E-mail worm poses as Microsoft invitation


Antony Savvas

E-mail users are being warned of a widespread malicious attack that poses as an invitation from Microsoft to download a beta version of Internet Explorer 7.0.

The emails, which claim to come from admin@microsoft.com and have the subject line "Internet Explorer 7 Downloads", display an image which invites users to download beta 2 of Internet Explorer 7. 

However, users who click on the image will download a file called ie7.0.exe which is infected by the Grum-A worm. Users who download the worm risk losing data and leaving their machines open to hackers.

"Worms like this are only succeeding in spreading because so many people have still not learned to be suspicious of unsolicited emails, even if they claim to come from well-known companies like Microsoft," said Graham Cluley, senior technology consultant at internet security software firm Sophos.

He said, "The problem is that to the casual observer the e-mail looks genuine, and the image displayed looks near-identical to the imagery that Microsoft is using on its website to promote Internet Explorer 7.0."

Clicking on the image, however, doesn't download the real beta, but malicious code straight from the hackers.

The Grum worm is an appender virus which infects executable files referenced by Run keys in the Windows Registry. 

When run, it copies itself to \winlogon.exe and makes changes to the Registry. It also edits the Hosts file, injects a thread into system.dll, and attempts to patch the system files ntdll.dll and kernel32.dll.
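The persistence and tampering behaviour described above (Run-key entries, a winlogon.exe copy outside the system directories, Hosts-file edits) is the kind of thing a defender can triage offline from collected artefacts. The following is an added example, not code from the article or from Sophos; the Run-key entries are assumed to be supplied as (value name, command) pairs already read from the registry, and the hosts text, watch-list domains and entries are constructed sample data.

```python
"""Triage checks for Run-key persistence, a misplaced winlogon.exe and Hosts tampering.
Added example; Run-key entries arrive as (value_name, command) pairs, sample data is constructed."""
import ntpath
import re

WATCHED_DOMAINS = {"microsoft.com", "sophos.com"}   # assumed watch-list; extend as needed
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}          # legitimate hosts-file targets
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_NAMES = {"winlogon.exe"}                      # names a dropped copy may borrow

def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that map a watched domain to a non-loopback address."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()        # strip comments, tokenise
        if len(fields) < 2 or fields[0] in LOOPBACK:
            continue
        for name in fields[1:]:
            name = name.lower()
            if any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS):
                hits.append((fields[0], name))
    return hits

def executable_path(command):
    """Program path from a Run-key command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def suspicious_run_entries(entries):
    """Flag Run-key programs sitting in a drive root, or named like a system
    binary while living outside the system directories."""
    hits = []
    for value_name, command in entries:
        folder, filename = ntpath.split(ntpath.normpath(executable_path(command)).lower())
        at_drive_root = re.fullmatch(r"[a-z]:\\?", folder) is not None
        masquerading = filename in SYSTEM_NAMES and folder not in SYSTEM_DIRS
        if at_drive_root or masquerading:
            hits.append((value_name, ntpath.join(folder, filename)))
    return hits

SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
198.51.100.7 www.microsoft.com   # vendor site redirected away from its real address
"""
SAMPLE_RUN_ENTRIES = [  # constructed; (value name, command) as read from a Run key
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("WinLogon", r"C:\winlogon.exe"),
]

if __name__ == "__main__":
    print(suspicious_hosts_entries(SAMPLE_HOSTS), suspicious_run_entries(SAMPLE_RUN_ENTRIES))
```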
