Worm Attack Masquerades As IE7 Download Offer - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Software // Enterprise Applications

Worm Attack Masquerades As IE7 Download Offer

E-mails display an image that invites users to download a beta of a new version of Internet Explorer 7, but instead they are hit with the Grum-A worm.

A security company issued a warning Friday about a widespread attack that's masquerading as an offer from Microsoft to download a version of Internet Explorer 7.

The e-mails, which claim to come from [email protected] and have the subject line "Internet Explorer 7 Downloads," display an image that invites users to download beta 2 of Internet Explorer 7, according to an advisory from Sophos, a security company. Users who make the mistake of clicking on the link in the message, though, instead are infected by the W32/Grum-A worm.

"Worms like this are only succeeding in spreading because so many people have still not learned to be suspicious of unsolicited e-mails, even if they claim to come from well-known companies like Microsoft," said Graham Cluley, senior technology consultant for Sophos, in a written statement. "The problem is that to the casual observer the e-mail looks genuine, and the image displayed looks near-identical to the imagery that Microsoft is using on its Web site to promote Internet Explorer 7.0. Clicking on the image, however, doesn't download the real beta, but malicious code straight from the hackers."

The Grum worm is an appender virus that infects executable files referenced by Run keys in the Windows Registry. When activated, it copies itself to \winlogon.exe and makes changes to the Registry. It also edits the HOSTS file, injecting a thread into system.dll and attempts to patch two system files.

Cluley noted in the advisory that it's an old trick for hackers to mask their attacks as communications from Microsoft. In 2003, the Gibe-F worm, which also was known as Swen, was disguised as a critical Microsoft security update, and in 2005, hackers directed duped users to a bogus and malicious Web site masquerading as a Microsoft update page.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Becoming a Self-Taught Cybersecurity Pro
Jessica Davis, Senior Editor, Enterprise Apps,  6/9/2021
Ancestry's DevOps Strategy to Control Its CI/CD Pipeline
Joao-Pierre S. Ruth, Senior Writer,  6/4/2021
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll