Fake MS Security Bulletin -> Malicious Browser Add-On

2007-06-08, 14:18

- http://isc.sans.org/diary.html?storyid=2946
Last Updated: 2007-06-08 03:51:23 UTC ~ "... Email message that claims to be a Microsoft Security Bulletin:

Microsoft Security Bulletin MS06-4
Cumulative Security Update for Internet Explorer (113742734)
Published: June 3, 2007
Version: 1.0
Who should read this document: Customers who use Microsoft Windows
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately.

Of course, the proper format for the bulletin number would be "MS06-004", not "MS06-4". Second, the number of a bulletin released in 2007 would start with "MS07", not "MS06".
The scheme is what you would expect: the message includes a link to what, it claims, is a patch that is supposed to address the issue. The file, hosted on a remote server, is called "updatems06.exe". It is a UPX-packed executable that is recognized as being malicious by half of the anti-virus engines available to VirusTotal.
The executable installs a malicious browser add-on (BHO) "down.dll" on the victim's system in C:\WINDOWS\system32. Anti-virus engines that recognize the BHO as malware identify it as Agent.avk* ... This seems to be a downloader that is also capable of spying on the user's interactions with certain sites."
* http://www.avira.com/en/threats/section/fulldetails/id_vir/3023/tr_psw.lineag.abi.2.html
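A small mail-filter style check for the two numbering tells the diary points out (the bulletin number must be zero-padded to three digits, and its year must match the Published date), written as an added example that is not part of the ISC diary or this post; the sample header is constructed from the quoted message, and the well-formed ID MS07-999 used in the test is a placeholder.

```python
import re
from datetime import datetime

# Constructed sample: the header block of the fake bulletin quoted in the diary.
SAMPLE_EMAIL = """Microsoft Security Bulletin MS06-4
Cumulative Security Update for Internet Explorer (113742734)
Published: June 3, 2007
Version: 1.0
"""

# Genuine bulletin IDs: "MS", two-digit year, hyphen, exactly three digits.
STRICT_ID = re.compile(r"\bMS(\d{2})-(\d{3})\b")
# Loose form so look-alikes such as "MS06-4" are caught rather than ignored.
LOOSE_ID = re.compile(r"\bMS(\d{2})-(\d{1,3})\b")
PUBLISHED = re.compile(r"^Published:\s*(.+)$", re.MULTILINE)


def check_bulletin_header(text):
    """Return a list of findings; an empty list means the header is well-formed."""
    findings = []
    m = LOOSE_ID.search(text)
    if m is None:
        findings.append("no bulletin ID found")
        return findings
    id_year, number = m.group(1), m.group(2)
    # Tell 1: "MS06-4" instead of the zero-padded "MS06-004".
    if not STRICT_ID.match(m.group(0)):
        findings.append(
            f"malformed bulletin ID {m.group(0)}: expected MS{id_year}-{int(number):03d}"
        )
    p = PUBLISHED.search(text)
    if p:
        try:
            pub = datetime.strptime(p.group(1).strip(), "%B %d, %Y")
        except ValueError:
            findings.append(f"unparseable Published date: {p.group(1).strip()}")
        else:
            # Tell 2: a 2007 bulletin should carry an MS07 prefix, not MS06.
            if pub.strftime("%y") != id_year:
                findings.append(
                    f"bulletin year MS{id_year} does not match Published year {pub.year}"
                )
    return findings


if __name__ == "__main__":
    for finding in check_bulletin_header(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```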