Websense® Security Labs™ has received reports of a new email scam disguised as a Microsoft Security Update for the recent Plug and Play vulnerability. Users receive a spoofed message requesting that they download a critical patch for MS-05-479 in order to be protected from hackers and viruses.
Upon clicking the included URL they are directed to a fraudulent website hosted in Canada, which was up and running at the time of this alert. The site uses screenshots of the real Microsoft security update site. Included is a link to the patch which is a program called “plugandplayfix.exe”. The website URL is hosted on a machine which appears to have been compromised and simply has an IP address followed by
http://
Upon execution the Trojan Horse opens a backdoor on the machine, connects to an IRC channel, and modifies several system variables.
