
October 18, 2003

Phantom Menace

Mails from Microsoft with executable attachment are Trojan Horses

This week one of my email accounts has received over 10 separate emails with different subjects, all supposedly sent by Microsoft Corporation. These messages include an executable attachment that's supposedly a cumulative update for Internet Explorer, Outlook and Outlook Express. This genre of message has evolved from a previous mail that supposedly arrived from Citibank NA asking the recipient to confirm their bank account details, including Internet user name and password! Even Krishna Kumar of PC Quest was nearly fooled, until the mail sender's address made him suspicious.

I must admit the social engineering used is quite good. The message body, both for the earlier Citibank version and the current Microsoft variant, doesn't include too many grammatical or spelling mistakes, and a person with an average knowledge of English probably won't notice the oddities of composition. But as a former editor, I still keep a hawk-eye for errors!

The infected messages were sent by MS Corporate Security Division, MS Corporate Security Assistance, Microsoft Program Security Department, Microsoft Network Security Division, Microsoft Corporation Network Security Division, Microsoft Corporation Network Security Center, and Microsoft Corporation Internet Security Division, and were addressed to either MS Customer or Microsoft Customer. The message body read:
this is the latest version of security update, the "October 2003, Cumulative Patch" update which fixes all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as three newly discovered vulnerabilities. Install now to protect your computer from these vulnerabilities. This update includes the functionality of all previously released patches.
This was followed by details on what was patched, formatted much like the company's on-line Security Bulletins.

In addition, the first thing I do for any mail received from hitherto unknown accounts or senders is to process it through my Outlook mail client's Peek add-in (see also Freeloader, April 14, 2003). This separates HTML-formatted mail into the message body, the HTML code, and the mail headers. And I invariably check out the last first. The Citibank mail arrived from a Yahoo ID (since suspended for mail abuse)! The Microsoft mail is sent by a variety of mail servers, many of which appear to be individual computers infected by the Swen worm. Both mails included authentic links to the respective company's web sites. And this most recent one includes attachments with titles like Upgrade7821 and Q126496.

My friend Deepak, in a moment of weakness (or jet lag), actually ran the attachment, crashing his Windows XP-powered laptop. In the end he had to reformat the disk and reinstall the complete operating system! Luckily, just before downloading his mail that fateful day he'd run a company-mandated complete system data backup and was able to recover his data, but mail settings and browser Favorites were gone forever.

In today's very dangerous on-line world, remain at high alert whenever you access the Internet or download your mail and, if possible, check each mailbox twice: once using a simple client like Popcorn or nPop or, better, Mail2web.com, a Web-based mail retrieval service. After reading a mail, delete it completely if it contains a seemingly suspicious attachment.

The problem of fake email is now so acute that Microsoft even has a dedicated page, "How to Tell If a Microsoft Security-Related Message Is Genuine", on the subject. It suggests you verify the digital signature on TechNet, or read the complete list of Security Bulletins issued.
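The header-first check described above can be sketched in a few lines; this is an added example, not code from the original post or from the Peek add-in. The sample message is constructed: the hosts, addresses and the ".exe" extension are assumptions, and triage() is a hypothetical helper name.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample, not a real capture. Hosts, addresses and the ".exe"
# extension are assumptions; sender name and attachment title follow the post.
SAMPLE = """\
Received: from dialup-host.example.net ([192.0.2.44]) by mx.example.org; Sat, 18 Oct 2003 09:12:01 +0530
From: "MS Corporate Security Division" <rqlwzkb@bulletin.example.net>
To: "MS Customer" <customer@example.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>October 2003, Cumulative Patch</body></html>
--b1
Content-Type: application/octet-stream; name="Upgrade7821.exe"
Content-Disposition: attachment; filename="Upgrade7821.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

BRAND_WORDS = {"ms", "microsoft"}      # names the mail claims to come from
BRAND_DOMAIN = "microsoft.com"
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")

def triage(raw):
    # Parse only; nothing in the message is rendered or executed.
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    claims_brand = bool(BRAND_WORDS & set(display.lower().split()))
    on_brand = domain == BRAND_DOMAIN or domain.endswith("." + BRAND_DOMAIN)
    hops = [str(h) for h in msg.get_all("Received", [])]
    executables = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Extension or DOS/PE "MZ" magic: catches renamed executables too.
        if name.lower().endswith(EXEC_EXT) or data[:2] == b"MZ":
            executables.append(name)
    return {
        "sender_domain": domain,
        "brand_mismatch": claims_brand and not on_brand,
        "origin_hop": hops[-1] if hops else "",  # earliest relay is listed last
        "executables": executables,
    }
```

A From address on the expected domain proves nothing by itself, since that header is trivially forged; the signature check Microsoft's page recommends still applies.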
A new buffer overflow vulnerability has been discovered in Windows Messenger Services and affects Windows NT/2000/XP desktops and servers. It allows a remote attacker local system (administrative) privileges that may result in complete system compromise, and can also cause the Messenger Service to fail. To check if your computer too is vulnerable, security vendor eEye has released a free scanner. More information may be found in the Microsoft Security Bulletin MS03-043.

I haven't been doing much software testing this week, although the good news is that Opera 7.21 is finally available, as is the new Mozilla Firebird 7. But oh how I wish they'd change the name, it's a mouthful! Winamp 5 beta (4.8 MB, Windows, free) has also just been announced. It runs blazingly fast and is better than earlier versions, especially Winamp 3, which was a real loser. New features include support for Winamp Classic and Modern skins, an improved Library to browse music and videos while allowing access to Internet Radio and TV stations, CD file ripping and an ability to burn your favorite tunes to a CD.

Elsewhere, Apple's immensely popular music download service, iTunes, is now available for Windows too. But the platform appears not without flaws. For the moment iPod users can't access other services and are limited to Apple's Music Store catalog. And combining the latter with iTunes blocks out the many different Windows Media-compatible portable music devices too!

Hasta Manana!