Fake Microsoft security update spreads Autorun worm

Filed Under: Malware, Microsoft, Spam

Have you received an email seemingly from Microsoft's security team telling you to "Update your Windows"? Have you been sent a file called KB453396-ENU.zip and told to run it on your Windows computer?

Well, think twice before following the instructions.

Cybercriminals are up to their old tricks, spreading malware under the disguise of a critical security patch from Microsoft.

In the current example, they've spammed out an email containing a worm, which even quotes the real name of a senior member of Microsoft's security team - Steve Lipner - to try to fool you into believing it is genuine.

The emails have a subject line of "Update your Windows" and contain the following text:

[Image: Fake Microsoft security update email]

Of course, Mr Lipner has nothing to do with the emails and Microsoft never distributes security updates via email attachments. Nevertheless, there have been a series of attacks that have abused his name in the past.

With the cybercriminals putting so much effort into hoodwinking unsuspecting computer users, though, you would have thought they would not have made an elementary mistake in their forged email header. The messages we've seen claim to come from the address no-reply@microsft.com

That's right. "microsft".

SophosLabs has added detection of the malware as W32/Autorun-BMF, and in addition the ZIP file is detected as Mal/BredoZp-B.
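A mail filter can catch both giveaways described above: the near-miss sender domain and a file attached to mail using Microsoft's name. The following is an added example, not code from SophosLabs or Microsoft; the `PROTECTED` list, the function names and the distance threshold are assumptions, and the sample message is constructed from the sender, subject and file name quoted in this article.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

PROTECTED = {"microsoft.com"}  # assumption: brands this gateway protects

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def check_message(raw, max_dist=2):
    """Return findings for a raw RFC 5322 message (hypothetical helper)."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    lookalike = [b for b in PROTECTED
                 if domain != b and edit_distance(domain, b) <= max_dist]
    for brand in lookalike:
        findings.append(f"sender domain {domain} imitates {brand}")
    if lookalike or domain in PROTECTED:
        # Security updates are never sent as attachments, so any attached
        # file on mail carrying the vendor's name is a finding.
        for part in msg.walk():
            if part.get_filename():
                findings.append(f"attachment {part.get_filename()} on vendor-branded mail")
    return findings

def constructed_sample():
    """Constructed message using the sender, subject and file name quoted above."""
    m = EmailMessage()
    m["From"] = "no-reply@microsft.com"
    m["Subject"] = "Update your Windows"
    m.set_content("constructed body text")
    m.add_attachment(b"constructed bytes, not a real archive",
                     maintype="application", subtype="zip",
                     filename="KB453396-ENU.zip")
    return m.as_string()

if __name__ == "__main__":
    for finding in check_message(constructed_sample()):
        print(finding)
```

The attachment rule also fires when the From header is forged with the correctly spelled domain, which the spelling check alone would miss.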


10 Responses to Fake Microsoft security update spreads Autorun worm

  1. Thank you SO much for your continued efforts !! You do untold GOOD to people who are diligent, yet unsuspecting when it comes to Microsoft !!

  2. Damien · 1702 days ago

    When scammers and spammers finally learn to spell (or spell check), I guess we'll all be in trouble..

  3. @Damien, it's not just the spelling. The diction in general tends to come across as sounding like "Peggy" (the overseas customer support guy) in the credit card commercials on TV.

  4. Aaron · 1701 days ago

    Just go to Start and Windows Update there to get all your Windows and Microsoft updates. I never trust anything I see in emails.

  5. Mark Evertz · 1701 days ago

    Hey Graham,
    Nice work. Damien and Tim nailed it. This is forcing my hand to craft a future post on poor writing in social engineering e-mails as the first line of defense against cyber criminals.

    No telling if this is an English as a Second Language issue, a grammar-check and spell-check are turned off problem, or e-mailers being so tweaked on Ketamine and code that they can't muster up a coherent thought much less a coherent sentence, but the proof is in the words.

    "Please notice that the Microsoft company..."

    "Please notice, that present update applies..."

    "If nothing changes after you run the file, probably in the settings of the OS you have an indication to, etc. (whoosh!)

    If it reads like "Peggy" from the Visa commercials, it probably is. Oh...and the .exe is another dead giveaway.

    To a social re-engineering of end-users in 2011 to read, think and question before the click or download.


  6. Oliver Metcalfe · 1701 days ago

    Thanks Graham, picked this story up from your twitter feed the other day! Great information as always.



  7. Icicle Pete · 1700 days ago

    Of course, perhaps it is a somewhat "good" thing there are malevolent actors around. After all, where would our good friend Graham be if there weren't security problems? Hmmm... maybe he'd have to write some little devils just to keep us smart. Sorry, no he wouldn't. I'm sure he'd be developing all sorts of gut-busting games with no solutions. Achhh....where are the flappertanknibbles now?

  8. Anne · 1699 days ago

    I am not able to even access the Microsoft website after a number of worms/viruses.. not sure what the differences are.

    These started after I started to receive pop-ups from what looked like Microsoft.

    • You should check your computer with an up-to-date anti-virus.

      Maybe your PC was infected by a fake anti-virus that presented itself as though it were Microsoft. Possibly some malware is blocking access to the real Microsoft website.

      Of course, it might be something else entirely - but better to be safe than sorry.

  9. katherine · 1693 days ago

    This happened to me... I couldn't even get to the sign-in page. I had to do a recovery to get past this... be careful !!

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley