New Trojan horse disguised as Blaster worm fix - "Cheap confidence trick", says Sophos

August 15, 2003 Sophos Press Release

Sophos has today updated its anti-virus software to protect against the new Graybird Trojan. Sophos's virus lab has seen an example of the backdoor Trojan horse, which is being deliberately distributed, disguised as a patch for the Microsoft Windows vulnerability, infamously exploited by the currently spreading Blaster worm.

Sophos advises users never to trust security patches that come attached to emails - even if they appear to come from reputable sources. The correct place to download a patch from is the vendor's website. In addition, under no circumstances should users forward this type of message to their friends and colleagues, thinking they are helping them. In the case of patching against the Blaster worm vulnerability, users should visit Microsoft's website at windowsupdate.microsoft.com.

"Packaging Graybird as a Microsoft patch is a very devious trick. Blaster is believed to have infected hundreds of thousands of computers around the world, and this is a deliberate attempt to exploit users' panic," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Never trust unsolicited executable code that arrives via email. Businesses should consider blocking all executable code at the email gateway so it cannot reach their users."