Author Topic: "Department of safety a microsoft" <security@microsoft.co  (Read 3575 times)

Offline Jack W

  • TS Addict
  • Posts: 2597
"Department of safety a microsoft" <security@microsoft.co
« on: June 05, 2006, 09:42:23 AM »
This morning I received an Email from (above)

I have had Windows XP Professional installed on my Mac under a windows emulator in the past. However, I removed the emulator some time ago, and all vestiges thereof, including WXPP.

I have never! (over a span of several years) had an Email from M$ about any of the thousands of vulnerabilities in Windows XP or IE or other.

Now this comes along. When I enter the URL as specified in my URL field, I get the following screen message:

  "The system cannot find the file specified."

The text of the message was:
________________________________
From: Department of safety a microsoft <security@microsoft.com>
Date: Mon, 05 Jun 2006 14:44:49 +0200
To: myemailaddress
Subject: Microsoft Windows Explorer Remote Code Execution Vulnerability

A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to take complete control of an affected system. This flaw is due to an error in Windows Explorer that does not properly handle certain COM objects, which could be exploited by remote attackers to execute arbitrary commands by convincing a user to visit a web page that could force a connection to a remote file server containing specially crafted files and directories that invoke malicious code.

Affected Products
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Solution
Apply patches :
(The URL was:) htttp/www.m$.com/patches/patch=ms04685.exe (intentionally mis-spelled)
_________________

It sure sounds bogus to me.

The following is the Raw Source:
-------------------------------------------------
From security@microsoft.com Mon Jun  5 10:07:37 2006
Return-path: <httpd@wnx-11.seeweb.it>
Received: from ms-mta-01 (ms-mta-01 [10.24.14.215])
 by ms-mss-02.columbus.rr.com
 (iPlanet Messaging Server 5.2 HotFix 2.10 (built Dec 26 2005))
 with ESMTP id <0J0E00AZS0QSAQ@ms-mss-02.columbus.rr.com> for
 jwenrick@neo.rr.com; Mon, 05 Jun 2006 08:44:52 -0400 (EDT)
Received: from clmboh-mx-11.mgw.rr.com (clmboh-mx-11.mgw.rr.com [65.24.7.65])
 by ms-mta-01.columbus.rr.com
 (iPlanet Messaging Server 5.2 HotFix 2.10 (built Dec 26 2005))
 with ESMTP id <0J0E00CQO0QK0X@ms-mta-01.columbus.rr.com> for
 jwenrick@neo.rr.com (ORCPT jwenrick@neo.rr.com); Mon,
 05 Jun 2006 08:44:52 -0400 (EDT)
Received: from wnx-11.seeweb.it ([212.25.170.81]) by clmboh-mx-11.mgw.rr.com
 with ESMTP; Mon, 05 Jun 2006 08:44:51 -0400
Received: from wnx-11.seeweb.it (localhost [127.0.0.1])
    by wnx-11.seeweb.it (8.12.3/8.12.3/Debian-6.6) with ESMTP id k55CinXd009959
    for <jwenrick@neo.rr.com>; Mon, 05 Jun 2006 14:44:49 +0200
Received: (from httpd@localhost)    by wnx-11.seeweb.it (8.12.3/8.12.3/Debian-6.6)
 id k55CinLW009955; Mon, 05 Jun 2006 14:44:49 +0200
Date: Mon, 05 Jun 2006 14:44:49 +0200
From: Department of safety a microsoft <security@microsoft.com>
Subject: Microsoft Windows Explorer Remote Code Execution Vulnerability
To: jwenrick@neo.rr.com
Message-id: <200606051244.k55CinLW009955@wnx-11.seeweb.it>
MIME-version: 1.0
Content-type: text/html; charset=iso-8859-1
Original-recipient: rfc822;jwenrick@neo.rr.com


A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to take complete control of an affected system. This flaw is due to an error in Windows Explorer that does not properly handle certain COM objects, which could be exploited by remote attackers to execute arbitrary commands by convincing a user to visit a web page that could force a connection to a remote file server containing specially crafted files and directories that invoke malicious code. <br> <br>

Affected Products <br>

Microsoft Windows 2000 Service Pack 4 <br>
Microsoft Windows XP Service Pack 1 <br>
Microsoft Windows XP Service Pack 2 <br>
Microsoft Windows XP Professional x64 Edition <br>
Microsoft Windows Server 2003 <br>


Solution <br>

Apply patches : <br>
<a href="http://www.domestictunerz.com/lang/en/patch-ms04685.exe" onmouseout="window.status=""" onmouseover="window.status="http://www.microsoft.com/patches/patch-ms04685.exe";return true">http://www.microsoft.com/patches/patch-ms04685.exe</a>
-----------------------------------------------
Weirdoooooo!

Jack
« Last Edit: June 05, 2006, 09:44:00 AM by Jack W »
Good to be Here.

My Macs: 2010 27" alum iMac 2.8GHz, Snow Leopard 10.6.8/Mavericks 10.9.5, 4GB SDRAM (Workhorse),
13” Late 2010 MacBook Pro 2.4GHz, 10.6.8, 2GB SDRAM,
(2) External HD - Firewire/USB Macally Enclosures  with 1TB Hitachi Drives,
Time Machine external drive - ditto above - 1/2 TimeMac
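The raw source Jack posted already gives the game away, and the following added example (not from the thread) runs the checks a mail gateway or an analyst would run on it: compare the From: domain with the Return-path, walk the Received: chain from the bottom up to the first public hop, and read the Message-id domain. The headers are abridged from the raw source quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged copy of the headers from the raw source quoted in the thread.
RAW_HEADERS = """\
Return-path: <httpd@wnx-11.seeweb.it>
Received: from ms-mta-01 (ms-mta-01 [10.24.14.215])
 by ms-mss-02.columbus.rr.com; Mon, 05 Jun 2006 08:44:52 -0400 (EDT)
Received: from clmboh-mx-11.mgw.rr.com (clmboh-mx-11.mgw.rr.com [65.24.7.65])
 by ms-mta-01.columbus.rr.com; Mon, 05 Jun 2006 08:44:52 -0400 (EDT)
Received: from wnx-11.seeweb.it ([212.25.170.81]) by clmboh-mx-11.mgw.rr.com
 with ESMTP; Mon, 05 Jun 2006 08:44:51 -0400
Received: from wnx-11.seeweb.it (localhost [127.0.0.1])
 by wnx-11.seeweb.it (8.12.3/8.12.3/Debian-6.6) with ESMTP id k55CinXd009959
Received: (from httpd@localhost) by wnx-11.seeweb.it (8.12.3/8.12.3/Debian-6.6)
 id k55CinLW009955; Mon, 05 Jun 2006 14:44:49 +0200
From: Department of safety a microsoft <security@microsoft.com>
To: jwenrick@neo.rr.com
Message-id: <200606051244.k55CinLW009955@wnx-11.seeweb.it>
"""

# "from <host> (<optional reverse name> [<ip>])" as most MTAs write it.
HOP_RE = re.compile(r"from\s+(\S+)\s+\([^)\[]*\[(\d+(?:\.\d+){3})\]\)")
PRIVATE = ("10.", "127.", "192.168.")  # loopback and common internal ranges

def header_domain(value):
    """Lower-cased domain of the first address in a header value."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def analyse(raw):
    msg = message_from_string(raw)
    claimed = header_domain(msg["From"])
    bounce = header_domain(msg["Return-path"])
    # Each relay prepends its own Received: line, so reading the list from the
    # bottom gives the path in time order; the first public hop is the origin.
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(received.split()))
        if m and not m.group(2).startswith(PRIVATE):
            hops.append((m.group(1), m.group(2)))
    return {
        "from_domain": claimed,
        "return_path_domain": bounce,
        "sender_mismatch": claimed != bounce,
        "origin": hops[0] if hops else None,
        "message_id_domain": (msg["Message-id"] or "").rpartition("@")[2].strip(">"),
    }
```

Run `analyse(RAW_HEADERS)` and the three independent signals agree: the bounce address, the first public relay and the Message-id all belong to wnx-11.seeweb.it, not microsoft.com.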

Offline gunug

  • TS Addict
  • Posts: 6710
  • TS Palindrome
"Department of safety a microsoft" <security@microsoft.co
« Reply #1 on: June 05, 2006, 10:00:58 AM »
I have heard lots of times that Microsoft is not going to send emails to end-users so I think you can drop this in the round container.  This is also the same email that Jepinto is referring to in:

http://www.techsurvivors.net/forums/index....showtopic=12791
« Last Edit: June 05, 2006, 10:02:30 AM by gunug »
"If there really is no beer in heaven then maybe at least the
computers will work all of the time!"

Offline dboh

  • Super Duper Poster
  • Posts: 484
"Department of safety a microsoft" <security@microsoft.co
« Reply #2 on: June 05, 2006, 11:24:51 AM »
Heck, I got the same e-mail, and Microsoft doesn't even have my address!

Offline Epaminondas

  • TS Addict
  • Posts: 1247
"Department of safety a microsoft" <security@microsoft.co
« Reply #3 on: June 05, 2006, 11:39:29 AM »
Jack,


I received two copies of the same message that you did.

I normally send and receive emails in "text" format for basic security reasons - i.e. to avoid just such scams as this one in the first place. So all I saw initially was a blank page.

Knowing that it was likely a scam, I went ahead and turned on html in my email. And I then saw the text you did.

On displaying the html email Thunderbird 1.5 (my email client) produced - without prompting on my part - a yellow alert banner across the top of the email message reading:

QUOTE
! Thunderbird thinks this message might be an email scam.

Since I am running a Linux box - immune to such Windows scams - I decided to amuse myself by investigating further and clicking on the link embedded in the email.  Do NOT do this at home if you are running a Windows machine!

The embedded link in the email that I clicked seemed to read:

http://www.microsoft.com/patches/patch-ms04685.exe

which is a site that does not actually exist.

However, when I clicked on this embedded link in Thunderbird, I was warned as follows:

QUOTE
Thunderbird thinks this site is suspicious!  It may be trying to impersonate the web page you want to visit.  Are you sure you want to visit www.domestictunerz.com?

Ahhh . . . a classic scam.

Now by this time I was not sure that I really wanted to visit www.domestictunerz.com - certainly not via a bogus embedded link in my email.

So - I fired up my seriously hardened Firefox 1.5.x.x web browser and away I went to www.domestictunerz.com. And this is what I found:

QUOTE
IPB WARNING [2] mysql_connect() [function.mysql-connect]: Too many connections (Line: 115 of /ips_kernel/class_db_mysql.php)
 
    There appears to be an error with the database.
    You can try to refresh the page by clicking here.

    Error Returned
    mySQL error: Too many connections mySQL error code: Date: Monday 05th 2006f June 2006 11:39:09 AM

    We apologise for any inconvenience

"Too many connections . . ."

Jepinto asked in the title of the other thread:

QUOTE
OT-Wonder how many will fall for this?

Answer - enough to overwhelm the scammer's web site with too many connections.

Oh - the web site eventually did try to download an .exe - so the site is still up and running and still doing evil -  but I declined the dishonour. That is as much investigation as I am pursuing - if anyone wants to investigate the ownership of the www.domestictunerz.com web site, feel free.  It might be interesting to see what country in which the web site is registered.


Note - not all sneaky emails are this obvious and this poorly done.

If your email client software did not warn you about this email likely being a scam email, you might want to consider migrating to a better email client.


The Thunderbird email client is both very feature rich and very security conscious.  IMAP, POP, SSL 3.0, TLS, anti-phishing, anti-spam, spell-checking, search, etc., etc., etc.  And Thunderbird makes security alerts for email scams as clear to the user as possible.

Thunderbird makes this kind of scam hard to miss.

Excellent support community.  

Thunderbird is cross platform - Macintosh, Linux and Windows - so once you get accustomed to using Thunderbird you can get the same email client on 'most any operating system you may be using.

And of course - Thunderbird is free:

http://www.mozilla.com/thunderbird/all.html

http://www.mozilla.com/thunderbird/

http://www.mozilla.org/support/thunderbird/faq.html

http://opensourcearticles.com/introduction_to_thunderbird

http://forums.mozillazine.org/viewforum.php?f=39


Take care -

Epaminondas
« Last Edit: June 05, 2006, 11:45:27 AM by Epaminondas »

Offline antony

  • Super Duper Poster
  • Posts: 301
  • http://ant.sillydog.org/
"Department of safety a microsoft" <security@microsoft.co
« Reply #4 on: June 05, 2006, 11:43:26 AM »
QUOTE(Jack W @ Jun 6 2006, 12:42 AM)

There's a quick way to reveal the actual URL of the link. If you use Mail.app, simply move your mouse over the link and wait a few seconds. You will see the actual link being revealed as a "tooltip" if it does not match what it appeared to be. (see screenshot below)


And when the actual link does not match the link that appears, 9.9 out of 10 it's a scam, spoof, or phishing email.

It is also a good idea to know the URL format.

The URL can contain login and password in following format:
http://user:pass@url.com/

hence, http://www.paypal.com: randomstring@123.123.123.123/ actually links to 123.123.123.123

My 7.01 cents.
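The two checks Antony describes (compare the displayed link with the real href, and watch for the user:pass@host form) can be done mechanically. This added example is not from the thread: it parses the anchor from Jack's raw source (with the broken status-bar attributes left out) plus a constructed user:pass@host anchor, and reports the host a browser would actually connect to.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# First anchor: the href and link text from the raw source in the thread, with
# the malformed onmouseover/onmouseout attributes omitted.  Second anchor:
# constructed to show the user:pass@host form Antony mentions.
SAMPLE_BODY = (
    '<a href="http://www.domestictunerz.com/lang/en/patch-ms04685.exe">'
    'http://www.microsoft.com/patches/patch-ms04685.exe</a><br>'
    '<a href="http://www.paypal.com:randomstring@123.123.123.123/">Log in</a>'
)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def real_host(url):
    """Host a browser would connect to; anything before '@' is userinfo."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()

def check_link(href, shown):
    """Return (real host, list of reasons the link looks deceptive)."""
    target, reasons = real_host(href), []
    if urlsplit(href if "://" in href else "http://" + href).username:
        reasons.append("userinfo before '@' disguises the real host")
    if "." in shown and real_host(shown) not in ("", target):
        reasons.append(f"text shows {real_host(shown)} but link goes to {target}")
    return target, reasons

def scan_body(html):
    parser = LinkCollector()
    parser.feed(html)
    return [(href, shown, *check_link(href, shown)) for href, shown in parser.links]
```

`scan_body(SAMPLE_BODY)` flags both anchors: the first because its text names www.microsoft.com while the href goes to www.domestictunerz.com, the second because the "www.paypal.com" part is userinfo and the real host is 123.123.123.123.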

Offline sandbox

  • TS Addict
  • Posts: 7825
"Department of safety a microsoft" <security@microsoft.co
« Reply #5 on: June 05, 2006, 11:52:11 AM »
Sorry, we couldn't find any pages containing http-://www.microsoft.com/patches/patch-ms04685....
 
Some Search Tips:

    * Make sure all words are spelled correctly.
    * Try different keywords.

http://search.microsoft.com/results.aspx?q...n-US&FORM=QBME1


The title of the email is the title m$ uses for their warnings
Microsoft Windows Explorer Remote Code Execution Vulnerability
but this one is bogus, and is coming from many servers and many senders with holes in their security software.
« Last Edit: June 05, 2006, 11:56:05 AM by sandbox »

Offline kelly

  • TS Addict
  • Posts: 17035
"Department of safety a microsoft" <security@microsoft.co
« Reply #6 on: June 05, 2006, 11:53:59 AM »
I got mine.
kelly
Veteran SuperUser

Offline Jack W

  • TS Addict
  • Posts: 2597
"Department of safety a microsoft" <security@microsoft.co
« Reply #7 on: June 05, 2006, 07:57:37 PM »
QUOTE(Epaminondas @ Jun 5 2006, 12:39 PM)
Jack,
. . .
If your email client software did not warn you about this email likely being a scam email, you might want to consider migrating to a better email client.
. . .
Take care -

Epaminondas


E,

I did not click on the link in the message, but entered the link verbatim in my URL field.

I am using Apple Mail v1.2.5 (Jaguar version). - no warning, nor hover-over. I have the "Display images and embedded objects in HTML messages" turned off, yet the text in this Email showed up, as versus your experience. ??? I have since deleted the message.

I'm upgrading to Tiger soon, perhaps Apple Mail 2 has some of these features?

As you suggested, I should look into Thunderbird also.

Thanks, Jack
« Last Edit: June 05, 2006, 08:38:39 PM by Jack W »

Offline MacHeadCase

  • TS Addict
  • Posts: 1031
  • http://mhc.insidestretch.com/
"Department of safety a microsoft" <security@microsoft.co
« Reply #8 on: June 05, 2006, 08:18:18 PM »
I got the same email as Jack this morning and very rarely ever get any spam. In fact it had been months since I got the last one...

Offline Pascalin

  • TS Addict
  • Posts: 643
"Department of safety a microsoft" <security@microsoft.co
« Reply #9 on: June 05, 2006, 09:02:39 PM »
Me too!

QUOTE
Affected Products
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Solution
Apply patches :
"h t t p : //www.microsoft.com/patches/patch-ms04685.exe"


but if you click on the link you will go to: "h t t p : //www.domestictunerz.com/lang/en/patch-ms04685.exe"

I don't want to try it
« Last Edit: June 05, 2006, 09:06:26 PM by Pascalin »

Offline Epaminondas

  • TS Addict
  • Posts: 1247
"Department of safety a microsoft" <security@microsoft.co
« Reply #10 on: June 05, 2006, 09:15:13 PM »
Antony wrote:

QUOTE
There's a quick way to reveal the actual URL of the link. If you use Mail.app, simply, move your mouse over the link and wait a few seconds. You will see the actual link being revealed as "tooltip" if it does not match what it appeared to be. (see screenshot below)

I just tried this in Thunderbird.  If you place your mouse over any url embedded in the email, Thunderbird instantaneously gives the true underlying url at the lower left portion of the frame of the email.  If the two do not match, something is fishy.

(No offense intended towards any fish reading this).

I did not know this feature was there. I will use it in the future.

Thank you, Antony.

_____________________________________________________

Jack wrote:

QUOTE
I'm upgrading to Tiger soon, perhaps Apple Mail 2 has some of these features?

As you suggested, I should look into Thunderbird also.

Apple's Mail is likely more elegant and likely has greater ease of use than Thunderbird.

Thunderbird is likely uglier and likely has a steeper learning curve - and is likely much more customizable.

If you would like to give FOSS (Free and Open Software) a try, the Firefox web browser is probably the best place to begin.

Once you are comfortable with Firefox, Thunderbird is a good next step up the FOSS ladder.


Milady calls -

Epaminondas

Offline tacit

  • TS Addict
  • Posts: 1628
  • http://www.xeromag.com/
"Department of safety a microsoft" <security@microsoft.co
« Reply #11 on: June 11, 2006, 07:43:44 PM »
I got this email too.

This email is a fake. It was written by the author of a very widespread computer virus called W32/Klez.

No company--not Microsoft, not any other--actually sends out security bulletins by email, unless you specifically ask for them. The fake email you received is a virus email. If you have a Windows computer and you install the "update," you are now infected with a computer virus.

This particular technique--sending out fake "security updates" from forged "Microsoft security" email addresses in order to spread viruses--was very popular and very widespread a couple of years back, and then faded away when people started catching on. It looks like it's making a comeback, though.
A whole lot about me: www.xeromag.com/franklin.html