Trojan wrapped in phony XP service pack

By Edward Hurley, News Writer
09 Jan 2004 | SearchSecurity.com


You may have arrived at work this morning to find in your inbox a suspicious-looking e-mail purporting to be a service pack for Windows XP. It is in fact a new Trojan called Xombe.

The Trojan, which McAfee Security is calling "Downloader GJ," is attached to an HTML e-mail and, if executed, it downloads another downloading program that retrieves an executable. The executable then tries to launch a denial-of-service attack against a Russian site that hosts discussion forums.

Network and e-mail administrators have several workarounds at their disposal, including filtering for the subject line or attachment name, or stripping .exes at the gateway. There is no destructive payload, experts said.

Xombe cannot spread by itself like a worm, but it seems to have been spammed to many people, experts said.

"We have had a lot more calls than we usually do with Trojans that are spammed," said Mikko Hypponen, manager of antivirus research for Finland-based F-Secure Corp.

The threat posed by Xombe is limited as the Canada-based Web site gamemaniacs.org that it uses to download another component is no longer up.

The attached executable, called winxp_sp1.exe, downloads and installs another downloader, msvchost.exe, in the system directory. This file can download files and install them on the system. Currently, it downloads an HTTP client, http_f.dll, which seems to be used for a denial-of-service attack against a Russian discussion forum.

The Trojan's sender seems to have borrowed some techniques from worm writers. The accompanying message looks quite legitimate.

"We are seeing attackers spending more time glossing up their attacks," said Ken Dunham, director of malicious code at iDefense Inc.

The message has a spoofed sender address, so it appears to come from windowsupdate@microsoft.com. It has the subject line "Windows XP Service Pack 1 (Express) - Critical Update".

"We got a lot of calls from people who were almost fooled by it," Hypponen said. "They called us just to be safe."
