Grum worm poses as Internet Explorer beta download

Sophos Press Release

Beware email which claims to come from Microsoft

Sophos, a world leader in IT security and control, has warned email users of a widespread malicious attack that poses as an invitation from Microsoft to download a beta version of Internet Explorer 7.0.

The emails, which claim to come from and have the subject line "Internet Explorer 7 Downloads", display an image which invites users to download beta 2 of Internet Explorer 7. However, users who click on the image will download a file called ie7.0.exe which is infected by the W32/Grum-A worm.

The spam email pretends to come from Microsoft
The spam email pretends to come from Microsoft.

"Worms like this are only succeeding in spreading because so many people have still not learnt to be suspicious of unsolicited emails, even if they claim to come from well-known companies like Microsoft," said Graham Cluley, senior technology consultant for Sophos. "The problem is that to the casual observer the email looks genuine, and the image displayed looks near-identical to the imagery that Microsoft is using on its website to promote Internet Explorer 7.0. Clicking on the image, however, doesn't download the real beta - but malicious code straight from the hackers."

The Grum worm is an appender virus which infects executable files referenced by Run keys in the Windows Registry. When run it copies itself to <Temp>\winlogon.exe and makes changes to the Registry. It also edits the HOSTS file, injecting a thread into system.dll and attempts to patch the system files ntdll.dll and kernel32.dll.

Sophos experts note that this isn't the first time that malware has posed as a download from Microsoft.

"There have been many occasions when virus writers have coded attacks that have presented themselves as communications from Microsoft," continued Cluley. "For instance, in 2003 the Gibe-F worm (also known as Swen) posed as a critical security update from the software giant, and two years ago hackers directed internet users to a bogus website masquerading as Microsoft's update page."

Sophos customers have been protected against the Grum worm since 00:30 GMT on 30 March 2007.

Sophos recommends companies automatically update their corporate virus protection, and run a consolidated solution to defend against viruses, spyware and spam.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at