Computer Cops - Graybird-A

Trojan preying on Lovsan hits inboxes

By Edward Hurley, SearchSecurity.com News Writer
15 Aug 2003, SearchSecurity.com

A new Trojan has emerged that preys off people's fears about the Lovsan worm.

Graybird-A is a backdoor Trojan, which travels by e-mail, and purports to be an update to protect against the worm. If installed, it could allow outsiders access to infected systems, antivirus software vendor Sophos said in an advisory.

Normally, Graybird wouldn't likely garner much attention (or be particularly successful), but Lovsan fears could make users fall prey since they're being bombarded with warnings about patching their systems.

Microsoft has had to take its patch download page down because the worm is set to launch a distributed denial of service attack on it on Aug. 16. The necessary patches are easy enough to find. There are multiple links to them on Microsoft's home page.

Experts always advise computer users to never install what purport to be patches attached to e-mails.

Never trust unsolicited executable code that arrives via e-mail, said Chris Belthoff, senior security analyst at Sophos, Inc., in a statement. Businesses should consider blocking all executable code at the e-mail gateway so it cannot reach their users.

The message carrying Graybird arrives looking like this:

Subject line: updated

Message text: Dear customer:

At 11:34 A.M. Pacific Time on August 13, Microsoft began investigating a worm reported by Microsoft Product Support Services (PSS). A new worm commonly known as W32.Blaster.Worm has been identified that exploits the vulnerability that was addressed by Microsoft Security Bulletin MS03-026.

Download the attached update program. To begin the download process, do one of the following:

To download the attached program to your computer for installation at a later time, click Save or Save this program to disk.then run it. If you have any problem, connect to us immediately.

Attached file: 03-26updated.exe

This is not the first time that a malware maker tapped fears about worms to get people to install malicious code. In March, W32/Gibe-A arrived as an attached executable to what appears to be an official Microsoft alert e-mail.

TechTarget


	Home · Topics · Submit News · Top 10 This entire site, Cops Themes, and Computer Cops are © 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright © 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 890 pages served in previous 5 minutes. Page Rendered: 0.233 seconds.