Monday, December 8, 2008
"Websense® Security Labs™ ThreatSeeker™ Network has discovered a ploy by scammers to trick users into executing a supposed fix for a Microsoft Security Advisory.
"The fraudulent email message references a real Microsoft Security Advisory 951306 (also known as CVE-2008-1436). The email provides instructions in both French and English.
"When the email's malicious attachment (MSC003-WIN.scr) is run, it connects via IRC to a BOT Controller, [removed]dns.be. This connection is not through the default port, but through port 81. The application binds to startup, ensuring it will be run automatically when the computer is restarted (as instructed in the email). Major antivirus vendors are not detecting the malicious attachment."
Full alert at Websense...