Network Computing is part of the Informa Tech Division of Informa PLC

Trojan Horse Poses As Windows XP Update

A new Swen-style Trojan horse posing as a critical update from Microsoft has been detected on the Internet, and users who open the e-mail message may find their machines loaded with a back-door Trojan that can steal passwords or be used in conjunction with other systems to conduct major denial-of-service (DoS) attacks.

Dubbed Trojan.Xombe (as in zombie) by most security firms, the Trojan shares some characteristics of the Swen worm family in that it masquerades as a message from Microsoft and purports to carry a security update in its file attachment. However, unlike Swen -- a worm which first appeared last September -- Trojan.Xombe doesn't self-replicate.

"This Trojan was spammed out to a large number of computers overnight," said Ken Dunham, the director of malicious code at iDefense, a Reston, Va.-based security intelligence firm. By spamming the Trojan out in bulk, attackers hope to infect hundreds, even thousands, of machines before users realize what is happening or anti-virus vendors can respond with updated definition files.

The faux message, which sports a spoofed sending address of [email protected], uses the subject line 'Windows XP Service Pack 1 (Express) -- Critical Update' to trick recipients into opening the attached file.

"Window [sic] Update has determined that you are running a beta version of Windows XP Service Pack 1 (SP1)," the message's text reads in part. "To help improve the stability of your computer, Microsoft recommends that you remove the beta version of Windows XP SP1 and re-install Windows XP SP1." The message goes on to urge the user to run the winxp_sp1.exe file attachment to re-install SP1, and recommends that anti-virus software be disabled, as it "may interfere with the installation."
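The lure described above combines several traits that a mail gateway can score together. As an added example, not code from the article or from any vendor, the following Python check parses a message and reports those traits; the sample message, its addresses and the attachment bytes are constructed placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")
LURE_PHRASES = ("critical update", "re-install", "interfere with the installation")

def build_sample() -> EmailMessage:
    """Constructed message modelled on the Xombe lure; addresses and bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "Windows Update <windowsupdate@example.invalid>"
    msg["Subject"] = "Windows XP Service Pack 1 (Express) -- Critical Update"
    msg.set_content(
        "Window Update has determined that you are running a beta version of "
        "Windows XP Service Pack 1 (SP1). Microsoft recommends that you re-install "
        "Windows XP SP1 by running winxp_sp1.exe. Anti-virus software may interfere "
        "with the installation, so please disable it first.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="winxp_sp1.exe")
    return msg

def parse_message(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)

def lure_indicators(msg: EmailMessage) -> list:
    """Return the lure traits found: each alone is weak, together they are telling."""
    hits = []
    subject = (msg["Subject"] or "").lower()
    if "update" in subject and ("critical" in subject or "service pack" in subject):
        hits.append("update-themed subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTS):
            hits.append("executable attachment: " + name)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    if "anti-virus" in body and "disable" in body:
        hits.append("asks user to disable anti-virus")
    if any(p in body for p in LURE_PHRASES):
        hits.append("update-lure phrasing in body")
    sender = (msg["From"] or "").lower()
    if ("microsoft" in sender or "windows update" in sender) and hits:
        hits.append("vendor-branded sender carrying lure content")
    return hits

def is_fake_update_lure(msg: EmailMessage) -> bool:
    # Vendors do not ship patches as e-mail attachments, so an executable plus any
    # other trait is enough to quarantine the message for review.
    hits = lure_indicators(msg)
    return any(h.startswith("executable attachment") for h in hits) and len(hits) >= 2
```

Feeding `parse_message` the raw bytes from a gateway or mailbox lets the same check run on real traffic, where the indicator list doubles as the reason recorded in the quarantine log.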
