Important Microsoft Security Update by email is malware


We all know by now, I do hope so, that Microsoft distributes its updates through the automatic update feature built into the Windows OS or through the Windows Update web site reachable from the Start menu. If you receive an email claiming to come from Microsoft about an important security update, and that email contains a link to some executable, you should treat it as malware.

MX Lab intercepted a new sample of such an email from “Microsoft Corporation <securitydept@microsoft.ssl.com>” with the subject “Important Windows Xp/Vista Security Update!”.

The message warns about a recent outbreak of the Conficker worm that has infected 15 million Windows users, and claims that the worm has already been updated and is now harder to detect. The alleged security update notification recommends installing the removal tool remtool_conf.exe, which can be downloaded from hxxp://windowsupdate.microsoft.com.ssl3.pop3.ru/remtool_conf.exe. Note that the real registered domain of that link is pop3.ru; “windowsupdate.microsoft.com” is only a subdomain chosen to look legitimate.

The email gives clear instructions on how to install remtool_conf.exe:

Usage Instructions:
download file
click remtool_conf.exe and let it scan..
you are advised to disable your already existing antivirus software prior to running the removal tool to avoid conflicts.

The message also points to a February 2009 online article at Network World to give the reader the impression that this is a real threat. Well, the Conficker worm is a threat, but this “removal tool” won’t come to the rescue when your computer is infected.
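As an added defensive example (not code from the MX Lab post), the following Python flags the two tricks this lure relies on: a trusted brand name buried in a subdomain of a different registrable domain, and a mailed link to an executable. The sample message is constructed from the sender, subject and URL quoted above, and TRUSTED is an assumed allowlist.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domain an organisation actually trusts for Microsoft update notices (assumption).
TRUSTED = "microsoft.com"

# Constructed sample built from the sender, subject and download URL quoted in
# the post (hxxp:// kept defanged); not the real intercepted message.
SAMPLE_EMAIL = """\
From: Microsoft Corporation <securitydept@microsoft.ssl.com>
Subject: Important Windows Xp/Vista Security Update!

Please download and run the removal tool from
hxxp://windowsupdate.microsoft.com.ssl3.pop3.ru/remtool_conf.exe
"""

URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s<>\"']+", re.IGNORECASE)

def registrable_domain(host: str) -> str:
    """Last two labels of a host name (enough for .com/.ru lures):
    windowsupdate.microsoft.com.ssl3.pop3.ru -> pop3.ru"""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def spoofs(host: str, trusted: str = TRUSTED) -> bool:
    """True when the trusted brand appears as a label inside host but the
    part that is actually registered (and controlled) belongs to someone else."""
    brand = trusted.split(".")[0]                 # "microsoft"
    labels = host.lower().rstrip(".").split(".")
    return brand in labels and registrable_domain(host) != trusted

def analyse(raw: str) -> list:
    """Return (reason, value) findings for a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if spoofs(sender):
        findings.append(("spoofed-sender-domain", sender))
    for url in URL_RE.findall(msg.get_payload()):
        host = urlsplit(re.sub(r"^hxxp", "http", url, flags=re.I)).hostname or ""
        if spoofs(host):
            findings.append(("spoofed-link-domain", host))
        if url.lower().endswith(".exe"):          # real updates never arrive as a mailed .exe link
            findings.append(("executable-download", url))
    return findings
```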

When we ran the malware for analysis, it displayed an installation screen with the title Symantec Trojan.Brisv.A Removal Tool 2.1.0.7 EULA.

The malware will create the following files:

%Temp%\nsf3.tmp\webexplorer.exe
%Programs%\Startup\winupdate.exe
%System%\fixbrisa.log

And a directory at:

%Temp%\nsf3.tmp

New processes will be started:

fixbrisa.exe
webexplorer.exe
ns9.tmp

The Windows service wscsvc, which is the Windows Security Center, is stopped.

The malware also contacts hxxp://makemymoneys.com/install/winupdate.exe. This is another malicious file of about 130 kB, detected by Symantec as Suspicious.MH690.