Xombe Trojan poses as Microsoft warning

Last modified: January 12, 2004, 9:48 AM PST
By Munir Kotadia
Special to CNET News.com

An e-mail disguised as a message from Microsoft's security team contains a dangerous Trojan horse called Xombe.

Xombe, also known as Trojan.Xombe, Downloader-GJ and Troj/Dloader-L, was being distributed on Friday. It poses as a critical update for the Windows XP operating system. When executed, it attempts to download a malicious backdoor component from the Web.

It appears to be an imitation of one of last year's most successful worms, the mass-mailed Swen, which also masqueraded as a security warning from Microsoft.

However, Xombe has yet to repeat the success of Swen. While the former failed to make the top 10 threats intercepted by e-mail security company MessageLabs on Monday morning, Swen was at No. 2, with some 7,000 instances captured in the past 24 hours.

Ken Dunham, malicious code intelligence manager at security company iDefense, said that the success of Swen has encouraged virus writers to create e-mails and Web sites that appear official in order to fool more people into executing malicious code.

The e-mail, which appears to have been sent from windowsupdate@xxxxxxxxxxxxx, has the subject line "Windows XP Service Pack 1 (Express) - Critical Update" and directs users to execute the attachment, called winxp_sp1.exe, in order to fix some vulnerabilities in Microsoft's Internet Explorer, Outlook and Outlook Express.

Dunham said that once executed, the attachment downloads a file called msvchost.exe that alters the Windows Registry and opens certain ports in order to listen out for commands from a hacker.

Most antivirus companies have already updated their signatures, but users without up-to-date antivirus applications could be infected, helping the Trojan's author to take control of large numbers of PCs. Dunham said that once a "large army of zombie computers" has been built up, attackers could use them for serious crimes such as ID theft and banking fraud.

Microsoft was not immediately available to comment.

Although Xombe is only likely to be opened by Windows XP users, it affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows Server 2003 systems, as well as Windows XP, according to security company Symantec.

Munir Kotadia of ZDNet UK reported from London.

http://news.com.com/2100-7349-5139317.html?part=dht&tag=ntop

Regards, John Durham (list moderator)