Home > Security News > Trojan wrapped in phony XP service pack
Security News:
EMAIL THIS

Trojan wrapped in phony XP service pack

By Edward Hurley, News Writer
09 Jan 2004 | SearchSecurity.com

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   

You may have arrived at work this morning to find in your inbox a suspicious looking e-mail purporting to be a service pack for Windows XP. It is in fact a new Trojan called Xombe.

The Trojan, which McAfee Security is calling "Downloader GJ," is attached to an HTML e-mail and, if executed, it downloads another downloading program that retrieves an executable. The executable then tries to launch a denial-of-service attack against a Russian site that hosts discussion forums.

Network and e-mail administrators have several workarounds at their disposal, including filtering for the subject line or attachment name, or stripping .exes at the gateway. There is no destructive payload, experts said.

Xombe cannot spread by itself like a worm, but it seems to have been spammed to many people, experts said.

"We have had a lot more calls than we usually do with Trojans that are spammed," said Mikko Hypponen, manager of antivirus research for Finland-based F-Secure Corp.

The threat posed by Xombe is limited as the Canada-based Web site gamemaniacs.org that it uses to download another component is no longer up.

The attached executable, called winxp_sp1.exe, downloads and installs another downloader, msvchost.exe, in the system directory. This file can download files and install them on the system. Currently, it downloads an HTTP client, http_f.dll, which seems to be used for a denial-of-service attack against a Russian discussion forum.

The Trojan's sender seems to have borrowed some techniques from worm writers. The accompanying message is quite legit looking.

"We are seeing attackers spending more time glossing up their attacks," said Ken Dunham, director of malicious code at iDefense Inc.

The message has a spoofed sender address, so it appears to come from windowsupdate@microsoft.com. It has the subject line "Windows XP Service Pack 1 (Express) - Critical Update".

"We got a lot of calls from people who were almost fooled by it," Hypponen said. "They called us just to be safe."

FEEDBACK: Are your users likely to open a malicious e-mail purporting to come from Microsoft?
Send your feedback to the SearchSecurity.com news team.



Tags: Securing the Internet and E-CommerceInfrastructure and Network SecurityCommon Vulnerabilities and Prevention TipsSecuring the DesktopSecuring your Products/PlatformsVIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   




More Tips to Secure Your Network
Focused on Channel Security?
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts