Welcome to Orange Frog Productions Scams, Shams & Flim-Flams Section

Malware Email Example #004 (Microsoft Spoof)

Things I Did, Below

I, personally, receive email in HTML format. The following is shown the way it looked when I received it.

  • I removed my email addresses. These came to various accounts and some no longer exist. There are places on this site you can get hold of me if you wish or need to. They are protected from spambots using JavaScript, but all you have to do is click on them.
  • All scammer and related email addresses, and any actual website links have been changed, at least putting spaces into them. They appear as underlined blue links, though they aren't.
  • Any notes I added in the actual letter are in square brackets ("[" "]"), are bold, red in color, and highlighted. If what I found "behind the links" (email or website) is different from what was displayed, I will include it in this type of note.
  • All spelling, spacing, line-wrapping, and punctuation errors are the ones that appeared in the original received email. (I may or may not analyze some or all of these.)

Malware Email Example 004
Received 10/23/2006

From: Network Security Division [<== behind link: ouyour-jvydhfr @ bulletin.ms.com]
To: User [<== behind link: ouxh-zifczldle @ bulletin.ms.com]
Sent: Monday, October 23, 2006 3:38 PM
Subject: Newest Microsoft Critical Update

  Microsoft   All Products |  Support |  Search |  Microsoft.com Guide 
Microsoft Home  

Network Image

Microsoft User

this is the latest version of security update, the "October 2006, Cumulative Patch" update which eliminates all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express. Install now to continue keeping your computer secure from these vulnerabilities, the most serious of which could allow an malicious user to run code on your system. This update includes the functionality of all previously released patches.

 

Question Mark System requirements Windows 95/98/Me/2000/NT/XP
Question Mark This update applies to MS Internet Explorer, version 4.01 and later
MS Outlook, version 8.00 and later
MS Outlook Express, version 4.01 and later
Question Mark Recommendation Customers should install the patch at the earliest opportunity.
Question Mark How to install Run attached file. Choose Yes on displayed dialog box.
Question Mark How to use You don't need to do anything after installing this item.

Microsoft Product Support Services and Knowledge Base articles can be found on the Microsoft Technical Support web site. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site, or Contact Us.

Thank you for using Microsoft products.

Please do not reply to this message. It was sent from an unmonitored e-mail address and we are unable to respond to any replies.


The names of the actual companies and products mentioned herein are the trademarks of their respective owners.

 

  Contact Us  |  Legal  |  TRUSTe
  ©2006 Microsoft Corporation. All rights reserved. Terms of Use  |  Privacy Statement |  Accessibility

[This email appears as close to how I received it as I could make it. I do it this way, so search engines can find it. I did make a PDF version. I left everything in this email, even links, since they all appear to be actual MS links. But be VERY careful. -LE]

This email contained a file called UPDATE.exe (106KB).

Example Email 004 Headers
10/23/2006

If you're not interested in the technical aspect of the headers, skip to Example 004 Notes

X-Message-Status: n:0
X-SID-PRA: Network Security Division <ouyour-jvydhfr @ bulletin.ms.com>
X-SID-Result: TempError
X-Message-Info: txF49lGdW40nAWZeY1L1QOpFJvzyRPY0+RJ+LJ3osD0=
Received: from smtp-in.grundyec.net ([64.216.131.103]) by bay0-mc7-f12.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Mon, 23 Oct 2006 13:42:59 -0700
Received: from njrbadu (dial-40.grundyec.net [64.216.131.40])
by smtp-in.grundyec.net (8.11.6/8.11.6) with SMTP id k9NKcpU16254;
Mon, 23 Oct 2006 15:38:51 -0500
Date: Mon, 23 Oct 2006 15:38:51 -0500
Message-Id: <200610232038.k9NKcpU16254 @ smtp-in.grundyec.net>
FROM: "Network Security Division" <ouyour-jvydhfr @ bulletin.ms.com>
TO: "User" <ouxh-zifczldle @ bulletin.ms.com>
SUBJECT: Newest Microsoft Critical Update
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="smgimutoawpxhto"
Return-Path: crockhold @ lyn.net
X-OriginalArrivalTime: 23 Oct 2006 20:42:59.0565 (UTC) FILETIME=[D3A801D0:01C6F6E3]


[NOTE: I left names, email addresses, and phone numbers in here for the search engines to find. DO NOT TRY TO CONTACT THEM! They sent a virus! The shrunken section is apparently what Norton placed or left in my email.-LE]

Notes

  • First of all, my Windows updates are AUTOMATIC. Why would I receive a file from them to install manually?
  • The email addresses used (FROM and TO) are whatever @ bulletin.ms.com. When you enter www.ms.com, it goes to the Morgan Stanley website. Why would Morgan Stanley be sending me a Microsoft Bulletin?
  • The return email address is crockhold @ lyn.net. Why is it not a Microsoft address?
  • The attached filename was UPDATE.exe. Don't most MS updates START with MS, have some type of number associated, etc.? And, again, since my updates are automatic, why would they send this to me?
  • Even MS knows about all those viruses out there, attempting to exploit every vulnerability. They know about all the spoofed emails, the scams, the spam, etc. And, despite what a number of people may think, they are NOT stupid enough to send a patch through email. They would send a link to THEIR OWN site. (AND, if THIS happens, be sure to VERIFY that the site is Microsoft!)
  • Besides, this came to an email address I've never used at MS. Why would they send an email like this to it? While it's a HOTMAIL address, it was the ONLY one of my HOTMAIL addresses that got it. Therefore, it was direct to that email address, and, again, MS shouldn't know it (alone) as an MS user. Hmmm...
  • Being from someone I don't know, and an executable, I WILL NOT OPEN IT.

I will NOT be attempting to run this one! (No reason to!)
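
The red flags listed in the notes above can be checked mechanically. The following is an added example, not part of the original page: it runs those checks over a message built from the header values shown here. The `microsoft.com` sender domain, the extension list, the function names, and the placeholder attachment body are assumptions made for illustration.

```python
import email
import re

# Constructed sample: header values copied from this page (addresses keep the
# page's spaced-out "@"); the attachment body is a placeholder, not the real file.
RAW = """\
X-SID-Result: TempError
FROM: "Network Security Division" <ouyour-jvydhfr @ bulletin.ms.com>
SUBJECT: Newest Microsoft Critical Update
Content-Type: multipart/mixed; boundary="smgimutoawpxhto"
Return-Path: crockhold @ lyn.net

--smgimutoawpxhto
Content-Type: application/octet-stream; name="UPDATE.exe"
Content-Disposition: attachment; filename="UPDATE.exe"

PLACEHOLDER
--smgimutoawpxhto--
"""

RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed blocklist

def domain(value):
    """Domain after '@', tolerating the spaces this page put around it."""
    m = re.search(r"@\s*([A-Za-z0-9.-]+)", value or "")
    return m.group(1).lower() if m else ""

def red_flags(raw, brand="microsoft", brand_domain="microsoft.com"):
    # brand / brand_domain are assumptions: the name the mail claims to come
    # from and the domain a genuine sender would be expected to use.
    msg = email.message_from_string(raw)
    flags = []
    frm, rpath = domain(msg["From"]), domain(msg["Return-Path"])
    if frm != rpath:  # bounce address belongs to a different domain
        flags.append(f"return-path-mismatch:{frm}!={rpath}")
    claims = brand in (msg["Subject"] or "").lower()
    if claims and not (frm == brand_domain or frm.endswith("." + brand_domain)):
        flags.append(f"brand-domain-mismatch:{frm}")
    # X-SID-Result is the Sender ID verdict header seen in the headers above;
    # any value other than Pass (or no header) means the sender was not verified.
    if (msg["X-SID-Result"] or "").strip().lower() != "pass":
        flags.append("sender-id-not-pass")
    for part in msg.walk():  # every MIME part, including attachments
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            flags.append(f"executable-attachment:{name}")
    return flags

if __name__ == "__main__":
    print("\n".join(red_flags(RAW)))
```
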


This site, all text and graphics (unless otherwise noted) on it
were designed, developed and published by Bill Sanders of Orange Frog Productions.

Copyright © 2003, 2004, 2005, 2006, 2007 by Bill Sanders / Full site last modified: October 21, 2006
Any reproduction, printing, or selling of this content is prohibited without express written consent from William D. Sanders.