Alerts


Microsoft Spoofs / Spyware

Date: 02.04.2005

Threat Type: Malicious Code / Malicious Website Alert

Websense® Security Labs™ has received several reports of two new versions of spoofed emails that are being used to install spyware/adware onto end users' machines.

 

The first version of the email claims to be from Microsoft®'s security department and offers the end user a new security tool in order to feel more secure. The email points to a URL that is hosted in Romania and was up at the time of this alert. Once the user accesses the site in Romania, a Microsoft Internet Explorer Browser Helper Object (BHO DLL) is installed on the machine. This BHO is spyware.

 

The second version is an email that also claims to be from Microsoft. It states that many people are illegally using its services without paying, and that Microsoft therefore needs end users to update their credit card information, although they will not be charged for any additional services at this time. The email links to a website which, when accessed, attempts to install a Browser Helper Object (BHO DLL); the BHO is then installed on the machine. This BHO is also spyware.
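
To check a machine for the kind of Browser Helper Object installation described above, the following PowerShell lists every registered BHO with its DLL path and Authenticode status. It is an added example, not part of the original Websense alert; `Get-BhoInventory` is a hypothetical helper name, and the registry paths are the standard machine-wide BHO locations rather than anything named in the alert.

```powershell
# Added example: inventory Internet Explorer BHOs and the DLL behind each one.
# IE loads BHOs listed by CLSID under these machine-wide keys (native and 32-bit views).
$views = @(
    @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)

function Get-BhoInventory {   # hypothetical helper name
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $view.Bho) {
            $clsid  = $entry.PSChildName
            $clsKey = Join-Path $view.Clsid $clsid
            $inproc = Join-Path $clsKey 'InprocServer32'
            $name = $null; $dll = $null; $status = 'NoDllRegistered'; $signer = $null

            if (Test-Path -LiteralPath $clsKey) {
                $name = (Get-Item -LiteralPath $clsKey).GetValue('')
            }
            if (Test-Path -LiteralPath $inproc) {
                # The default value of InprocServer32 is the path of the DLL that IE loads.
                $raw = (Get-Item -LiteralPath $inproc).GetValue('')
                if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"') }
            }
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $dll
                $status = [string]$sig.Status   # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            } elseif ($dll) {
                # Also reported for bare file names that Windows resolves via the DLL search path.
                $status = 'DllNotFoundAtPath'
            }
            [pscustomobject]@{ Clsid = $clsid; Name = $name; Dll = $dll
                               Signature = $status; Signer = $signer }
        }
    }
}

# Unsigned, mismatched or missing DLLs are the entries to review first.
Get-BhoInventory | Sort-Object Signature | Format-List
```

Run it from an elevated prompt on the affected machine and compare the output against a known-clean build.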

 

Version 1, Email Example:

 

----- Original Message -----
From: security@microsoft.com <mailto:security@microsoft.com>
Subject: Microsoft Windows Update

Dear Windows User,

Thank you for using Windows. Microsoft is constantly improving and we are trying to take care of your security. We offer you now a new security tool in order to feel more secure on the web.

Please click here <removed URL/MSUpdate.exe> to install it.

Sincerely,

Microsoft Security TEAM

Version 2, Email Example:

 

Hello Microsoft user,

We here at Microsoft would like you to still receive your normal computer updates, That Will protect your computer from Viruses and spyware. We have noticed A lot of people are illegally Using our services Without paying for their Windows Operating System. Therefor we've made a web site so you can update or validate your windows serial and credit card information. If you do not comply with our policy, windows will ask you to reactivate your serial number, and it will become invalid.

 

So you will lose any information on your computer. If you do not validate your serial number, your copy of windows will be labeled as piracy.

Your Credit Card will not be charged. We use your credit card information to validate your windows system. If any one else has your serial number we will contact you by phone.

It is critical that you update your serial number and validate it, so no one else will attempt to use it. We've also added Programs to help fight piracy and adware.

 

After your verification is complete, You can download these programs free of charge.

Please validate your account by Signing in our web site below.

 

<Site Removed>


Thank you

Removed
Windows XP Activation Team

XP Confirmed number;


 

"We here at Microsoft would like you to validate your Microsoft windows activation key in order to prevent against fraudulent use of the windows software.

Microsoft cares about your security and is working hard to keep windows secure. In support of our continuing efforts we encourage you to spend a minute and validate your Microsoft windows (TM) licensee key "