
13 January 2004

Dloader-L disguises itself as an email from Microsoft, Sophos advises

Sophos, a world leader in anti-virus and anti-spam protection for businesses, has warned that a new Trojan is being sent to users disguised as an email appearing to come from Microsoft.

The Trojan, known as Troj/Dloader-L, pretends to come from windowsupdate@microsoft.com with the subject line "Windows XP Service Pack 1 (Express) - Critical Update". It contains a long, official-looking message body, claiming that an unstable application has been detected and that the attached file should be run in order to replace it.

If the attached file, a Trojan called winxp_sp1.exe, is launched, it downloads another Trojan, called Troj/Mssvc-A, which is a remotely configurable distributed denial-of-service Trojan. This means that once Mssvc-A has been installed, the computer can be controlled by a third party to attack websites whenever it is connected to the internet, all without the owner's knowledge.

"We have seen quite a few recent infectors that purport to come from Microsoft," said Carole Theriault, security consultant for Sophos. "The Dumaru and Gibe worms, both mass-mailers that made the top ten viruses reported to Sophos during 2003, managed to fool many innocent computer users into believing they were official communications that should be trusted."

Sophos recommends that companies consider blocking all programs at their email gateway. It is rarely necessary to allow users to receive programs via email from the outside world. There is so little to lose, and so much to gain simply by blocking all emailed programs, regardless of whether they contain viruses or not.

"Best practice for business should include automatic blocking of all executable code at the email gateway," continued Theriault. "Reputable companies do not send out files in this way, and users should think twice before they click on unsolicited email messages."
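The gateway rule recommended above, as an added illustration that is not Sophos's own code: a message modelled on the described lure (sender, subject and attachment name taken from this release; the body text and attachment bytes are constructed placeholders, not the Trojan) is parsed, and any attachment that is a program by name or by content is blocked regardless of whether it matches a known virus.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions a gateway treats as executable code (assumed list, not from the release).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

def build_message(filename: str, data: bytes, maintype: str = "application",
                  subtype: str = "octet-stream") -> bytes:
    """Constructed sample: headers mimic the Dloader-L lure; the attachment is whatever the caller passes."""
    msg = EmailMessage()
    msg["From"] = "windowsupdate@microsoft.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Windows XP Service Pack 1 (Express) - Critical Update"
    msg.set_content("An unstable application has been detected. Run the attached file to replace it.")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return bytes(msg)

def is_executable(part) -> bool:
    """Flag a part as a program by its file name or by the DOS/PE 'MZ' magic at the start of its bytes."""
    name = (part.get_filename() or "").lower()
    by_name = any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)
    payload = part.get_payload(decode=True) or b""
    by_magic = payload[:2] == b"MZ"  # catches executables renamed to a harmless extension
    return by_name or by_magic

def gateway_verdict(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report which attachments the gateway would block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    blocked = [p.get_filename() for p in msg.iter_attachments() if is_executable(p)]
    return {"block": bool(blocked), "attachments": blocked, "sender": msg["From"]}

if __name__ == "__main__":
    # Placeholder PE header: 'MZ' plus filler bytes, no real executable content.
    lure = build_message("winxp_sp1.exe", b"MZ" + b"\x00" * 62)
    print(gateway_verdict(lure))
```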
