
Windows-update.com Trojan Horse

SecureWorks has confirmed reports of an Internet Explorer vulnerability being exploited to install a Trojan horse program on users' machines via a fake Windows Update site. A bogus email, apparently direct-spammed to users, instructs them to apply a "critical patch." Because the URL of the patch site in the email is windows-update.com (a near copy of the valid windowsupdate.com), many users may be fooled into clicking the link. If they are using an unpatched version of IE, a small executable is downloaded to their computer and run. This executable fetches configuration information from a second site, lol.ifud.cc (63.246.131.30), and then downloads one of many unknown custom Trojan horse programs from a third site, which changes according to the configuration information downloaded.

Update - June 26, 2003

The windows-update.com site appears to have been taken down by its hosting provider. The domain could, however, reappear with another hosting service, or the scam could be repeated with a different variant of the windowsupdate.com name, so users should stay alert to this threat even though the immediate danger has passed. Applying the Internet Explorer hotfix for this vulnerability remains the best way to prevent further exploitation.
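The lure depends on a domain that reads like the real one, and the update above warns that other variants of the windowsupdate.com name may follow. The script below is an added example, not SecureWorks' code, that flags such hosts in three ways: the legitimate name used as a subdomain of something else, hyphens or dots inserted into the name, and any host within a small edit distance of it. The lure domain and the second-stage host lol.ifud.cc are taken from the advisory; the function names, the legitimate-domain list, the distance threshold and the constructed sample URL windowsupdate.com.example.net are this example's own assumptions.

```powershell
# Added example, not part of the SecureWorks advisory: flag URLs whose host
# imitates a legitimate domain. The lure (windows-update.com) and the
# second-stage host (lol.ifud.cc) are from the advisory; the functions,
# the legitimate-domain list and the distance threshold are assumptions.

function Get-EditDistance {
    # Levenshtein distance between two strings (standard dynamic-programming table).
    param([string]$A, [string]$B)
    $d = [int[,]]::new($A.Length + 1, $B.Length + 1)
    for ($i = 0; $i -le $A.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $B.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $A.Length; $i++) {
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[($i - 1), $j] + 1, $d[$i, ($j - 1)] + 1),
                                     $d[($i - 1), ($j - 1)] + $cost)
        }
    }
    return $d[$A.Length, $B.Length]
}

function Test-LookalikeHost {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string[]]$Legitimate = @('windowsupdate.com', 'microsoft.com'),  # assumed allow-list
        [int]$MaxDistance = 2                                             # assumed threshold
    )
    $hostName = ([System.Uri]$Url).Host.ToLowerInvariant()
    $bare = $hostName -replace '^www\.', ''
    $verdict = 'unrelated'
    $target = $null
    foreach ($legit in $Legitimate) {
        $target = $legit
        # Exact match or a real subdomain of the legitimate name is fine.
        if ($bare -eq $legit -or $bare.EndsWith(".$legit")) { $verdict = 'legitimate'; break }
        # The real name used as a subdomain of an attacker domain.
        if ($bare.StartsWith("$legit.")) { $verdict = 'lookalike: real name used as a subdomain'; break }
        # Hyphens or dots inserted into the real name (windows-update.com).
        if (($bare -replace '[-.]', '') -eq ($legit -replace '[-.]', '')) { $verdict = 'lookalike: hyphen/dot inserted'; break }
        # Small typos or character swaps.
        if ((Get-EditDistance $bare $legit) -le $MaxDistance) { $verdict = 'lookalike: within edit distance'; break }
        $target = $null
    }
    [pscustomobject]@{ Url = $Url; HostName = $hostName; Verdict = $verdict; Target = $target }
}

# Sample input: the lure and second-stage host from the advisory, one legitimate
# update host, and one constructed subdomain trick.
$samples = @(
    'http://www.windows-update.com',          # the lure in the bogus email
    'http://v4.windowsupdate.microsoft.com',  # legitimate Windows Update host
    'http://windowsupdate.com.example.net',   # constructed: real name as a subdomain
    'http://lol.ifud.cc'                      # second-stage configuration host
)
$samples | ForEach-Object { Test-LookalikeHost -Url $_ } | Format-Table -AutoSize
```

The first sample is caught by the hyphen-insertion rule (and is also within edit distance 1), the second passes as a subdomain of microsoft.com, the third is caught by the subdomain rule, and the fourth is reported as unrelated; a mail gateway or proxy log review would act on anything with a verdict that starts with "lookalike".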

Vulnerable Versions of Internet Explorer

  • Microsoft Internet Explorer 5.01
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 6.0
  • Microsoft Internet Explorer 6.0 for Windows Server 2003

The bogus email reads as follows:

Dear Windows User!

New Windows 9x/2000/NT/XP critical patch has been released.

Due to security problems, your system needs to be updated as earlier as possible. You can download an update patch on Windows Update site: http://www.windows-update.com
Best regards,

Windows Update Group

Damage

  • Unknown/unauthorized code run on user machines.
  • Possible full compromise of user systems.

Remediation

Manual Removal

If a system has been infected by this Trojan, it can be disabled by following these steps:

  1. Find and remove the following files (%WINDIR% already includes the drive letter, e.g. C:\WINNT on Windows NT/2000 or C:\Windows on XP). Note that the file names imitate legitimate components: regsvs32.exe is not the genuine regsvr32.exe, and wsock32p.exe is not the genuine wsock32.dll, so do not remove those. If a file is in use, terminate the running process first or delete the file from Safe Mode.
    %WINDIR%\regsvs32.exe
    %WINDIR%\system32\wsock32p.exe
    %WINDIR%\system32\drivers\nchkswt.exe
    
  2. Remove the following values from the Run and RunServices keys. Remove only these two values, not the keys themselves, since other legitimate startup entries live under them.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
          Network Checker = 'C:\WINNT\System32\drivers\.\nchkswt.exe'
          WSock32 Protocol = 'wsock32p.exe'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
          Network Checker = 'C:\WINNT\System32\drivers\.\nchkswt.exe'
          WSock32 Protocol = 'wsock32p.exe'
    
  3. Reboot the system.
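The check-and-remove procedure above, as a PowerShell script added to this page (it is not SecureWorks' code). The file paths, registry keys and value names are those listed in the removal steps; the function name, the SHA-256 reporting, the process names (derived from the image file names) and the -WhatIf dry-run behaviour are this example's own assumptions. Run it from an elevated prompt; it reports by default and removes only when -Remove is given.

```powershell
# Added example, not part of the SecureWorks advisory: report the file and
# registry artifacts from the manual-removal steps, and optionally remove them.
# Paths and value names are from the advisory; the rest is this example's own.

function Get-WindowsUpdateTrojanArtifacts {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remove)

    # %WINDIR% already carries the drive letter (C:\WINNT or C:\Windows).
    $windir = $env:WINDIR
    $files = @(
        (Join-Path $windir 'regsvs32.exe'),               # regsvs32, not the legitimate regsvr32.exe
        (Join-Path $windir 'system32\wsock32p.exe'),      # wsock32p.exe, not the legitimate wsock32.dll
        (Join-Path $windir 'system32\drivers\nchkswt.exe')
    )
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
    )
    $valueNames = @('Network Checker', 'WSock32 Protocol')
    $findings = @()

    if ($Remove) {
        # Running copies hold their image files open; stop them before deleting.
        # Process names assumed from the image file names in the advisory.
        Get-Process -Name 'regsvs32', 'wsock32p', 'nchkswt' -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess("$($_.Name) (PID $($_.Id))", 'Stop process')) {
                    Stop-Process -Id $_.Id -Force
                }
            }
    }

    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            # Record the hash so the sample can be shared with responders before deletion.
            $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Location = $f; Data = $hash }
            if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Remove file')) {
                Remove-Item -LiteralPath $f -Force
            }
        }
    }

    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $valueNames) {
            if ($null -ne $props.$name) {
                $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\$name"; Data = $props.$name }
                # Remove only the value; the Run/RunServices keys themselves are legitimate.
                if ($Remove -and $PSCmdlet.ShouldProcess("$key\$name", 'Remove value')) {
                    Remove-ItemProperty -LiteralPath $key -Name $name
                }
            }
        }
    }

    if ($Remove -and $findings.Count -gt 0) {
        Write-Warning 'Artifacts removed; reboot the system to complete the clean-up.'
    }
    return $findings
}

# Report only:
Get-WindowsUpdateTrojanArtifacts | Format-Table -AutoSize
# Dry run of the removal (prints what would happen), then the real removal:
# Get-WindowsUpdateTrojanArtifacts -Remove -WhatIf
# Get-WindowsUpdateTrojanArtifacts -Remove
```

Because the function declares SupportsShouldProcess, -WhatIf and -Confirm work on every destructive step; on a clean host the report is simply empty.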
