
March 30, 2007

Internet Explorer 7 beta email is Grum worm in disguise

By John Pospisil





As I was working on my PC yesterday I received a number of odd emails from “admin@microsoft.com” inviting me to download Internet Explorer 7. I would never expect Microsoft to promote itself in this way, so I immediately suspected the emails were some kind of spam or a worm. Today Sophos has issued a warning about this very email: anyone who clicks on the embedded image contained in the email will download a file called ie7.0.exe which is infected by the W32/Grum-A worm.

“Worms like this are only succeeding in spreading because so many people have still not learnt to be suspicious of unsolicited emails, even if they claim to come from well-known companies like Microsoft,” said Graham Cluley, senior technology consultant for Sophos.

“The problem is that to the casual observer the email looks genuine, and the image displayed looks near-identical to the imagery that Microsoft is using on its website to promote Internet Explorer 7.0.”

The Grum worm is an appender virus which infects executable files referenced by Run keys in the Windows Registry. When run, it copies itself to <Temp>\winlogon.exe and makes changes to the Registry. It also edits the HOSTS file, injects a thread into system.dll and attempts to patch the system files ntdll.dll and kernel32.dll.
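A defender's triage check for the traces described above, as an added example that is not from the original article or from Sophos: it flags a winlogon.exe that sits outside System32 and lists HOSTS entries beyond the stock localhost line. The System32 path, the sample commands and the sample HOSTS content are constructed assumptions; the article does not say which HOSTS entries the worm writes.

```python
import ntpath
import re

# Assumptions (not from the article): default XP paths, constructed sample data.
SYSTEM32 = r"c:\windows\system32"
SYSTEM_NAMES = {"winlogon.exe"}  # name the article says the worm copies itself under

def exe_path(command):
    """Pull the executable path out of a Run key value or process command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]

def masquerading(commands):
    """Paths that use a system binary's name from outside System32."""
    hits = []
    for command in commands:
        folder, base = ntpath.split(ntpath.normpath(exe_path(command)))
        if base.lower() in SYSTEM_NAMES and folder.lower() != SYSTEM32:
            hits.append(ntpath.join(folder, base))
    return hits

def hosts_to_review(hosts_text):
    """Active HOSTS mappings other than the stock localhost entry."""
    review = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], [n.lower() for n in fields[1:]]
        if addr in ("127.0.0.1", "::1") and names == ["localhost"]:
            continue
        review.append((addr, names))
    return review

# Constructed sample input: Run key values / process paths and a HOSTS file.
SAMPLE_COMMANDS = [
    r'"C:\Program Files\Vendor\tray.exe" /min',
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\DOCUME~1\user\LOCALS~1\Temp\winlogon.exe",
]
SAMPLE_HOSTS = "# sample\n127.0.0.1 localhost\n127.0.0.1 update.example.com # constructed\n"

if __name__ == "__main__":
    print("Run key targets to verify:", [exe_path(c) for c in SAMPLE_COMMANDS])
    print("Masquerading:", masquerading(SAMPLE_COMMANDS))
    print("HOSTS entries to review:", hosts_to_review(SAMPLE_HOSTS))
```

Because the worm infects executables referenced by Run keys, the paths returned by `exe_path` for each Run value are also the files to compare against known-good hashes.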

What always amazes me about these malicious email attacks is the massive scale on which they take place – in the space of just a few hours I received three of these emails to different email addresses that I use, and several friends also reported receiving the same email.

Beyond always running an integrated security package to protect your computer from viruses, spyware and spam, it’s also good practice to avoid clicking on links in emails.

Keep in mind that companies like Microsoft would never use spam email to promote their products. And even emails coming from friends could have been generated by viruses.


    One Response to “Internet Explorer 7 beta email is Grum worm in disguise”

    1. dvous:

      Many Win XP users would have been automatically updated to IE7 by the Windows update system that is enabled by default on most legitimate installations with Service Pack 2.

      Also, if obtained via another method, the genuine IE7 routine will check the legitimacy of your Windows installation before proceeding.

      That said, there’s still a percentage of people who will be caught by this attack.
