New "upgrade from Microsoft" variant?

Joel Rubin

Hi. I got an "upgrade from Microsoft" from Niftyserve, Japan, today
and NAV on my ISP's server didn't think it was a virus, NAV on my
computer (12/9 definitions, Live Upgrade said not needed) didn't think
upgrade.exe was a virus and I downloaded the newest defs for
f-prot.com and it didn't ID it as a virus. (I'll get today's defs for
NAV in a few hours when they come out.)

Obviously, everyone has seen dozens and maybe hundreds of "upgrades
from Microsoft" ID'ed as viruses by now.

12/15/2004 10:36 AM 24,015 UPGRADE.EXE

There are no obvious "ha ha, you're infected" or packing program
strings. There's "Rich:" between the DOS executable MZ string and the
Win32 executable PE string.
 
Netuser 58

Joel said:
Hi. I got an "upgrade from Microsoft" from Niftyserve, Japan, today
and NAV on my ISP's server didn't think it was a virus, NAV on my
computer (12/9 definitions, Live Upgrade said not needed) didn't think
upgrade.exe was a virus and I downloaded the newest defs for
f-prot.com and it didn't ID it as a virus. (I'll get today's defs for
NAV in a few hours when they come out.)

Obviously, everyone has seen dozens and maybe hundreds of "upgrades
from Microsoft" ID'ed as viruses by now.

12/15/2004 10:36 AM 24,015 UPGRADE.EXE

There are no obvious "ha ha, you're infected" or packing program
strings. There's "Rich:" between the DOS executable MZ string and the
Win32 executable PE string.



The extension on the attachment is NOT exe as the message says.
It is ATT. Add that to your extension list in your AV scanner and it
should pick it up immediately as the Swen worm.

Netuser 58
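
An added example, not part of either post: the reply attributes the miss to the attachment's ATT extension, so this sketch identifies a Windows executable from its content (the MZ header, the PE signature it points to, and the "Rich" marker between them) regardless of the file name. The extension list, the file names and the sample bytes are constructed for illustration.

```python
import struct

# Assumed list of extensions a scanner already treats as executable.
EXECUTABLE_EXTS = {"exe", "dll", "scr", "sys", "cpl"}

def classify_attachment(name: str, data: bytes) -> dict:
    """Identify a Windows PE image by content, ignoring the file name."""
    result = {"name": name, "is_pe": False, "has_rich": False,
              "extension_mismatch": False}
    # DOS header: 'MZ' magic, 64 bytes long, e_lfanew (PE header offset) at 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Bounds-check the offset: it comes from an untrusted file.
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    result["is_pe"] = True
    # The Microsoft linker's "Rich" marker sits between the DOS stub and "PE".
    result["has_rich"] = b"Rich" in data[0x40:e_lfanew]
    # Flag executables whose name would dodge an extension-based scan list.
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    result["extension_mismatch"] = ext not in EXECUTABLE_EXTS
    return result

def build_sample() -> bytes:
    """Constructed, non-functional byte string with the MZ/Rich/PE layout."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)   # e_lfanew = 0x80
    gap = b"\0" * 0x30 + b"Rich" + b"\0" * 12              # fills 0x40..0x7F
    return dos + gap + b"PE\0\0" + b"\0" * 20

if __name__ == "__main__":
    for fname in ("upgrade.att", "upgrade.exe"):
        print(classify_attachment(fname, build_sample()))
```

A file reported with `is_pe` and `extension_mismatch` both true is the case described in the reply: executable content under a name the scanner's extension list does not cover.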
 
