It always pays to be suspicious when unsolicited e-mails arrive, and on Friday new evidence underscored the point: A malicious e-mail purportedly from Microsoft actually serves up a worm dubbed “Grum.”
The e-mail, which claims to come from email@example.com and reads “Internet Explorer 7 Downloads” in the subject line, displays an image that invites users to click on it to download a beta 2 version of Internet Explorer 7.0. Trusting users who click on the image, however, download not the promised software but a file called ie7.0.exe, which is infected by the W32/Grum-A worm.
A worm is a type of computer virus that reproduces by sending copies of itself to other nodes on a network — in this case, it uses the addresses in users’ e-mail address books.
The Grum Reality
The Grum worm is an appender virus that infects executable files referenced by Run keys in the Windows Registry, according to officials at security provider Sophos. When run, it copies itself to winlogon.exe and makes changes to the Registry. It also edits the HOSTS file, injects a thread into system.dll, and tries to patch the system files ntdll.dll and kernel32.dll.
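Because the worm infects the executables that Run keys point at, one defensive check that follows from the description above is to baseline those executables and re-check them for changes, including the file growth typical of an appender. The script below is an added illustration, not Sophos's tooling or anything from the original article; it works on a constructed set of Run-key values and temporary files so it runs offline, and the entry names and paths it uses are hypothetical.

```python
import hashlib
import os
import tempfile


def executable_from_run_value(value: str) -> str:
    """Extract the program path from a Run-key command string.

    Handles the quoted form ("C:\\path\\app.exe" /args) and the unquoted
    form (C:\\path\\app.exe /args). An unquoted path that itself contains
    spaces is ambiguous; only its first token is returned.
    """
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split()[0] if value else ""


def fingerprint(path: str) -> dict:
    """SHA-256 and size of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": os.path.getsize(path)}


def build_baseline(run_values: dict) -> dict:
    """Record path, hash and size for every executable a Run value references."""
    baseline = {}
    for name, value in run_values.items():
        exe = executable_from_run_value(value)
        entry = {"path": exe}
        if os.path.isfile(exe):
            entry.update(fingerprint(exe))
        else:
            entry["missing"] = True
        baseline[name] = entry
    return baseline


def check_run_entries(run_values: dict, baseline: dict) -> list:
    """Compare the current Run values against the baseline and list deviations."""
    findings = []
    for name, value in run_values.items():
        exe = executable_from_run_value(value)
        ref = baseline.get(name)
        if ref is None:
            findings.append(f"NEW Run entry {name!r} -> {exe}")
            continue
        if ref["path"] != exe:
            findings.append(f"Run entry {name!r} now points at {exe} (was {ref['path']})")
            continue
        if not os.path.isfile(exe):
            if not ref.get("missing"):
                findings.append(f"Run entry {name!r}: {exe} is missing")
            continue
        cur = fingerprint(exe)
        if ref.get("sha256") and cur["sha256"] != ref["sha256"]:
            delta = cur["size"] - ref["size"]
            # A hash change with growth is the signature of an appender infection.
            hint = f", grew by {delta} bytes (appender-style change)" if delta > 0 else ""
            findings.append(f"Run entry {name!r}: {exe} hash changed{hint}")
    for name in baseline.keys() - run_values.keys():
        findings.append(f"Run entry {name!r} removed")
    return findings


def demo() -> list:
    """Constructed scenario: baseline a clean program, then simulate an appender
    modifying it and a new Run entry appearing. Returns the findings."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "app.exe")
        with open(exe, "wb") as f:
            f.write(b"MZ" + b"\x00" * 510)  # constructed stand-in for a real executable
        run_values = {"ExampleApp": f'"{exe}" /background'}  # hypothetical Run value
        baseline = build_baseline(run_values)
        with open(exe, "ab") as f:
            f.write(b"X" * 4096)  # constructed: bytes appended to the program
        run_values["NewEntry"] = f'"{os.path.join(d, "ie7.0.exe")}"'  # hypothetical new entry
        return check_run_entries(run_values, baseline)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real Windows host the Run values would be read from the HKLM and HKCU `...\Windows\CurrentVersion\Run` keys and the baseline stored off-box, so that a worm which patches system files cannot also rewrite the reference copy.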
“Worms like this are only succeeding in spreading because so many people have still not learned to be suspicious of unsolicited e-mails, even if they claim to come from well-known companies like Microsoft,” said Graham Cluley, senior technology consultant for Sophos. “The problem is that to the casual observer the e-mail looks genuine, and the image displayed looks near-identical to the imagery that Microsoft is using on its Web site to promote Internet Explorer 7.0.”
Indeed, this isn’t the first time that malware has posed as a download from Microsoft. “There have been many occasions when virus writers have coded attacks that have presented themselves as communications from Microsoft,” Cluley noted. “In 2003 the Gibe-F worm (also known as Swen) posed as a critical security update from the software giant, and two years ago hackers directed Internet users to a bogus Web site masquerading as Microsoft’s update page.”
Banking on Trust
“Because the e-mail purports to be from Microsoft, it’s not unlike one that purports to be from your bank,” Ronald O’Brien, senior security analyst for Sophos, told TechNewsWorld. “It appears to be coming from a legitimate organization with which you probably have a relationship and from which you have probably downloaded stuff before. You have every reason to believe it’s a legitimate e-mail — it makes you suspend your suspicion.”
The recent release of Microsoft Windows Vista and publicity about the benefits of Explorer 7 also make the hoax more likely to pique readers’ interest and gullibility, O’Brien added. “Calling it beta 2 also suggests more functionality,” he pointed out. “That all sets the stage for this type of campaign to be very successful.”
Users with up-to-date antivirus software, including that from Sophos, will be protected against the virus, O’Brien explained. Unfortunately, not all users are scrupulous about performing updates.
A Hard Lesson
“This is a lesson to those who have not yet realized the value of updating,” he cautioned. “If it doesn’t happen automatically, many people choose to defer updates. Later becomes tomorrow, tomorrow becomes next week, and before you know it, you’re no longer running up-to-date antivirus software.”
Updating the operating system with patches is also critical, O’Brien said, because malware is capable of exploiting additional vulnerabilities when it determines there are missing patches.
“When you receive an e-mail purporting to offer an update to any application, the best suggestion is, don’t believe it,” added Shane Coursen, senior technical consultant with Kaspersky Lab.
“If you do think it’s real, don’t click on any links,” Coursen told TechNewsWorld. “Instead, manually start your Internet browser, physically type in the name of the Web site you want to visit, and see if they’re actually offering the updates described in the e-mail.”