Zone Labs Security Advisory

Severity: Medium

Microsoft Windows XP SP1 Update Hoax/Xombe Trojan

Overview: An unsolicited email purports to be an update to Microsoft Windows XP. When the attached program is executed, it installs a Trojan program on the victim's machine, allowing the attacker to compromise the system.

Date Published: January 9, 2004
Last Update: January 9, 2004

Impact: An attacker can take control of the compromised system, gaining access to all information on that PC, and accessing any network it is connected to as that system.

Description: An unsolicited email that appears to be sent from "windowsupdate@microsoft.com" with a subject of "Windows XP Service Pack 1 (Express) - Critical Update" is being sent to random users on the Internet. This email is designed to cause victims to install a Trojan horse program which has been named "Xombe."

The Trojan is installed in a two-step process. The email sent to users contains an attachment named "winxp_sp1.exe." When the attachment is executed, it downloads a second program named "msvchost.exe" from a pre-determined website, installs itself so that it runs every time the system starts, and sends certain information about the system back to the website.
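A mail-gateway style check for the indicators named in the description above (sender, subject, attachment name), shown as an added example that is not part of the Zone Labs advisory or any Zone Labs product. The extension list, function names and sample messages are assumptions constructed for illustration; the From header is forgeable, so each match is an indicator rather than proof of origin.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the advisory text.
HOAX_SENDER = "windowsupdate@microsoft.com"
HOAX_SUBJECT = "windows xp service pack 1 (express) - critical update"
HOAX_ATTACHMENT = "winxp_sp1.exe"
# Assumption: a site-chosen list of attachment extensions treated as executable.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def check_message(raw_bytes):
    """Return the reasons a raw RFC 822 message matches the hoax profile."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    if HOAX_SENDER in str(msg.get("From", "")).lower():
        reasons.append("from-address matches hoax sender")
    # Collapse whitespace so a folded Subject header still compares equal.
    subject = " ".join(str(msg.get("Subject", "")).lower().split())
    if subject == HOAX_SUBJECT:
        reasons.append("subject matches hoax subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if not name:
            continue  # body parts and multipart containers carry no filename
        if name == HOAX_ATTACHMENT:
            reasons.append("attachment named " + HOAX_ATTACHMENT)
        elif name.endswith(EXECUTABLE_EXTS):
            reasons.append("executable attachment: " + name)
    return reasons

def build_sample(sender, subject, filename):
    """Build a constructed test message; the payload is inert placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.org", subject
    m.set_content("Please install the attached update.")
    m.add_attachment(b"constructed placeholder, not a program",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    hoax = build_sample("Windows Update <windowsupdate@microsoft.com>",
                        "Windows XP Service Pack 1 (Express) - Critical Update",
                        "winxp_sp1.exe")
    for reason in check_message(hoax):
        print("QUARANTINE:", reason)
```

Any non-empty result is grounds to quarantine the message before it reaches a POP3 or IMAP client.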

Zone Labs Products: All computers employing ZoneAlarm® Pro, or ZoneAlarm Plus with inbound MailSafe protection enabled, are protected from executing the Xombe Trojan.

Recommended Actions: Users of POP3 or IMAP based mail software such as Outlook Express or Eudora should enable inbound MailSafe protection in ZoneAlarm Pro. Note that inbound MailSafe protection is normally enabled by default. ZoneAlarm users should consider upgrading to ZoneAlarm Pro to take advantage of the MailSafe protection feature.

Install and update antivirus software which protects against the Xombe Trojan.

Do not execute unsolicited programs received via email.

Contact: Zone Labs customers who are concerned about these vulnerabilities or have additional technical questions may reach our Technical Support group at: http://www.zonelabs.com/store/content/support/support.jsp.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Zone Labs and Zone Labs products are registered trademarks of Zone Labs Incorporated and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Copyright: ©2004 Zone Labs LLC. All rights reserved. Zone Labs, TrueVector, ZoneAlarm, and Cooperative Enforcement are registered trademarks of Zone Labs LLC. The Zone Labs logo, Check Point Integrity and IMsecure are trademarks of Zone Labs LLC. Check Point Integrity protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat. & TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC. All other trademarks are the property of their respective owners.

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Zone Labs. Reprinting the whole or part of this alert in any medium other than electronically requires permission from Zone Labs.

 


©1999-2006 Zone Labs LLC All rights reserved.