Trojan wrapped in phony XP service pack


You may have arrived at work this morning to find in your inbox a suspicious looking e-mail purporting to be a service pack for Windows XP. It is in fact a new Trojan called Xombe.

The Trojan, which McAfee Security is calling "Downloader GJ," is attached to an HTML e-mail and, if executed, it downloads another downloading program that retrieves an executable. The executable then tries to launch a denial-of-service attack against a Russian site that hosts discussion forums.

Network and e-mail administrators have several workarounds at their disposal, including filtering for the subject line or attachment name, or stripping .exes at the gateway. There is no destructive payload, experts said.

Xombe cannot spread by itself like a worm, but it seems to have been spammed to many people, experts said.

"We have had a lot more calls than we usually do with Trojans that are spammed," said Mikko Hypponen, manager of antivirus research for Finland-based F-Secure Corp.

The threat posed by Xombe is limited, because the Canada-based Web site gamemaniacs.org, from which it downloads another component, is no longer up.

The attached executable, called winxp_sp1.exe, downloads and installs another downloader, msvchost.exe, in the system directory. This file can download files and install them on the system. Currently, it downloads an HTTP client, http_f.dll, which seems to be used for a denial-of-service attack against a Russian discussion forum.

The Trojan's sender seems to have borrowed some techniques from worm writers. The accompanying message looks quite legitimate.

"We are seeing attackers spending more time glossing up their attacks," said Ken Dunham, director of malicious code at iDefense Inc.

The message has a spoofed sender address, so it appears to come from windowsupdate@microsoft.com. It has the subject line "Windows XP Service Pack 1 (Express) - Critical Update".
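The workarounds the experts describe above (filtering on the subject line or attachment name, and stripping .exe files at the gateway) can be expressed as a small mail-gateway check. The following is an added example written for this article, not code from McAfee, F-Secure or iDefense; it uses only the indicators the article gives (the subject line, the spoofed windowsupdate@microsoft.com sender and the winxp_sp1.exe attachment name). The list of executable extensions beyond .exe and the sample message built by `build_sample_mail` are assumptions for illustration, and the attachment body is placeholder text, not a program.

```python
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage, MIMEPart
from email.utils import parseaddr

# Indicators taken from the article: the lure's subject line, the spoofed
# sender address and the name of the attached executable.
XOMBE_SUBJECT = "Windows XP Service Pack 1 (Express) - Critical Update"
XOMBE_SENDER = "windowsupdate@microsoft.com"
XOMBE_ATTACHMENT = "winxp_sp1.exe"

# Assumption: a typical gateway "strip executables" policy. The article only
# mentions .exe; the other extensions are added here for illustration.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def classify_message(raw: bytes) -> dict:
    """Apply the article's filtering workarounds to one raw RFC 822 message.

    Returns which indicators matched and the attachment names seen, so the
    caller can decide whether to quarantine, tag or reject the message.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    subject = (msg["Subject"] or "").strip()
    if subject.lower() == XOMBE_SUBJECT.lower():
        reasons.append("subject line matches the Xombe lure")

    # The header From is trivially spoofable, so an exact match on the address
    # the lure uses is a cheap first filter, not evidence of origin.
    _, sender = parseaddr(msg["From"] or "")
    if sender.lower() == XOMBE_SENDER:
        reasons.append("From address is the spoofed " + XOMBE_SENDER)

    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    for name in attachments:
        if name.lower() == XOMBE_ATTACHMENT:
            reasons.append("attachment name matches " + XOMBE_ATTACHMENT)
        elif name.lower().endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("executable attachment " + name)

    return {"block": bool(reasons), "reasons": reasons, "attachments": attachments}


def strip_executables(raw: bytes) -> tuple[bytes, list[str]]:
    """Gateway-style stripping: replace each executable attachment at the top
    level of the message with a short text notice.

    Returns the rewritten message and the names of the parts removed.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    if msg.is_multipart():
        parts = msg.get_payload()  # live list of sub-parts of a multipart message
        for i, part in enumerate(parts):
            name = part.get_filename() or ""
            if name.lower().endswith(EXECUTABLE_EXTENSIONS):
                notice = MIMEPart()
                notice.set_content(f"[gateway policy] attachment {name!r} was removed")
                parts[i] = notice
                removed.append(name)
    return msg.as_bytes(), removed


def build_sample_mail(subject: str, sender: str, attachment_name: str = "") -> bytes:
    """Construct a sample HTML message for testing (constructed data; the
    attachment body is placeholder text, not an executable)."""
    msg = EmailMessage()
    msg["From"] = f"Windows Update <{sender}>"
    msg["To"] = "user@example.com"  # constructed recipient
    msg["Subject"] = subject
    msg.set_content("Please install the attached critical update.")
    msg.add_alternative(
        "<html><body><p>Please install the attached critical update.</p></body></html>",
        subtype="html",
    )
    if attachment_name:
        msg.add_attachment(
            b"placeholder bytes, not a real program",
            maintype="application",
            subtype="octet-stream",
            filename=attachment_name,
        )
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample_mail(XOMBE_SUBJECT, XOMBE_SENDER, XOMBE_ATTACHMENT)
    print(classify_message(lure))
    cleaned, removed = strip_executables(lure)
    print("removed:", removed, "->", classify_message(cleaned))
```

The subject and sender matches are deliberately kept separate from the attachment check: a spoofed From address or a known subject line is cheap to rotate, whereas stripping executables at the gateway blocks this lure and the next one regardless of how the message is dressed up.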

"We got a lot of calls from people who were almost fooled by it," Hypponen said. "They called us just to be safe."
