
Fake Microsoft security bulletin circulating

The folks at the SANS Internet Storm Center are warning of a fake Microsoft security bulletin that’s making the rounds. Here’s what it looks like:

Microsoft Security Bulletin MS06-4
Cumulative Security Update for Internet Explorer (113742734)
Published: June 3, 2007
Version: 1.0


Who should read this document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.

“Of course,” storm center handler Lenny Zeltser said, “the proper format for the bulletin number would be MS06-004, not MS06-4. Second, the number of a bulletin released in 2007 would start with MS07, not MS06.”

He said the scheme works the way people would expect: the message links to what it claims is a patch for the issue. The file, hosted on a remote server, is called “updatems06.exe.” It is a UPX-packed executable that half of the antivirus engines available to VirusTotal recognize as malicious.

“The executable installs a malicious browser add-on (BHO) ‘down.dll’ on the victim’s system in C:\WINDOWS\system32,” he said. “Antivirus engines that recognize the BHO as malware identify it as Agent.avk (see the VirusTotal report). This seems to be a downloader that is also capable of spying on the user’s interactions with certain sites.”
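The two consistency checks Zeltser describes can be automated for mail triage. The sketch below is an added example, not code from SANS or Microsoft: it checks the bulletin number format and compares its year prefix with the "Published" date. The function name, the constructed download line in the sample, and the extra check for a direct link to an .exe are assumptions made for illustration.

```python
import re
from datetime import datetime

# Format cited in the article: "MS" + two-digit year + "-" + three-digit number.
BULLETIN_ID = re.compile(r"^MS(\d{2})-(\d{3})$")
ID_LINE = re.compile(r"Microsoft Security Bulletin\s+(\S+)")
PUBLISHED_LINE = re.compile(r"Published:\s*(.+)")
EXE_LINK = re.compile(r"https?://\S+\.exe\b", re.IGNORECASE)

# Header as quoted in the article; the URL line is constructed for this example.
SAMPLE = """Microsoft Security Bulletin MS06-4
Cumulative Security Update for Internet Explorer (113742734)
Published: June 3, 2007
Version: 1.0
Download: http://example.invalid/updatems06.exe
"""


def check_bulletin(text):
    """Return a list of inconsistencies found in a purported bulletin."""
    id_match = ID_LINE.search(text)
    if not id_match:
        return ["no bulletin number found"]
    findings = []
    bulletin_id = id_match.group(1)
    if not BULLETIN_ID.match(bulletin_id):
        findings.append(f"malformed bulletin number: {bulletin_id}")
    # Read the year prefix even when the sequence part is malformed.
    prefix = re.match(r"MS(\d{2})-", bulletin_id)
    pub = PUBLISHED_LINE.search(text)
    if prefix and pub:
        raw_date = pub.group(1).strip()
        try:
            published = datetime.strptime(raw_date, "%B %d, %Y")
        except ValueError:
            findings.append(f"unparseable publication date: {raw_date}")
        else:
            if published.strftime("%y") != prefix.group(1):
                findings.append(
                    f"year mismatch: MS{prefix.group(1)} vs published {published.year}")
    # Assumed heuristic: a direct link to an .exe is treated as suspicious.
    if EXE_LINK.search(text):
        findings.append("links directly to an executable")
    return findings


if __name__ == "__main__":
    for finding in check_bulletin(SAMPLE):
        print(finding)
```

A message that passes these checks is not thereby genuine; the checks only catch the kind of sloppiness seen in this sample.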
