Fake Microsoft Advisory Targeting French Users
Threat Type: Malicious Web Site / Malicious Code
Websense® Security Labs™ ThreatSeeker™ Network has discovered a ploy by scammers to trick users into executing a supposed fix for a Microsoft Security Advisory.
When the email's malicious attachment (MSC003-WIN.scr) is run, it connects via IRC to a BOT Controller, [removed]dns.be. This connection is not through the default port, but through port 81. The application binds to startup, ensuring it will be run automatically when the computer is restarted (as instructed in the email). The SHA1 of MSC003-WIN.scr is 2056c9fa1b97fca775cc7a01768fb39818963a94. Major antivirus vendors are not detecting the malicious attachment.
The malicious email:
Websense Messaging and Websense Web Security customers are protected against these threats.