Worm poses as Internet Explorer 7 beta download

Adam Turner
Saturday, 31 March 2007 01:35

Your IT - Home IT

A convincing email supposedly from Microsoft, inviting users to download a beta version Internet Explorer 7.0, actually links to a worm, warns security research Sophos.

The email claims to come from This e-mail address is being protected from spambots. You need JavaScript enabled to view it and has the subject line "Internet Explorer 7 Downloads". Rather than containing an infected attachment, the email contains an image linking to a file called ie7.0.exe which is infected by the W32/Grum-A worm.

"Worms like this are only succeeding in spreading because so many people have still not learnt to be suspicious of unsolicited emails, even if they claim to come from well-known companies like Microsoft," said Graham Cluley, senior technology consultant for Sophos.

"The problem is that to the casual observer the email looks genuine, and the image displayed looks near-identical to the imagery that Microsoft is using on its website to promote Internet Explorer 7.0. Clicking on the image, however, doesn't download the real beta - but malicious code straight from the hackers."

The Grum worm is an appender virus which infects executable files referenced by Run keys in the Windows Registry. When run it copies itself to <Temp>\winlogon.exe and makes changes to the Registry. It also edits the HOSTS file, injecting a thread into system.dll and attempts to patch the system files ntdll.dll and kernel32.dll.

Sophos experts note that this isn't the first time that malware has posed as a download from Microsoft.

"There have been many occasions when virus writers have coded attacks that have presented themselves as communications from Microsoft," Cluley says. "For instance, in 2003 the Gibe-F worm (also known as Swen) posed as a critical security update from the software giant, and two years ago hackers directed internet users to a bogus website masquerading as Microsoft's update page."