NEWS FROM THE LAB - Tuesday, May 30, 2006

No, Microsoft has not released a new patch
Posted by Patrik @ 16:35 GMT

Today we have received samples of an e-mail that has been spammed out to lots of recipients. It looks like an e-mail from Microsoft, with a link to what is supposed to be a patch for a new vulnerability in the Microsoft WinLogon Service. Of course it isn't, and even though the link looks like it's going to www.microsoft.com, it will take you to http://www.redcallao.com/[undisclosed]/winlogon_patchV1.12.exe instead, which is a password-stealing trojan that we detect as Trojan-PSW.Win32.QQPass.ho.

Using Microsoft and the "patch for a new vulnerability" theme is nothing new. Back in 2003 the e-mail worm Swen, which at the time was classified as F-Secure Radar 1, used the same social engineering vector, but in an e-mail that looked like it actually could've come from Microsoft. The difference was that Swen had an EXE attached to the e-mail, something malware writers have stopped doing, as most e-mail gateways and e-mail clients nowadays will block executable files as a precaution against new malware.