Viral, bogus MS bulletins shuttered

The two bogus bulletins--complete with software patches and links to a hoax Web site--were discovered on July 10. Both contained potentially damaging viruses.

The first virus, nicknamed W32.Pet_Tick.G, arrives as an email with the message, "This is a fix against I-Worm.Magistr." It also contains an executable file attachment entitled "MSVA.EXE." The other phony bulletin, dubbed W32.Leave.B.Worm, claims to contain the patch for a serious virus, but instead is itself malicious code.

"This is a cunning piece of psychology to get past the most suspicious PC user," said Graham Cluley, senior technology consultant at anti-virus firm Sophos. "You receive a message that at first glance looks like a Microsoft bulletin, but once executed takes you to the virus distributor's Web site and downloads the malicious component."

Security experts are satisfied that the bogus Web sites have now been removed, and claim it is unlikely that more PCs will be infected with the viruses. Microsoft issued a statement explaining that the Pet Tick worm is easy to spot by its lack of digital signature, and the direct link that it contains to the phony patch instead of the complete bulletin.

But Cluley is less optimistic about the IT competence of individuals to spot emails that don't contain digital signatures. "It's a unfortunate case that most people are suffering from a bug in their brain rather than a bug in their PC--they need to be more suspicious about email and not trust everything that they receive," he said.

Phony security alerts represent the latest social engineering trick for hackers, but virus experts predict that the pornographic trap as exploited in the Anna Kournikova virus earlier this year is still the most popular. "There's an unlimited demand for porn and Russian tennis players, and there will be for some time," said Cluley. "But the two viruses that have recently posed as Microsoft bulletins could give others the same idea."