Security Response

Patch bulletin email?

Created: 21 Sep 2007 07:00:00 GMT • Updated: 23 Jan 2014 18:46:10 GMT
Vikram Thakur

If you've recently received an email with an attachment or link, asking you to install a patch or an update from Microsoft, please beware as this is in all probability a hoax and could transfer control of your computer to some unknown entity anywhere in the world.

Recently, we received samples of emails which prompted users to install patches for Windows, via fake Security Bulletins. The patches were either linked from the email or attached to the mail itself. Symantec products detect the linked file as Trojan.Dropper.

[Figure: screenshot of the spammed fake Security Bulletin email (Patch-1sm.JPG)]


In this case, the installer distributed via this spam message did indeed include an original Windows patch distributed publicly by Microsoft. However, that wasn't the only file in the archive. If one tried to run the executable, in addition to the digitally signed patch, another piece of malware was installed on the host computer. This file is detected by us as Downloader. It in turn downloads and installs a Browser Helper Object (BHO) for Internet Explorer. This BHO is loaded whenever one runs Internet Explorer and makes contact with third-party hosts. A simple lookup of this site on your favorite search engine shows that this site name has been used by malicious applications several times in the recent past. Symantec is working to get this site shut down.

There are several suspicious-looking items in this piece of spam message that could give away the fact that this is a hoax. For example, here is one: in the picture above, the spammed Security Bulletin mentions MS06-602. This bulletin doesn't exist.
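The traits described above (a download link that does not point at the vendor's own site, an executable or archive attachment, and a cited bulletin number that should be checked against the vendor's published list) are all visible in the raw message, so a mail gateway or an analyst can screen for them before anyone clicks. The following is an added example written for this page, not code from the original post or from Symantec. The email it parses is constructed for illustration: the sender, the `example.invalid` hosts and the attachment name `KB-patch.zip` are placeholders, and `VENDOR_DOMAINS` is an assumption about where a genuine patch would be hosted.

```python
"""Screen a "security bulletin" email for the lure traits described in the post.

Added example, not part of the original post. Parses a constructed message,
extracts links, attachments and MSyy-nnn bulletin identifiers, and reports
anything an analyst should look at before the recipient acts on the mail.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a real Microsoft patch is hosted under this domain (or a subdomain).
VENDOR_DOMAINS = ("microsoft.com",)
# Attachment types a patch notification has no business carrying.
RISKY_EXTENSIONS = (".exe", ".zip", ".rar", ".msi", ".scr", ".com", ".bat")
# Microsoft Security Bulletin identifiers look like MS06-602.
BULLETIN_RE = re.compile(r"\bMS\d{2}-\d{3}\b")

# Constructed sample message (placeholders only; not a real campaign artifact).
SAMPLE_EMAIL = b"""\
From: "Microsoft Security" <bulletin@example.invalid>
To: user@example.invalid
Subject: Microsoft Security Bulletin MS06-602 - Critical Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Install the patch for bulletin MS06-602 immediately:</p>
<a href="http://update.example.invalid/patch.exe">http://www.microsoft.com/downloads</a>
</body></html>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="KB-patch.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host name of a URL, or None if it has none."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def is_vendor_host(host):
    """True only for the vendor domain itself or one of its subdomains."""
    return host is not None and any(
        host == d or host.endswith("." + d) for d in VENDOR_DOMAINS
    )


def triage(raw_bytes):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings, text_parts = [], []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:  # an attachment
            if filename.lower().endswith(RISKY_EXTENSIONS):
                findings.append(f"executable/archive attachment: {filename}")
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_content()
            text_parts.append(html)
            collector = _LinkCollector()
            collector.feed(html)
            for href, text in collector.links:
                target = host_of(href)
                if not is_vendor_host(target):
                    findings.append(f"link to non-vendor host: {target}")
                shown = host_of(text) if "://" in text else None
                if shown and shown != target:  # displayed URL disagrees with real target
                    findings.append(f"link text shows {shown} but points to {target}")
        elif ctype == "text/plain":
            text_parts.append(part.get_content())
    # Bulletin numbers cannot be validated offline; surface them for a lookup
    # against the vendor's own published list (the post's MS06-602 fails that lookup).
    for bid in sorted(set(BULLETIN_RE.findall(" ".join(text_parts)))):
        findings.append(f"cited bulletin {bid}: verify against the vendor's published list")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL):
        print("-", line)
```

Run against the constructed message, `triage` reports the non-vendor link host, the mismatch between the displayed `www.microsoft.com` URL and the real target, the `.zip` attachment, and the cited MS06-602 identifier for verification. The design deliberately does not try to judge whether a bulletin number exists from its format alone, since a well-formed identifier (as MS06-602 is) can still be fictitious; that decision belongs to a lookup against the vendor's list.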

We urge users to refrain from opening files or clicking links in emails from unknown sources. We recommend that all users always keep their computers up-to-date on the latest patch levels for all software installed. In doing so, it's important that users always download these patches from the original software vendor sites, by visiting the sites themselves rather than following links in emails or other third-party Web pages.