Security news30 March 2007
Grum worm poses as Internet Explorer beta download Beware email which claims to come from Microsoft
Sophos, a world leader in IT security and control, has warned email users of a widespread malicious attack that poses as an invitation from Microsoft to download a beta version of Internet Explorer 7.0.
The emails, which claim to come from admin@microsoft.com and have the subject line "Internet Explorer 7 Downloads", display an image which invites users to download beta 2 of Internet Explorer 7. However, users who click on the image will download a file called ie7.0.exe which is infected by the W32/Grum-A worm.
The spam email pretends to come from Microsoft.
"Worms like this are only succeeding in spreading because so many people have still not learnt to be suspicious of unsolicited emails, even if they claim to come from well-known companies like Microsoft," said Graham Cluley, senior technology consultant for Sophos. "The problem is that to the casual observer the email looks genuine, and the image displayed looks near-identical to the imagery that Microsoft is using on its website to promote Internet Explorer 7.0. Clicking on the image, however, doesn't download the real beta - but malicious code straight from the hackers."
The Grum worm is an appender virus which infects executable files referenced by Run keys in the Windows Registry. When run it copies itself to <Temp>\winlogon.exe and makes changes to the Registry. It also edits the HOSTS file, injecting a thread into system.dll and attempts to patch the system files ntdll.dll and kernel32.dll.
Sophos experts note that this isn't the first time that malware has posed as a download from Microsoft.
"There have been many occasions when virus writers have coded attacks that have presented themselves as communications from Microsoft," continued Cluley. "For instance, in 2003 the Gibe-F worm (also known as Swen) posed as a critical security update from the software giant, and two years ago hackers directed internet users to a bogus website masquerading as Microsoft's update page."
Sophos customers have been protected against the Grum worm since 00:30 GMT on 30 March 2007.
Sophos recommends companies automatically update their corporate virus protection, and run a consolidated solution to defend against viruses, spyware and spam.
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
About Sophos
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.
