The folks at the SANS Internet Storm Center are warning of a fake Microsoft security bulletin that’s making the rounds. Here’s what it looks like:
Microsoft Security Bulletin MS06-4
Cumulative Security Update for Internet Explorer (113742734)
Published: June 3, 2007
Who should read this document: Customers who use Microsoft Windows
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately.
“Of course,” storm center handler Lenny Zeltser said, “the proper format for the bulletin number would be MS06-004, not MS06-4. Second, the number of a bulletin released in 2007 would start with MS07, not MS06.”
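The two tells Zeltser names (bulletin ID not in MSYY-NNN form, year in the ID not matching the published date) are easy to turn into an automated check for mail filtering. The following Python is an added example, not code from the post or from the Internet Storm Center; the regexes, function names and the sample header are constructed here, and it assumes the header follows the layout shown above.

```python
import re
from datetime import datetime

# Well-formed Microsoft bulletin IDs look like MS07-004: "MS", two-digit year, dash, three digits.
STRICT_ID = re.compile(r"^MS(\d{2})-(\d{3})$")
LOOSE_ID = re.compile(r"^MS(\d{2})-(\d+)$")


def check_bulletin_id(bulletin_id: str, published_year: int) -> list:
    """Return the reasons a bulletin ID looks forged; an empty list means it passed both tests."""
    problems = []
    bid = bulletin_id.strip()
    m = STRICT_ID.match(bid)
    if not m:
        problems.append(f"malformed id {bid!r}: expected MSYY-NNN, e.g. MS06-004")
        m = LOOSE_ID.match(bid)  # still try to recover the year so the second test can run
        if not m:
            return problems
    if int(m.group(1)) != published_year % 100:
        problems.append(f"id year {m.group(1)} does not match published year {published_year}")
    return problems


def check_bulletin_text(text: str) -> list:
    """Pull the bulletin ID and the 'Published:' date out of a bulletin-style header and check them."""
    id_match = re.search(r"Microsoft Security Bulletin\s+(\S+)", text)
    date_match = re.search(r"Published:\s*([A-Za-z]+ \d{1,2}, \d{4})", text)
    if not id_match or not date_match:
        return ["could not find both a bulletin ID and a 'Published:' date"]
    published = datetime.strptime(date_match.group(1), "%B %d, %Y")
    return check_bulletin_id(id_match.group(1), published.year)


# Constructed sample: the header of the fake bulletin described in the post.
FAKE_HEADER = """Microsoft Security Bulletin MS06-4
Cumulative Security Update for Internet Explorer (113742734)
Published: June 3, 2007
"""

if __name__ == "__main__":
    for problem in check_bulletin_text(FAKE_HEADER):
        print("suspicious:", problem)
```

Run against the fake header it reports both of Zeltser's observations; a genuine-looking ID such as MS07-004 dated 2007 passes cleanly.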
He said the scheme is what people would expect: The message includes a link to what, it claims, is a patch that is supposed to address the issue. The file, hosted on a remote server, is called “updatems06.exe.” It is a UPX-packed executable that is recognized as being malicious by half of the antivirus engines available to VirusTotal.
“The executable installs a malicious browser add-on (BHO) ‘down.dll’ on the victim’s system in C:\WINDOWS\system32,” he said. “Antivirus engines that recognize the BHO as malware identify it as Agent.avk (see the VirusTotal report). This seems to be a downloader that is also capable of spying on the user’s interactions with certain sites.”