.141 (EHLO smtpzilla5.xs4all.nl) (194.109.127.141) by mta157.mail.sc5.yahoo.com with SMTP; Fri, 19 Sep 2003 00:28:48 -0700
Received: from vhmsnxro (213-84-168-101.adsl.xs4all.nl [213.84.168.101]) by smtpzilla5.xs4all.nl (8.12.9/8.12.9) with SMTP id h8J7SWAA014314; Fri, 19 Sep 2003 09:28:32 +0200 (CEST)
Date: Fri, 19 Sep 2003 09:28:32 +0200 (CEST)
Message-Id: <200309190728.h8J7SWAA014314@smtpzilla5.xs4all.nl>
From: "MS Technical Services" <fyfkgz_wmoxn@updates.ms.com
To: "Customer" <edwbhoj.wsoksjxt@updates.ms.com>
Subject: Newest Network Pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="ietmntfcqbebyzp"
Content-Length: 80081

Microsoft Customer

this is the latest version of security update, the "September 2003, Cumulative Patch" update which fixes all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as three newly discovered vulnerabilities. Install now to protect your computer. This update includes the functionality of all previously released patches.

Microsoft Product Support Services and Knowledge Base articles can be found on the Microsoft Technical Support web site. http://support.microsoft.com/

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site http://www.microsoft.com/security/

Thank you for using Microsoft products.

Please do not reply to this message. It was sent from an unmonitored e-mail address and we are unable to respond to any replies.

----------------------------------------------
The names of the actual companies and products mentioned herein are the trademarks of their respective owners.
Copyright 2003 Microsoft Corporation.
There is an attachment called "installXX.exe" where XX is a two-digit number. Notice the use of "ms.com" for the fake email addresses. This domain is actually registered by Morgan Stanley. I bet a lot of people whose computers are infected by this will (falsely) blame Morgan Stanley. OTOH not all of the messages use "ms.com", I've seen other domains too.
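The header inconsistencies visible in the message above can be checked mechanically. The following triage sketch is an added example, not part of the original post; the finding names, the `BRAND_DOMAINS` allow-list, the two-label domain heuristic and the filename `install42.exe` are assumptions made for illustration.

```python
import re
from email import message_from_string

# Subset of the headers quoted in the post (From is unterminated there too).
SAMPLE_HEADERS = """\
Return-Path: <inekeoosterdijk@energieservice.nl>
Received: from 194.109.127.141 (EHLO smtpzilla5.xs4all.nl) (194.109.127.141) by mta157.mail.sc5.yahoo.com with SMTP; Fri, 19 Sep 2003 00:28:48 -0700
Received: from vhmsnxro (213-84-168-101.adsl.xs4all.nl [213.84.168.101]) by smtpzilla5.xs4all.nl (8.12.9/8.12.9) with SMTP id h8J7SWAA014314; Fri, 19 Sep 2003 09:28:32 +0200 (CEST)
From: "MS Technical Services" <fyfkgz_wmoxn@updates.ms.com
To: "Customer" <edwbhoj.wsoksjxt@updates.ms.com>
Subject: Newest Network Pack

"""

BRAND_DOMAINS = {"microsoft.com"}   # assumption: only domain accepted for the brand
BRAND_RE = re.compile(r"\b(MS|Microsoft)\b", re.I)
ATTACH_RE = re.compile(r"install\d{2}\.exe", re.I)  # "installXX.exe" from the post


def org_domain(value):
    """Last two labels of the first address domain found in a header value.
    Naive on purpose; production code should use the Public Suffix List."""
    m = re.search(r"@([A-Za-z0-9.-]+)", value or "")
    return ".".join(m.group(1).lower().split(".")[-2:]) if m else None


def triage(raw_headers, attachment_names=()):
    msg = message_from_string(raw_headers)
    findings = []
    from_hdr = msg["From"] or ""
    from_dom = org_domain(from_hdr)
    # Envelope sender and visible sender belong to different organisations.
    if from_dom != org_domain(msg["Return-Path"]):
        findings.append("from-vs-return-path-mismatch")
    # Only the display name is checked, so ordinary ms.com mail is not flagged.
    if BRAND_RE.search(from_hdr.split("<")[0]) and from_dom not in BRAND_DOMAINS:
        findings.append("brand-name-on-foreign-domain")
    # The last Received header is the oldest hop, i.e. the submitting client.
    hops = msg.get_all("Received") or []
    helo = re.match(r"from (\S+)", hops[-1]) if hops else None
    if helo and "." not in helo.group(1):
        findings.append("non-fqdn-helo")
    if any(ATTACH_RE.fullmatch(name) for name in attachment_names):
        findings.append("executable-attachment-pattern")
    return findings


if __name__ == "__main__":
    # "install42.exe" is a constructed filename matching the pattern in the post.
    print(triage(SAMPLE_HEADERS, ["install42.exe"]))
```

Because only the display name is tested for the brand words, a constructed legitimate message from an ms.com address with a matching Return-Path produces no findings.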
