Worm poses as Internet Explorer beta download

Sophos is warning email users of a widespread malicious attack that poses as an invitation from Microsoft to download a beta version of Internet Explorer 7.0.

The emails, which claim to come from admin@microsoft.com and have the subject line “Internet Explorer 7 Downloads”, display an image which invites users to download beta 2 of Internet Explorer 7. However, users who click on the image will download a file called ie7.0.exe which is infected by the Grum-A worm.

The Grum worm is an appender virus which infects executable files referenced by Run keys in the Windows Registry. When run, it copies itself to \winlogon.exe and makes changes to the Registry. It also edits the HOSTS file, injecting a thread into system.dll, and attempts to patch the system files ntdll.dll and kernel32.dll.

Sophos experts note that this isn’t the first time that malware has posed as a download from Microsoft.

“There have been many occasions when virus writers have coded attacks that have presented themselves as communications from Microsoft,” continued Cluley. “For instance, in 2003 the Gibe-F worm, also known as Swen, posed as a critical security update from the software giant, and two years ago hackers directed internet users to a bogus website masquerading as Microsoft’s update page.”