Sophos, a world leader in anti-virus and anti-spam protection
for businesses, has warned that a new Trojan is being sent to users
disguised as an email appearing to come from Microsoft.

The Trojan, known as Troj/Dloader-L,
pretends to come from windowsupdate@microsoft.com with the subject
line "Windows XP Service Pack 1 (Express) - Critical Update". It
contains a long, official-looking message body, claiming that an
unstable application has been detected and that the attached file
should be run in order to replace it.

If the attached file, a Trojan called winxp_sp1.exe, is
launched, it downloads another Trojan, called Troj/Mssvc-A, which is a
remotely configurable distributed denial-of-service Trojan. This
means that once the Mssvc-A Trojan has been installed, the computer
can be controlled by a third party to attack websites whenever it
is connected to the internet, all without the owner's
knowledge.

"We have seen quite a few recent infectors that purport to come
from Microsoft," said Carole Theriault, security consultant for
Sophos. "The Dumaru and Gibe worms, both
mass-mailers that made the top ten viruses reported to Sophos
during 2003, managed to fool many innocent computer users into
believing they were official communications that should be
trusted."

Sophos recommends that companies consider blocking all programs
at their email gateway. It is rarely necessary to allow users to
receive programs via email from the outside world. There is so
little to lose, and so much to gain, simply by blocking all emailed
programs, regardless of whether they contain viruses or not.

"Best practice for business should include automatic blocking of
all executable code at the email gateway," continued Theriault.
"Reputable companies do not send out files in this way, and users
should think twice before they click on unsolicited email
messages."
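
The gateway rule recommended above, sketched as an added example (not Sophos code): it flags any attachment that is a program, by extension or by its MZ header, without trying to identify the malware. The extension list, function names and recipient address are assumptions; the sample messages are constructed, reusing only the sender, subject and file name quoted in this advisory.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions treated as programs; an illustrative list, not a vendor's policy.
PROGRAM_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def blocked_attachments(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for every MIME part that looks like a program."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in PROGRAM_EXTENSIONS:
            hits.append((name, "program extension"))
        elif payload[:2] == b"MZ":  # DOS/PE header: catches renamed executables
            hits.append((name or "(unnamed)", "MZ header"))
    return hits


def gateway_verdict(raw: bytes) -> str:
    """Block on any program, whether or not it is known malware."""
    return "BLOCK" if blocked_attachments(raw) else "DELIVER"


def build_sample(filename: str, data: bytes) -> bytes:
    """Constructed test message using the sender and subject quoted in the advisory."""
    m = EmailMessage()
    m["From"] = "windowsupdate@microsoft.com"
    m["To"] = "user@example.com"  # placeholder recipient
    m["Subject"] = "Windows XP Service Pack 1 (Express) - Critical Update"
    m.set_content("An unstable application has been detected.")
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(gateway_verdict(build_sample("winxp_sp1.exe", b"MZ\x90\x00constructed")))
    print(gateway_verdict(build_sample("readme.dat", b"MZ\x90\x00constructed")))
    print(gateway_verdict(build_sample("notes.dat", b"plain data")))
```

The sender address plays no part in the verdict: the From header is trivially forged, so the rule keys only on what is attached.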

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.