Spammers disguise spyware as Microsoft upgrade


8 Apr 2005

SurfControl has uncovered a malicious spam message masquerading as a Windows update that it claims current heuristics and signature scanning used by core antivirus vendors will not detect.

Clicking on the link in the email takes users to a site constructed by pulling graphics from Microsoft.com, making it an identical reconstruction of the screen they would see when running a legitimate Windows Update. At this point, both the Express and Custom install options on the page download a malicious .exe file.
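The lure described above works because the page looks right while the link points elsewhere. One mail-gateway check a defender can apply is to compare where an email's links claim to go with where they actually go: any link in a message that talks about Windows Update, or whose visible text reads like a microsoft.com address, but whose href is not under a Microsoft domain, gets flagged. The following is an added illustration written for this article, not code from SurfControl or Microsoft; the trusted-domain list, the regular expressions and the sample email are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the defender treats as legitimate sources of Windows Update
# content. Matching is on the registrable suffix, so "microsoft.com.example.net"
# is NOT trusted (a common lookalike trick).
TRUSTED_UPDATE_SUFFIXES = ("microsoft.com", "windowsupdate.com")

# Phrases that signal an "install this update" lure in the mail body or link text.
UPDATE_LURE_RE = re.compile(r"windows\s+update|security\s+update|critical\s+update", re.I)
# Visible link text that pretends to be a Microsoft address.
MS_LOOKALIKE_TEXT_RE = re.compile(r"microsoft\.com|windowsupdate\.com", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(url):
    """True if the URL's host is exactly a trusted suffix or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_UPDATE_SUFFIXES)


def find_update_lures(html_body):
    """Return (reason, href, visible_text) for links that present themselves as
    Windows Update but resolve outside the trusted domains."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    lure_context = bool(UPDATE_LURE_RE.search(html_body))
    findings = []
    for href, text in parser.anchors:
        if not href or urlparse(href).scheme not in ("http", "https"):
            continue
        if host_is_trusted(href):
            continue
        if MS_LOOKALIKE_TEXT_RE.search(text):
            # Link text looks like a Microsoft URL, but the href goes somewhere else.
            findings.append(("display-href-mismatch", href, text))
        elif lure_context or UPDATE_LURE_RE.search(text):
            # The mail is about a Windows update, yet the install link leaves Microsoft.
            findings.append(("update-lure-offsite", href, text))
    return findings


# Constructed sample email modelled on the lure in the article (addresses are
# documentation/reserved ranges, not real infrastructure).
SAMPLE_EMAIL = """<html><body>
<p>A critical Windows Update is available for your computer.</p>
<p><a href="http://203.0.113.10/wupdate/">http://windowsupdate.microsoft.com/</a></p>
<p><a href="http://example.net/update.exe">Install now</a></p>
<p>Read more on <a href="https://www.microsoft.com/security">Microsoft Security</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for reason, href, text in find_update_lures(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

The check is deliberately independent of any spyware signature: it looks at the mismatch between what the message says and where it sends the reader, which is exactly the gap the article says signature scanning misses. The third link in the sample, to www.microsoft.com, is left alone because its host is a genuine subdomain of a trusted suffix.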

“The email won’t be picked up through anti-spyware software because the .exe file does not contain spyware signatures that would be used to identify it as potentially harmful,” said Martino Corbelli, a spokesman for the international IT security firm.

“Anti-spyware software tends to scan URLs and attachments in suspicious emails, but because none of the recognised spyware signatures are present in the .exe here, there’s no way this approach could identify the threat.”

According to the SurfControl Adaptive Threat Intelligence unit, partly based in Australia where the email was first discovered, it is not an attack aimed at network resources; instead, it appears to send a message to the internet advertising the infected PC as a zombie machine. SurfControl believes that the .exe file pulls down other code to turn the infected machine into a spamming server.

The virus, titled Wupdate-20050401, installs an executable file into the Windows directory and adds a start-up service. While it is running, the program takes up 100pc of the CPU power, monopolising the CPU by forcing it to perform continuous processes.

“This evolution should concern those businesses and individuals that are using a single point solution to combat the threat of Spyware,” explained Susan Larson, vice-president of Adaptive Threat Intelligence for SurfControl.

“The only way to effectively stop Spyware from causing damage is to adopt an approach based around unified threat management, combining email and web security measures to provide multi-layered threat protection to counter the different ways in which malware can enter the IT network,” Larson said.

By John Kennedy