Daily cyber threats and internet security news: network security, online safety and latest security alerts
October 13th, 2008

Microsoft’s “Experimental Security Fix” Is Actually A Malware

Microsoft warned Monday about fake e-mails sent by scammers that claim to include critical Windows security alerts. The fake alerts describe themselves as part of a new “experimental private version of an update for all Microsoft Windows OS users, according to Microsoft’s note on the scam.

The e-mails then instruct the victim to download an attachment, which is actually a malicious Trojan Horse program known as Win32/Haxdoor. This software records sensitive information such as passwords and credit card numbers and sends this data back to the attackers who are running the scam. The malware well-known, however, and is detected by anti-virus programs as well as Microsoft’s free Microsoft Malicious Software Removal Tool (MSRT).

The warning comes the day before Microsoft is set to deliver 11 genuine security fixes. These updates, due Tuesday at around 10 a.m. Pacific include critical security updates for Windows Active Directory, Internet Explorer, Excel and the Microsoft Host Integration Server. As always, they will be delivered via Microsoft’s standard automated update tools. Major software vendors such as Microsoft never distribute security patches via email.

“As a matter of company policy, Microsoft will never send you an executable attachment,” wrote Microsoft spokesman Christopher Budd in a blog posting on the scam. “If you get an e-mail that claims to be a security notification with an attachment, delete it. It is always a spoof.”

Microsoft does, however, send out security notification emails to customers who have asked to be told whenever patches are released or updated. These emails are in plain text and never contain attachments.

Users who have doubts about any security notification email they’ve received can go to Microsoft’s TechNet security Web site, which contains the same information as its e-mail notifications.

Share this item with others:

More on CyberInsecure:
  • Fake Microsoft-like Sites Attempt To Install Malware
  • Law Enforcement Get Around Encryption With Microsofts Help
  • Record Number Of Vulnerabilities Fixed In Microsoft’s Patch Tuesday
  • Microsoft’s October 2008 Update Plugs Critical Vulnerabilities In IE, Office And Windows
  • Microsoft’s CAPTCHA Under Spammers Attack Again

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Microsoft’s “Experimental Security Fix” Is Actually A Malware

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.