
The patch that isn't: "Microsoft" InvalidSSL

A worm pretending to be from Microsoft's technical support staff can disable all programs on your Windows PC. Fortunately, its spread is expected to be limited.
Written by Robert Vamosi, Contributor

Be suspicious if you find a message in your e-mail from Microsoft Technical Support informing you of an invalid SSL certificate. InvalidSSL (W32.InvalidSSL.A@mm) is not a patch from Microsoft but a clever attempt by a worm writer to get users to click on the infected attachment. If executed, InvalidSSL will encrypt all the executable files on the hard drive, rendering desktop programs useless. Fortunately, the SMTP server for spreading copies of InvalidSSL has now been disabled, so antivirus software vendors do not expect InvalidSSL to become widespread. Despite its limited potential, InvalidSSL still ranks as a 5 on the ZDNet Virus Meter because of its ability to do serious damage.

How it works
InvalidSSL arrives as an e-mail supposedly sent from "support@microsoft.com" with the following information:

Subject: Invalid SSL certificate

Body: Hello,

    Microsoft Corporation announced that an invalid SSL certificate that web sites use is required to be installed on the user computer to use the https protocol. During the installation, the certificate causes a buffer overrun in Microsoft Internet Explorer and by that allows attackers to get access to your computer. The SSL protocol is used by many companies that require credit card or personal information so, there is a high possibility that you have this certificate installed. To avoid of being attacked by hackers, please download and install the attached patch. It is strongly recommended to install it because almost all users have this certificate installed without their knowledge.
    Have a nice day,
    Microsoft Corportation

Attached file: sslpatch.exe

If the user clicks the attached file, InvalidSSL will start scanning the user's hard drive for e-mail addresses and will attempt to send copies of itself to any addresses it finds. The hardcoded SMTP server that would relay those e-mail messages has now been disabled, therefore severely limiting the spread of InvalidSSL. The worm could still find its way into your e-mail box by well-intentioned individuals thinking the infected e-mail actually came from Microsoft.

Whether or not copies of the worm are successfully sent to other users, InvalidSSL will still look for every program file (*.exe) on the infected user's hard drive. It encrypts each program file with a key generated through the Windows CryptoAPI from the text "Invalid.Iworm." The encrypted program files are then rendered useless to the user.
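The two paragraphs above give a defender everything needed for two cheap checks: a mail-gateway rule that flags the InvalidSSL lure (claimed sender support@microsoft.com, subject "Invalid SSL certificate", attachment sslpatch.exe, or any executable attachment at all), and a post-infection triage check that tells an intact Windows program apart from one whose contents have been overwritten with ciphertext. The script below is an added example written for this article, not code from ZDNet or from any antivirus vendor; the sample messages it builds are constructed here, the attachment bytes are placeholders, and the "MZ"/"PE" header test is the standard Windows executable layout rather than anything specific to the worm.

```python
"""Added example: flag the InvalidSSL e-mail lure and inventory damaged .exe files.

Indicators come from the article; the sample messages are constructed here.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Indicators quoted in the article.
LURE_SENDER = "support@microsoft.com"
LURE_SUBJECT = "invalid ssl certificate"
LURE_ATTACHMENT = "sslpatch.exe"
# Any attachment with one of these suffixes is worth a second look.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def analyze_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and report which lure indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From") or "").lower()
    subject = str(msg.get("Subject") or "").lower()
    names = [(part.get_filename() or "").lower() for part in msg.iter_attachments()]

    indicators = []
    if LURE_SENDER in sender:
        indicators.append("spoofed_microsoft_sender")
    if subject == LURE_SUBJECT:
        indicators.append("lure_subject")
    if LURE_ATTACHMENT in names:
        indicators.append("lure_attachment")
    if any(n.endswith(EXECUTABLE_SUFFIXES) for n in names):
        indicators.append("executable_attachment")

    # The named attachment, or the spoofed sender plus the lure subject, is a
    # confident match; a bare executable attachment is merely suspicious.
    if "lure_attachment" in indicators or (
        "spoofed_microsoft_sender" in indicators and "lure_subject" in indicators
    ):
        verdict = "invalidssl"
    elif "executable_attachment" in indicators:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": indicators, "attachments": names}


def looks_like_pe(data: bytes) -> bool:
    """Sanity-check an on-disk program: DOS 'MZ' stub plus a 'PE\\0\\0' signature.

    A program file that the worm has overwritten with ciphertext fails this
    check, which makes it a quick way to list files needing restoration.
    """
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[60:64], "little")  # e_lfanew
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def build_sample(sender: str, subject: str, attachment_name: Optional[str]) -> bytes:
    """Construct a sample message for this example (not a real captured mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Hello,\nplease install the attached patch.\n")
    if attachment_name:
        # Placeholder bytes stand in for the attachment; no real program.
        msg.add_attachment(b"placeholder-bytes", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("support@microsoft.com", "Invalid SSL certificate", "sslpatch.exe"),
        build_sample("bob@example.invalid", "photos", "setup.exe"),
        build_sample("alice@example.invalid", "Lunch", None),
    ]
    for raw in samples:
        print(analyze_message(raw))
    # A minimal well-formed header versus bytes with no executable structure.
    intact = b"MZ" + b"\0" * 58 + (64).to_bytes(4, "little") + b"PE\0\0"
    print(looks_like_pe(intact), looks_like_pe(b"\x8f\x12not-a-program"))
```

The gateway rule deliberately treats "executable attachment" as a separate, weaker signal: InvalidSSL's SMTP relay being disabled does not stop a well-meaning colleague from forwarding the message, and the forwarded copy may carry a different subject line but the same attachment. The header check is only a triage aid; it says which files need restoring from backup, not that the remaining files are trustworthy.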

Removal
Antivirus software companies are in the process of updating their signature files to include InvalidSSL. For more information on removing InvalidSSL from your system, see Central Command, Sophos, and McAfee.



