Microsoft security bulletin?


Snowsquall

I got an email the other day from Microsoft citing a vulnerability in Plug
and Play.
But Microsoft *does not send emails*!
I carefully downloaded the file and immediately sent it to Virus Total.
The results:
AntiVir 6.33.0.61 12.09.2005 TR/Luhn
Avast 4.6.695.0 12.09.2005 no virus found
AVG 718 12.08.2005 no virus found
Avira 6.33.0.61 12.09.2005 TR/Luhn
BitDefender 7.2 12.09.2005 Trojan.Spy.Luhn.A
CAT-QuickHeal 8.00 12.08.2005 TrojanSpy.Luhn.a
ClamAV devel-20051108 12.08.2005 Trojan.Spy.W32.Luhn
DrWeb 4.33 12.09.2005 Trojan.Sklog
eTrust-Iris 7.1.194.0 12.09.2005 Win32/Luhn!Spy!Dropper
eTrust-Vet 11.9.1.0 12.09.2005 Win32.Luhn.A
Fortinet 2.54.0.0 12.09.2005 Spy/Luhn
F-Prot 3.16c 12.07.2005 security risk or a "backdoor" program
Ikarus 0.2.59.0 12.09.2005 no virus found
Kaspersky 4.0.2.24 12.09.2005 Trojan-Spy.Win32.Luhn.a
McAfee 4646 12.08.2005 no virus found
NOD32v2 1.1316 12.08.2005 no virus found
Norman 5.70.10 12.09.2005 no virus found
Panda 8.02.00 12.08.2005 no virus found
Sophos 4.00.0 12.09.2005 Troj/Dropper-BV
Symantec 8.0 12.07.2005 no virus found
TheHacker 5.9.1.052 12.09.2005 no virus found
VBA32 3.10.5 12.09.2005 Trojan-Spy.Win32.Luhn.a

The moral of the story:

Microsoft *never* sends security updates via email.

*Always* go through the Windows Update website and look for critical updates
there.

*Do not follow links* on unsolicited emails unless you know how *not* to run
them.
 

David H. Lipman

From: "Snowsquall" <[email protected]>

| I got an email the other day from Microsoft citing a vulnerability in Plug
| and Play.
| But Microsoft *does not send emails*!
| I carefully downloaded the file and immediately sent it to Virus Total.

< snip >

Did you receive my email?
 

Snowsquall

David H. Lipman said:
From: "Snowsquall" <[email protected]>

| I got an email the other day from Microsoft citing a vulnerability in
Plug
| and Play.
| But Microsoft *does not send emails*!
| I carefully downloaded the file and immediately sent it to Virus Total.

< snip >

Did you receive my email?

No, I have not got the email as of yet.
But please note I downloaded it but _did_not_run_it_.
I was suspicious and curious to see what it was.
But I put up the warning so others will not "forget" and think it was a
genuine email.
 

Dustin Cook

Snowsquall said:
I got an email the other day from Microsoft citing a vulnerability in Plug
and Play.
But Microsoft *does not send emails*!
I carefully downloaded the file and immediately sent it to Virus Total.
The results:
AntiVir 6.33.0.61 12.09.2005 TR/Luhn

I think BugHunter already detects this... I'm not sure... Would you mind
sending a sample my way as well?

Regards,
Dustin Cook
http://bughunter.atspace.org
 

David H. Lipman

From: "Snowsquall" <[email protected]>

| I got an email the other day from Microsoft citing a vulnerability in Plug
| and Play.
| But Microsoft *does not send emails*!
| I carefully downloaded the file and immediately sent it to Virus Total.
| The results:

< snip >

After researching this a bit, I find that the only reports in newsgroups seem to come from
posters who have a sympatico.ca email domain.
 

Heather

David H. Lipman said:
From: "Snowsquall" <[email protected]>

| I got an email the other day from Microsoft citing a vulnerability in
Plug
| and Play.
| But Microsoft *does not send emails*!
| I carefully downloaded the file and immediately sent it to Virus Total.
| The results:

< snip >

After researching this a bit, I find that the only reports in newsgroups
seem to come from posters who have a sympatico.ca email domain.

Good... that is a mainly Toronto ISP (Bell Canada), as is mine. And I
haven't seen a Microsoft virus in my spam folder. But that is an old
dodge... haven't seen one for eons.

Heather
 

Max Wachtel

(e-mail address removed) AKA Snowsquall on 12/9/2005 in
I got an email the other day from Microsoft citing a vulnerability in
Plug and Play. But Microsoft *does not send emails*!
I carefully downloaded the file and immediately sent it to Virus
Total. The results:
snipped
The moral of the story:
Microsoft *never* sends security updates via email.
*Always* go through the Windows Update website and look for critical
updates there.
*Do not follow links* on unsolicited emails unless you know how not
to run them.
******************Reply Separator*************************

Here are links for M$ security e-mails
http://www.microsoft.com/technet/security/bulletin/notify.mspx
http://www.microsoft.com/technet/security/secnews/default.mspx
"If you receive an e-mail that claims to be distributing a
Microsoft security update, it is a hoax that may be distributing a
virus. Microsoft does not distribute security updates via e-mail.
You can learn more about Microsoft's software distribution
policies here:"
http://www.microsoft.com/technet/security/topics/policy/swdist.mspx

NEVER download files from anywhere unless it is from the website of the
developer, manufacturer or some entity you trust. The developers'
websites ALWAYS have the most up-to-date files that haven't been
tampered with by some third party who is "hosting" (read: leeching or
stealing) those files without permission.

max
--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
Keeping Windows Clean: http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help: http://home.neo.rr.com/manna4u/tools.html
Specific Fixes: http://home.neo.rr.com/manna4u/fixes.html
Playing Nice on Usenet: http://oakroadsystems.com/genl/unice.htm#xpost
To reply by e-mail change nomail.afraid.org to gmail.com
nomail.afraid.org is setup specifically for use in USENET
feel free to use it yourself. Registered Linux User #393236
 

Dave

But I put up the warning so others will not "forget" and think it was a
genuine email.

I never ever open e-mail from an address/someone I do not know or
don't recognise. Anything from Micro$oft I delete at the server end as
a matter of principle. If I have to correspond with someone whom I
have never met or I don't trust, I set up a dial-up e-mail account for
them. Any hanky-panky and I know where it is coming from.

This probably won't help.
 

Norman L. DeForest

From: "Snowsquall" <[email protected]>

| I got an email the other day from Microsoft citing a vulnerability in Plug
| and Play.
| But Microsoft *does not send emails*!
| I carefully downloaded the file and immediately sent it to Virus Total.
| The results:

< snip >

After researching this a bit, I find that the only reports in newsgroups seem to come from
posters who have a sympatico.ca email domain.

I got one like that and I'm not on Sympatico. The URL used an IP address
instead of a hostname and the target computer apparently hosts more than
one domain.

Using http://IPAddress/~username/filename.pif (appropriate munging
added for posting) as given in the email, I got a "403 Access Forbidden"
error. Trying http://IPAddress/~username/ also gave me a "403"
message. Trying the IP address alone, http://IPAddress/ gave me a
page that informed me that the server hosts more than one domain and
that I should use the appropriate hostname to access the site I want.

Whatever the email was pushing, it almost certainly was malware but
the sender screwed up as far as that host was concerned.
 

David H. Lipman

|
| I got one like that and I'm not on Sympatico. The URL used an IP address
| instead of a hostname and the target computer apparently hosts more than
| one domain.
|
| Using http://IPAddress/~username/filename.pif (appropriate munging
| added for posting) as given in the email, I got a "403 Access Forbidden"
| error. Trying http://IPAddress/~username/ also gave me a "403"
| message. Trying the IP address alone, http://IPAddress/ gave me a
| page that informed me that the server hosts more than one domain and
| that I should use the appropriate hostname to access the site I want.
|
| Whatever the email was pushing, it almost certainly was malware but
| the sender screwed up as far as that host was concerned.
|

Hi Norman:

OK, so you are not on Sympatico.
However, assuming it is the same infector, it still has a pattern of all Canadian
recipients so far.

Did it contain the following text?

Microsoft Security Bulletin MS05-039
Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation
of Privilege (899588)
Summary:
Who should receive this document: Customers who use Microsoft Windows
Impact of Vulnerability: Remote Code Execution and Local Elevation of Privilege
Maximum Severity Rating: CRITICAL
Recommendation: Customers should apply the update immediately.
Security Update Replacement: None
Caveats: None
Tested Software and Security Update Download Locations:

And with the following attachment?
Windows-KB899588-x86-ENU.exe
 

Norman L. DeForest

From: "Norman L. DeForest" <[email protected]>


|
| I got one like that and I'm not on Sympatico. The URL used an IP address
| instead of a hostname and the target computer apparently hosts more than
| one domain.
|
| Using http://IPAddress/~username/filename.pif (appropriate munging
| added for posting) as given in the email, I got a "403 Access Forbidden"
| error. Trying http://IPAddress/~username/ also gave me a "403"
| message. Trying the IP address alone, http://IPAddress/ gave me a
| page that informed me that the server hosts more than one domain and
| that I should use the appropriate hostname to access the site I want.
|
| Whatever the email was pushing, it almost certainly was malware but
| the sender screwed up as far as that host was concerned.
|

Hi Norman:

OK, so you are not on Sympatico.
However, assuming it is the same infector, it still has a pattern of all Canadian
recipients so far.

Did it contain the following text?

Microsoft Security Bulletin MS05-039
Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation
of Privilege (899588)
Summary:
Who should receive this document: Customers who use Microsoft Windows
Impact of Vulnerability: Remote Code Execution and Local Elevation of Privilege
Maximum Severity Rating: CRITICAL
Recommendation: Customers should apply the update immediately.
Security Update Replacement: None
Caveats: None
Tested Software and Security Update Download Locations:

And with the following attachment?
Windows-KB899588-x86-ENU.exe

No, mine was different.

However, someone else at my ISP got such a notice with a URL pointing to
a file by that name (not including it as an attachment) and asked me if it
was malware. I downloaded the file (changing the name to ENU.XEX so it
wouldn't be executable) and scanned it with F-Prot. F-Prot didn't
identify it by name but reported it as (in F-Prot's words):
a security risk or a "backdoor" program

Quoting part of his message with his username [snip]ped and the IP address
in the spam replaced by "aa.bb.cc.dd" to avoid pointing to it:

: Is this a scam?
:
: ---------- Forwarded message ----------
: Received: from lich.chebucto.ns.Ca ([192.75.95.79]:35542 "EHLO
: lich.chebucto.ns.Ca" smtp-auth: <none> TLS-CIPHER: <none> TLS-PEER-CN1:
: <none>) by halifax.chebucto.ns.ca with ESMTP id S13872AbVLGAjn
: (ORCPT <rfc822;[snip]@chebucto.ns.ca>);
: Tue, 6 Dec 2005 20:39:43 -0400
: Received: from 240.Red-213-96-252.staticIP.rima-tde.net ([213.96.252.240]:45577
: "EHLO Santoxt.rrn.es") by lich.chebucto.ns.Ca with ESMTP
: id <S863436AbVLGAjd>; Tue, 6 Dec 2005 20:39:33 -0400
: Received: by Santoxt.rrn.es (Postfix, from userid 0)
: id 077A91623F; Mon, 5 Dec 2005 18:08:38 +0100 (CET)
: content-type: text/html
: Subject: Critical security update available
: From: Microsoft Windows Updates <[email protected]>
: To: [snip]@chebucto.ns.ca
: Message-Id: <[email protected]>
: Date: Mon, 5 Dec 2005 18:08:38 +0100 (CET)
: X-MailScanner: Found to be clean
: X-Is-Spam: Yes, SpamAssassin (score=5.311, required 5, BAYES_50 1.57,
: DATE_IN_PAST_24_48 0.88, HELO_DYNAMIC_SPLIT_IP 2.19, HTML_40_50 0.50,
: HTML_MESSAGE 0.00, MIME_HEADER_CTYPE_ONLY 0.00, MIME_HTML_ONLY 0.00,
: NORMAL_HTTP_TO_IP 0.17)
: X-MailScanner-SpamScore: sssss
: X-MailScanner-From: (e-mail address removed)
: X-MailScanner-To: [snip]@chebucto.ns.ca
: Return-Path: <[email protected]>
:
:
: <html>
:
: <head>
:
: <title>Microsoft Security Bulletin MS05</title>
:
: </head>
:
: <body>
:
: <h2>Microsoft Security Bulletin MS05-039</h2>
:
: <h3 class="subtitle">Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)</h3>
:
: <h4>Summary:</h4>
:
: <b>Who should receive this document:</b> Customers who use Microsoft Windows<br>
:
: <b>Impact of Vulnerability:</b> Remote Code Execution and Local Elevation of Privilege<br>
:
: <b>Maximum Severity Rating: </b><b>CRITICAL</b><br>
:
: <b>Recommendation: </b>Customers should apply the update immediately.<br>
:
: <b>Security Update Replacement: </b>None<br>
:
: <b>Caveats: </b>None<br>
:
: <b>Tested Software and Security Update Download Locations:</b><br><br>
:
: <b>Affected Software:</b></p>
:
:
:
: <table cellspacing="0" cellpadding="0" border="0"><tr>
:
:
:
: <td class="listBullet" valign="top">•</td><td class="listItem">
:
: <p>Microsoft Windows 2000 Service Pack 4 –
:
: <a href="http://aa.bb.cc.dd/Windows-KB899588-x86-ENU.exe"><font color="red"><b>MailScanner has detected a possible fraud attempt from "aa.bb.cc.dd" claiming to be</b></font> Download the update</a></p></td></tr><tr>
:
: <td class="listBullet" valign="top">•</td><td class="listItem">
:
: <p>Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 –
:
: <a href="http://aa.bb.cc.dd/Windows-KB899588-x86-ENU.exe"><font color="red"><b>MailScanner has detected a possible fraud attempt from "aa.bb.cc.dd" claiming to be</b></font> Download the update</a></p></td></tr>
:
: <tr><td class="listBullet" valign="top">•</td><td class="listItem">
:
: <p>Microsoft Windows XP Professional x64 Edition –
:
: <a href="http://aa.bb.cc.dd/Windows-KB899588-x86-ENU.exe"><font color="red"><b>MailScanner has detected a possible fraud attempt from "aa.bb.cc.dd" claiming to be</b></font> Download the update</a></p></td></tr><tr>
:
: <td class="listBullet" valign="top">•</td><td class="listItem">
:
: <p>Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 –
:
: <a href="http://aa.bb.cc.dd/Windows-KB899588-x86-ENU.exe"><font color="red"><b>MailScanner has detected a possible fraud attempt from "aa.bb.cc.dd" claiming to be</b></font> Download the update</a></p></td></tr><tr>
:
: <td class="listBullet" valign="top">•</td><td class="listItem">
:
: <p>Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems –
:
: <a href="http://aa.bb.cc.dd/Windows-KB899588-x86-ENU.exe"><font color="red"><b>MailScanner has detected a possible fraud attempt from "aa.bb.cc.dd" claiming to be</b></font> Download the update</a></p></td></tr><tr>
:
: <td class="listBullet" valign="top">•</td><td class="listItem">
:
: <p>Microsoft Windows Server 2003 x64 Edition –
:
: <a href="http://aa.bb.cc.dd/Windows-KB899588-x86-ENU.exe"><font color="red"><b>MailScanner has detected a possible fraud attempt from "aa.bb.cc.dd" claiming to be</b></font> Download the update</a></p></td></tr></table><p>
:
:
:
: <b>Non-Affected Software:</b></p><table cellspacing="0" cellpadding="0" border="0"><tr>
:
:
:
: <td class="listBullet" valign="top">•</td><td class="listItem">
:
: <p>Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)</p></td></tr></table>
:
:
:
: <div class="expandoIndent"><p><b>Executive Summary:</b></p>
:
:
:
: <p>This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in Plug and Play (PnP) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
:
:
:
: <p><b>Conclusion: We recommend that customers apply the update immediately.</b><br><br>
:
:
:
: <span dir="ltr">© 2005 Microsoft Corporation. All rights reserved.&nbsp;</span><nobr>
:
: <a href="http://www.microsoft.com/info/cpyright.mspx">Terms of Use</a> |</nobr><wbr /><nobr>
:
: <a href="http://www.microsoft.com/library/toolbar/3.0/trademarks/en-us.mspx">Trademarks</a> |</nobr><wbr /><nobr>
:
: <a href="http://www.microsoft.com/info/privacy.mspx">Privacy Statement</a></nobr></div></td>
:
: </body>
:
: </html>
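The message Norman quoted above carries the three indicators the thread keeps circling: a From: line claiming a Microsoft address while the Received: chain never touches a Microsoft host, a "Download the update" link whose host is a bare IP address (the SpamAssassin NORMAL_HTTP_TO_IP rule visible in the headers), and that link pointing at an .exe. The following triage script is an added example and is not code from the thread or from any of the posters. It runs against a constructed, abridged copy of that message: the spam host the poster masked as "aa.bb.cc.dd" is replaced here by the RFC 5737 documentation address 192.0.2.10, the sender and recipient addresses are made up, and the Received-chain check is a heuristic of mine rather than anything the thread describes.

```python
"""Triage a suspected fake "security bulletin" e-mail for the indicators the
thread discusses. Added example; not code from the thread or its posters."""
import email
import ipaddress
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows runs directly; .exe and .pif are the two the thread saw.
EXECUTABLE_SUFFIXES = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")

# Constructed sample, abridged from the message quoted in the thread. The spam
# host ("aa.bb.cc.dd" in the post) is stood in for by the RFC 5737 documentation
# address 192.0.2.10; the sender and recipient addresses are made up.
SAMPLE_EMAIL = """\
Received: from 240.Red-213-96-252.staticIP.rima-tde.net ([213.96.252.240]:45577 "EHLO Santoxt.rrn.es") by lich.chebucto.ns.Ca with ESMTP; Tue, 6 Dec 2005 20:39:33 -0400
Received: by Santoxt.rrn.es (Postfix, from userid 0) id 077A91623F; Mon, 5 Dec 2005 18:08:38 +0100 (CET)
Content-Type: text/html
Subject: Critical security update available
From: Microsoft Windows Updates <updates@microsoft.com>
To: recipient@example.invalid
Date: Mon, 5 Dec 2005 18:08:38 +0100 (CET)

<html><body>
<h2>Microsoft Security Bulletin MS05-039</h2>
<p>Microsoft Windows XP Service Pack 2 -
<a href="http://192.0.2.10/Windows-KB899588-x86-ENU.exe">Download the update</a></p>
<a href="http://www.microsoft.com/info/privacy.mspx">Privacy Statement</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect every href from the <a> tags of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def is_ip_literal(host):
    """True when a URL's host part is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_suffix(domain):
    """Last two labels of a name (e.g. microsoft.com); crude but enough here."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def triage(raw_message):
    """Return a list of (indicator, detail) pairs found in the raw message."""
    msg = email.message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    claimed_domain = sender.partition("@")[2].lower()
    findings = []

    # Heuristic: a notice really sent by the vendor normally passes through a
    # host in the vendor's domain; a forged From: leaves no such trace.
    delivery_path = " ".join(msg.get_all("Received") or []).lower()
    if claimed_domain and registrable_suffix(claimed_domain) not in delivery_path:
        findings.append(("sender-domain-absent-from-received-chain", claimed_domain))

    collector = LinkCollector()
    collector.feed(msg.get_payload())  # single-part text/html body
    for url in collector.links:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if is_ip_literal(host):
            findings.append(("link-to-ip-literal", url))
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(("link-to-executable", url))
            if claimed_domain and registrable_suffix(host) != registrable_suffix(claimed_domain):
                findings.append(("executable-off-sender-domain", url))
    return findings


def verdict(findings):
    """One-word summary for a mail-gateway rule or a ticket title."""
    return "suspicious" if findings else "no indicators found"


if __name__ == "__main__":
    results = triage(SAMPLE_EMAIL)
    for indicator, detail in results:
        print(f"{indicator}: {detail}")
    print(verdict(results))
```

The legitimate-looking footer link to www.microsoft.com produces no finding, which is the point of checking per link rather than per message: the forged bulletin mixes real vendor links with the one that matters. None of these checks requires fetching the URL, so the triage can run at the gateway without touching the attacker's host, unlike the 403 probing Norman describes.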
 
