Re: Suspicious email allegedly from Microsoft
From: EJG (ejg.net_at_verizon.net)
Date: 09/20/03
- Next message: Larry Samuels MS-MVP XP (Shell/User): "Re: the SP 1 update"
- Previous message: Larry Samuels MS-MVP XP (Shell/User): "Re: I receive an email from MS today...."
- In reply to: Larry Samuels MS-MVP XP (Shell/User): "Re: Suspicious email allegedly from Microsoft"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 20 Sep 2003 01:36:08 GMT
I must have received over 150 such emails today alone. I think all with an
attached file that is 106kb big. The attachments have different file names.
I am also receiving, today, a bunch of emails indicating the following:
"I'm sorry I wasn't able to deliver your message to the following addresses:
Undelivered message to ljqoppbl@aol.com "
The email addresses are of course different and the attachment is a file 106kb
long. I sent two batches of these files to abuse@verizon.net. I have not
heard from Verizon, but it has only been the last couple of hours.
Message follows:
"Larry Samuels MS-MVP XP (Shell/User)" <larry@mvps.org> wrote in message
news:%23MEe8mwfDHA.408@TK2MSFTNGP10.phx.gbl...
> Microsoft never sends unsolicited files by email.
> DO NOT open the file--it is NOT from MS.
> REPEAT: Microsoft NEVER sends unsolicited files by email.
>
> It is a virus masquerading as MS security.
> The most recent is W32/Swen@MM which can be removed with Stinger
> http://vil.nai.com/vil/stinger/
>
> The others circulating are dumaru.b
> http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru.b@mm.html
> or a variant of the gibe worm.
> Removal tool for gibe is at
> http://securityresponse.symantec.com/avcenter/venc/data/w32.gibe@mm.removal.tool.html
>
>
> PSS Security Response Team Alert - New E-Mail Worm: W32/Swen@MM
>
> SEVERITY: MODERATE
> DATE: September 18, 2003
> PRODUCTS AFFECTED: Microsoft Outlook, Microsoft Outlook Express, and
> Web-based e-mail
>
> **********************************************************************
>
> WHAT IS IT?
> W32/Swen@MM spreads via e-mail and network shares. The Microsoft
> Product Support Services Security Team is issuing this alert to advise
> customers to be on the alert for this virus as it spreads in the wild.
> Customers are advised to review the information and take the appropriate
> action for their environments.
>
> IMPACT OF ATTACK: Mass Mailing, disabling processes related to security
> software such as antivirus and firewall software
>
> TECHNICAL DETAILS:
> For additional details on this worm from anti-virus software vendors
> participating in the Microsoft Virus Information Alliance (VIA) please
> visit the following links:
>
> Network Associates:
>
> http://vil.nai.com/vil/content/v_100662.htm
>
> Trend Micro:
>
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A
>
> Symantec
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html
>
> Computer Associates:
>
> http://www3.ca.com/virusinfo/virus.aspx?ID=36939
>
> For more information on Microsoft's Virus Information Alliance please
> visit this link: http://www.microsoft.com/technet/security/virus/via.asp
>
>
> Please contact your Antivirus Vendor for additional details on this
> virus.
>
>
> PREVENTION:
>
> 1. This worm is exploiting a previously patched vulnerability. The
> vulnerability exploited is related to the following Microsoft Security
> Bulletin:
> http://www.microsoft.com/technet/security/bulletin/ms01-020.asp
>
> As always, customers are advised to install the latest security patch
> for Internet Explorer. Information on the latest cumulative security
> patch for
> Internet Explorer can be found here:
> http://www.microsoft.com/technet/security/bulletin/MS03-032.asp
>
> 2. Outlook 2000 post SP2 and Outlook XP SP1 include the most recent
> updates to improve the security in Outlook and other Office programs.
> This includes the functionality to block potentially harmful attachment
> types. If you are running either of these versions, they will (by
> default) block the attachment, and you will be unable to open it.
>
> To ensure you are using the latest version of Office click here:
> http://office.microsoft.com/ProductUpdates/default.aspx
>
> By default, Outlook 2000 pre SR1 and Outlook 98 did not include this
> functionality, but it can be obtained by installing the Outlook E-mail
> Security Update. More information about the Outlook E-mail Security
> Update can be found here:
>
> http://office.microsoft.com/Downloads/2000/Out2ksec.aspx
>
> Outlook Express 6 can be configured to block access to
> potentially-damaging attachments. Information about how to configure
> this can be found here:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q291387
>
> Outlook Express all other versions: Previous versions of Outlook Express
> do not contain attachment-blocking functionality. Please exercise
> extreme caution when opening unsolicited e-mail messages with
> attachments.
>
> Web-based e-mail programs: Use of a program-level firewall can protect
> you from being infected with this virus through Web-based e-mail
> programs.
>
> RECOVERY:
> If your computer has been infected with this virus, please contact your
> preferred antivirus vendor or Microsoft Product Support Services for
> assistance with removing it.
>
> TECHNET SECURITY LINK:
> http://www.microsoft.com/technet/security/virus/alerts/swen.asp
>
> As always please make sure to use the latest Anti-Virus detection from
> your Anti-Virus vendor to detect new viruses and their variants.
>
> If you have any questions regarding this alert please contact your
> Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the
> US, outside of the US please contact your local Microsoft Subsidiary.
> Support for virus related issues can also be obtained from the Microsoft
> Virus Support Newsgroup which can be located by clicking on the
> following link
> news://msnews.microsoft.com/microsoft.public.security.virus.
>
> PSS Security Response Team
>
> --
> Larry Samuels MS-MVP (Windows-Shell/User)
> Associate Expert
> Unofficial FAQ for Windows Server 2003 at
> http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> "Duncan" <cduncanf@yahoo.com> wrote in message
> news:139801c37f06$7ea96d70$a001280a@phx.gbl...
> > I received an email allegedly from Microsoft but I am
> > suspicious. A family member received the same one and
> > installed it and now her system is hosed up and gives the
> > following error messages:
> > "Memory access violation in module kernel 32 at
> > 8445:44892326" when booting up XP.
> >
> > When trying to access any other program it says:
> > "Windows cannot access the specified device, path, or
> > file. You may not have the appropriate permissions to
> > access the item."
> >
> > It came with a file called "qvqfx.exe" which my Outlook
> > did not allow on to my system.
> >
> > This is the sender info:
> > Microsoft Program Security Section
> > [nufsnxos_hfmcir@confidence.com]
> >
> > Subject is "Current Microsoft Upgrade"
> >
> > I can not find the qvqfx.exe file on the Symantec site.
> > Any thoughts/suggestions? Who do i report this to for
> > investigation? How can I repair the infected system,
> > short of reinstalling the OS?
> > Thanks
>
>
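
The attachment blocking and the sender mismatch discussed in this thread, as an added Python example (not part of the original posts and not Microsoft's or Outlook's code): it flags a message whose display name claims Microsoft while the address is on another domain, and any attachment with an executable extension. The extension list, the trusted-domain set and the sample message are assumptions, constructed from the sender, subject and file name quoted above.

```python
from email import message_from_string
from email.utils import parseaddr

# Extensions treated as executable here: an illustrative subset, not Outlook's actual block list.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat"}
CLAIMED_BRAND = "microsoft"
BRAND_DOMAINS = {"microsoft.com"}  # assumption: domains accepted for that brand

def triage(raw):
    """Return a list of reasons the message should be quarantined (empty = pass)."""
    msg = message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    trusted = domain in BRAND_DOMAINS or any(domain.endswith("." + d) for d in BRAND_DOMAINS)
    if CLAIMED_BRAND in name.lower() and not trusted:
        reasons.append(f"display name claims {CLAIMED_BRAND} but sender domain is {domain}")
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue
        # Compare only the final extension so "update.txt.exe" is still caught.
        ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        if ext in BLOCKED_EXT:
            reasons.append(f"executable attachment {fname}")
    return reasons

# Constructed sample built from the details Duncan reported (sender, subject, file name).
SAMPLE = """\
From: Microsoft Program Security Section <nufsnxos_hfmcir@confidence.com>
Subject: Current Microsoft Upgrade
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please install the attached upgrade.
--b1
Content-Type: application/octet-stream; name="qvqfx.exe"
Content-Disposition: attachment; filename="qvqfx.exe"

(constructed placeholder, no real payload)
--b1--
"""

if __name__ == "__main__":
    for reason in triage(SAMPLE):
        print("QUARANTINE:", reason)
```
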