9. A Tech Support Scam
This e-mail message purports to be from Microsoft. It looks very
real. The trouble is that Microsoft didn't send it.
We recently received the e-mail below, which claims to be from Microsoft.
Attached was a file with what were supposed to be the latest Windows security
The letter looks authentic. It uses Microsoft's style and all the links
go to the Microsoft Website. There is a TRUSTe link at the bottom. This
letter is a scam and the attachment is a virus. There are a few problems
with this letter, some obvious and some subtle:
- There is a typographical spelling error. There is no salutation, only
"Microsoft Customer". The opening sentence starts in lower
case: "this is...."
- The language used throughout the letter is generally a bit crude.
- The attachment is very small. Patch files are often quite large.
- Patch files are generally specific to your version of the operating
system. There is usually no single file that will patch all versions.
- If, as stated, this patch incorporates the functionality of all previous
patches it will be huge!
- Most mail systems will reject large attachments.
- More importantly, Microsoft never sends out patches. They might send
out a notice with a link to their Website but even that is not likely.
Their preferred method of providing patches is for you to go get them.
You can also enable automatic updates and receive them automatically
when they become available.
- And, finally, why is there a note stating that the names of the products
are trademarks of their respective owners? These are all Microsoft products
discussed in a letter that is supposedly from Microsoft.
The note to choose "Yes" when running the attached file is
also a tip-off to a problem. It is likely that Windows will advise that
the file is not digitally "signed" for your protection and thus
may not be trusted. By clicking "Yes" you are telling Windows
to ignore a possible security threat.
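The warning signs listed above can be checked mechanically before a message reaches a reader. The following is an added example, not part of the original article: the sample message, the indicator names, the extension list and the size cut-off are all assumptions made for illustration, and the attachment is inert filler bytes.

```python
import re
from email.message import EmailMessage

EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
SMALL_PATCH_BYTES = 1_000_000  # assumed cut-off; tune for your own mail flow

def build_sample():
    """Constructed message with the traits listed above; the attachment is inert filler."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Security <security@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Latest Security Patch"
    msg.set_content(
        "Microsoft Customer\n\n"
        "this is the latest security update.\n"
        "It incorporates all previous patches.\n"
        'Run the attached file. Choose "Yes" on the displayed dialog.\n\n'
        "Product names may be trademarks of their respective owners.\n"
    )
    msg.add_attachment(b"\x00" * (100 * 1024), maintype="application",
                       subtype="octet-stream", filename="Patch3172.exe")
    return msg

def triage(msg):
    """Return the checklist indicators that a parsed message trips, in order."""
    hits = []
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if lines and re.fullmatch(r"(dear\s+)?microsoft (customer|user)s?[,:]?", lines[0], re.I):
        hits.append("generic-salutation")
    if len(lines) > 1 and lines[1][0].islower():
        hits.append("lowercase-opening")
    if re.search(r"\b(choose|click|press)\s+\W?yes\b", body, re.I):
        hits.append("asks-to-approve-prompt")
    if re.search(r"trademarks of their respective owners", body, re.I):
        hits.append("odd-trademark-note")
    for att in msg.iter_attachments():
        name = (att.get_filename() or "").lower()
        size = len(att.get_payload(decode=True) or b"")
        if name.endswith(EXECUTABLE_EXT):
            hits.append("executable-attachment")
            if size < SMALL_PATCH_BYTES:
                hits.append("implausibly-small-patch")
    return hits

if __name__ == "__main__":
    for hit in triage(build_sample()):
        print("indicator:", hit)
```

No single indicator is proof on its own; the value is in several of them firing on one message, as they do here.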
There is good reason not to open the attached file. Our anti-virus software
flagged it as being infected, issuing this message:
Norton AntiVirus removed the attachment: Patch3172.exe.
The attachment was infected with the W32.Swen.A@mm virus.
So, what would happen if you were to open the attachment? Quite a lot,
according to the Symantec Website:
W32.Swen.A@mm is a mass-mailing worm that uses
its own SMTP engine to spread itself. It attempts to spread through
file-sharing networks, such as KaZaA and IRC, and attempts to kill antivirus
and personal firewall programs running on a computer.
The worm can arrive as an email attachment. The
subject, body, and From: address of the email may vary. Some examples
claim to be patches for Microsoft Internet Explorer, or delivery failure
notices from qmail....
This worm exploits a vulnerability in Microsoft
Outlook and Outlook Express in an attempt to execute itself when you
open or even preview the message.
If you thought that was bad, it gets worse. According to Symantec,
the virus also:
- Attempts to stop all anti-virus and firewall software.
- Disables Registry tools such as Regedit, so you can't view or change
- Scans your hard drives for files containing e-mail addresses and mails
itself to those addresses.
- Puts up an error message asking you to re-enter some critical information,
including: Email address, Username, Password, POP3 server, and SMTP
- Logs in to your POP server to retrieve your e-mail and deletes copies
of messages it has sent.
This thing is pretty clever. It tricks the recipient into launching it,
it can prevent the computer from combating it, and it sends itself to
any e-mail address it can find using your e-mail account. There are several
ways to protect yourself from this and other viruses:
- If you are using Outlook or Outlook Express, make sure the preview
pane is turned off; otherwise message attachments such as this one
can open themselves without your permission.
- Be sure you have an anti-virus program and that you keep the virus
definitions current. You can buy excellent products from Symantec, McAfee,
and others. You can also download
free anti-virus software through links on our Website. Just get something!!!
- If you think you have a virus, visit the Website of an anti-virus vendor
to see if they have a free tool to identify and/or neutralize it. Click
here to find the Web addresses of several vendors.