Microsoft fake e-mail

sci0x

Got an e-mail which it says is from Microsoft Network Security. It all looks real but it gives an attachment to download update93.exe.

Heres what the e-mail looks like:
Microsoft Consumer

this is the latest version of security update, the "September 2003, Cumulative Patch" update which fixes all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express. Install now to help maintain the security of your computer from these vulnerabilities, the most serious of which could allow an malicious user to run executable on your computer. This update includes the functionality of all previously released patches.

System requirements Windows 95/98/Me/2000/NT/XP
This update applies to MS Internet Explorer, version 4.01 and later
MS Outlook, version 8.00 and later
MS Outlook Express, version 4.01 and later
Recommendation Customers should install the patch at the earliest opportunity.
How to install Run attached file. Choose Yes on displayed dialog box.
How to use You don't need to do anything after installing this item.

Microsoft Product Support Services and Knowledge Base articles can be found on the Microsoft Technical Support web site. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site, or Contact Us.

Thank you for using Microsoft products.

Please do not reply to this message. It was sent from an unmonitored e-mail address and we are unable to respond to any replies.

Here are the e-mail details:
Return-Path: <stayatwoodlands@eircom.net>
Delivered-To: denis@kerrypages.com
Received: (qmail 20415 invoked by uid 89); 21 Sep 2003 08:33:22 +0100
Received: from unknown (HELO mail00.svc.cra.dublin.eircom.net) (159.134.118.16)
by mail.valuehost.co.uk with SMTP; 21 Sep 2003 08:33:22 +0100
Received: (qmail 12878 messnum 1837845 invoked from network[159.134.156.171/p156-171.as1.twv.tralee.eircom.net]); 21 Sep 2003 07:32:56 -0000
Received: from p156-171.as1.twv.tralee.eircom.net (HELO wbbkzqm) (159.134.156.171)
by mail00.svc.cra.dublin.eircom.net (qp 12878) with SMTP; 21 Sep 2003 07:32:56 -0000
FROM: "Microsoft Network Security Center" <wyhtasadodftb-sofxr@confidence_msn.com>
TO: "Consumer" <consumer-ynelfmu@confidence_msn.com>
SUBJECT: New Network Patch
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="rqmqbnqksbsudx"

Microsoft never send e-mails with attachments either http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/policy/swdist.asp so dont open

dod

This virus was discussed in the Operating Systems/ Windows forum a little earlier in the week here

conZ

Protect yourself : ftp://ftp.europe.f-secure.com/anti-virus/tools/swentool.zip

and

Keep updated : http://www.f-secure.com/v-descs/_new.shtml

tom-thebox

Question: What type of Virus is Swen?

Answer: Swen is a massmailer that can also infect network shares, through Kazaa and ICQ.



Question: How to I detect infection?



Answer: Use free scanning tools from these VIA partners:

http://vil.nai.com/vil/stinger/

http://securityresponse.symantec.com/

http://www3.ca.com/virusinfo/

http://www.trendmicro.com/download/tsc.asp



Question: How can I get more information on Swen ?

Answer: Please review the alert below which contains



Computer Associates

W32/Swen@MM

http://www3.ca.com/virusinfo/virus.aspx?ID=36939

Network Associates:

W32/Swen@MM

http://vil.nai.com/vil/content/v_100662.htm

Trend Micro:

W32/Swen@MM

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A

Symantec:

W32/Swen@MM

http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html



Q: What is the Microsoft official response to the Swen Virus?

A: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/swen.asp



Q: What are symptoms of infection?

A: Varies – one symptom is a fake mapi error dialogue:





Question: How does the user prevent infection a second time?

Answer: Swen uses multiple methods of infection:

1) Users should be advised not to open attachments that are not from a trusted source and or that they are not suspecting.

2) Swen using the vulnerability in Microsoft Security Bulletin MS01-020 to automatically execute.
patch: http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp

3) Or preferably upgrade to Internet Explorer 6 SP1 which does not contain this vulnerability:

http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/default.asp

4) Users who were infected using Outlook or Outlook Express:

5) Outlook users should be encouraged to upgrade their Outlook version to one that includes the OESU. Users can scan their system and install all the latest updates for Office here:

http://office.microsoft.com/officeupdate/default.aspx

Outlook Express users should install the latest version of Internet Explorer which will also upgrade Outlook Express:

http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/default.asp


USE A MAIL PROVIDER THAT RUNS ANTI VIRUS!

Capt'n Midnight

USE A MAIL PROVIDER THAT RUNS ANTI VIRUS!

or just don't use windows

GuanYin

A girl in work called me in to ask me if she should run the "patch"

I asked her how exactly microsoft got her e-mail and why they would mail her personally. :rolleyes:

Anyone who got caught by that deserves to have their system wiped or whatever.

sci0x

Originally posted by sykeirl
A girl in work called me in to ask me if she should run the "patch"

I asked her how exactly microsoft got her e-mail and why they would mail her personally. :rolleyes:

Anyone who got caught by that deserves to have their system wiped or whatever.

Plus the fact that if you get one you will probably get at least 5 of the same e-mails of the same microsoft message at the same time. kind of a giveaway that something is up.

My friend is getting 19 of them microsoft e-mails every 20 mins ffs