Press Releases

Browse our press release archive

30 May 2006

Bogus Microsoft security warning leads to malware

BeastPWS-C Trojan horse steals passwords from infected users

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a spammed email campaign which claims to be security advice from Microsoft, but actually tries to encourage users to install a keylogger onto their computers.

The spammed emails, which have the subject line "Microsoft WinLogon Service - Vulnerability Issue" and purport to come from, claim that a vulnerability has been found "in the Microsoft WinLogon Service" and could "allow a hacker to gain access to an unpatched computer".

Recipients are advised to click on a link in the email to download the patch. However, the link really points to a non-Microsoft website and initiates the download of the Troj/BeastPWS-C Trojan horse, which is capable of spying on the infected user and stealing passwords.

The spam email claims to come from Microsoft, and includes a malicious link

The spam email claims to come from Microsoft, and includes a malicious link.

When first installed the Trojan horse displays the following bogus message

Microsoft WinLogon Service successfully patched.

but is secretly logging keystrokes and sending them to an email address belonging to the hacker.

"People are slowly learning that Microsoft does not email out security fixes as attachments, but they also need to learn to be careful of blindly clicking on links to download fixes too without checking that the email is legitimate," said Graham Cluley, senior technology consultant at Sophos. "In this case, the hackers made a mistake by referring to 'Microsoft Coorp' rather than 'Microsoft Corp', but its possible that users would miss that typo in their rush to protect themselves."

Sophos recommends that users visit Microsoft's website at for information about Microsoft security patches.

"The hackers are playing a dangerous game, because if Microsoft finds out who is responsible for besmirching their name in this way they are likely to throw the full force of the law at them," continued Cluley. "Security is becoming a hot topic for the software giant, and they don't want malware and spam to sully the company's public image through this kind of criminal activity."

Sophos has been protecting against the Troj/BeastPWS-C Trojan horse since 12:28 GMT, Monday 29 May and has automatically updated customers.

Sophos advises that companies put in place a consolidated solution to defend against viruses, spyware and spam, and ensure that it is automatically updated as new threats emerge.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at