http://www.maximumpc.com/tags/fake_email used for category lists, takes arguments en http://www.maximumpc.com/article/news/fake_microsoft_security_update_email_includes_haxdoor_trojan <!--paging_filter--><div style="text-align: center"><img src="/files/u21826/header-Haxdoor-remove.png" alt="Haxdoor Trojan's again on the loose - thanks to a fake security email" width="410" height="179" /></div> <p>I know it, you know it, almost everybody that reads <strong>Maximum PC</strong> knows it - but that doesn't mean that your family, your co-workers, or your bosses know it. What's it? Simply this: <em>Microsoft never - repeat <strong>never</strong> - sends out security updates via email.</em></p> <p><strong>Cnet</strong> <a href="http://news.cnet.com/8301-1009_3-10066541-83.html">reports</a> that yet another fake security email purporting to be from Microsoft is busy delivering <a href="http://www.microsoft.com/security/portal/Entry.aspx?Name=Backdoor%3aWin32%2fHaxdoor">a nasty Trojan called Haxdoor</a> to unwary emailboxes near you.</p> <p>The email, ironically enough, claims that &quot;Since public distribution of this Update through the official website <a href="http://www.microsoft.com/">http://www.microsoft.com</a> would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.&quot; And, it's signed &quot;Steve Lipner, Directory of Security Assurance, Microsoft Corp.&quot; </p> <p>Well, at least the bad guys got Steve's name right. However, he's actually senior director of security engineering strategy in Microsoft’s Trustworthy Computing Group, <a href="http://www.microsoft.com/presspass/features/2008/sep08/09-16lipnersdl.mspx">according to a recent interview</a>. </p> <p>The message (minus the Trojan, of course), is <a href="http://blogs.technet.com/mmpc/archive/2008/10/13/email-scam-targets-microsoft-customers.aspx">available</a> at the Microsoft Malware Protection Center blog, where you can see for yourself the classic hallmarks of a fake message: a shaky command of the English language, sentence construction that's so stiff it looks as if it belongs on a Victorian-era calling card, and off-the-wall sentiments that show it was adapted from a different con job document: &quot;<em>We apologize for any inconvenience this back order may be causing you.</em>&quot; Back order? Whaat? I didn't order any malware!</p> <p>If you've been called in by baffled family, friends, or co-workers only after Haxdoor's done its work (system slowdowns, popup ads and other nasty business are typical symptoms), check these links for help:</p> <ul> <li><a href="http://www.microsoft.com/security/portal/Entry.aspx?Name=Backdoor%3aWin32%2fHaxdoor">Microsoft Malware Protection Center writeup</a> </li> <li><a href="http://www.f-secure.com/v-descs/haxdoor.shtml">F-Secure writeup</a></li> <li><a href="http://www.symantec.com/security_response/writeup.jsp?docid=2006-072413-3859-99">Symantec writeup</a> and <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2007-011109-2557-99">free removal tool</a></li> <li><a href="http://research.sunbelt-software.com/threatdisplay.aspx?name=Haxdoor.Fam&amp;threatid=44159">Sunbelt Software writeup</a></li> <li><a href="http://www.sophos.com/security/analyses/trojhaxdoorin.html">Sophos Software writeup</a></li> </ul> <p>After you solve the problem, remind them: <em>Microsoft never - repeat <strong>never </strong>- sends out security updates via email</em>.</p> <p>Know somebody who's been hexed by Haxdoor? Have a clever way to get rid of it? Seen other recent examples of Haxdoor fakery? Hit Comment and share your stories.</p> http://www.maximumpc.com/article/news/fake_microsoft_security_update_email_includes_haxdoor_trojan#comments News Windows fake email Haxdoor malware microsoft Security social engineering Trojan Thu, 16 Oct 2008 16:07:25 -0500 Mark Edward Soper 3903 at http://www.maximumpc.com http://www.maximumpc.com/article/fake_microsoft_update_email_can_ruin_your_evening_stop_it_now <!--paging_filter--><h4>Heed This &quot;Warning&quot; - And You'll Be Sorry</h4> <p>Security vendor Sunbelt Software's blog reports that a fake warning to &quot;update your P.C. in maximum 12 hours otherwise your Windows will be Expired&quot; is making the email rounds. While the message (visible <a href="http://sunbeltblog.blogspot.com/2008/01/fake-ms-update.html">here</a>) has all of the earmarks of a fake (including broken English), it might convince some technical novices that they'd better get clicking. If they do click, what happens? They download <a href="http://research.sunbelt-software.com/threatdisplay.aspx?name=IRC.Backdoor.Trojan&amp;threatid=45277">IRC.Backdoor.Trojan</a>, an old threat that can still take over a system. It's disguised as <b>updateWindows.exe</b>. You can learn more about how it works by reading PacketShack.org's <a href="http://www.packetshack.org/index.php?page=fDDoS">analysis</a>. </p> <h4>Removing IRC.Backdoor.Trojan</h4> <p> There are a large number of variants of this nasty bit of malware, as this <a href="http://www.tek-tips.com/viewthread.cfm?qid=1431507&amp;page=1">Tek-Tips thread</a> suggests. It also goes by <a href="http://www.sunbelt-software.com/ihs/alex/vt21888123888.pdf">many different names</a> depending upon the antivirus vendor, including Win32.HackTool (eSafe), Backdoor.IRC.Zapchast (F-Secure and Kaspersky), Riskware.HideWindow.B (Webwasher-Gateway), and many others (link requries a PDF reader). Some antivirus programs may have difficulty removing it. </p> <p> If you're working on an infected computer and can't get rid of it, one Tek-Tips poster recommends using the free <a href="http://support.f-secure.com/enu/home/ols.shtml">F-Secure online scanner</a>. You must use IE6 or IE7 with ActiveX enabled to use the F-Secure scanner, and it runs on Windows XP or 2000 (a beta version is available for Windows Vista users). </p> <h4>What Not to Click </h4> <p> Tired of fixing virus and malware infections? Remind your family, friends, co-workers (and anybody else who thinks you're a technology genius) of the rules for staying out of trouble online: </p> <ul> <li><b>Don't </b>click links purporting to come from PayPal, eBay, or your local bank or credit union</li> <li><b>Always </b>log into Windows Update, e-commerce and similar sites manually</li> <li><b>Hover </b>the mouse over links in an email or web page to find out where it will really take you</li> <li><b>Ignore</b> logos and artwork when attempting to determine if an email or website is legit - they're easily stolen and reused</li> </ul> <p> These can be summarized in one rule: <a href="/article/safer_browsing">Think before you click!</a> </p> http://www.maximumpc.com/article/fake_microsoft_update_email_can_ruin_your_evening_stop_it_now#comments News Windows antimalware antivirus fake email malware news Software sunbelt Trojan Horse virus windows XSS Tue, 22 Jan 2008 21:25:52 -0600 Mark Soper 1821 at http://www.maximumpc.com