Microsoft 'Support' email a Trojan hoax By Matthew Nelson InfoWorld Electric Posted at 3:13 PM PT, Sep 20, 1999 Microsoft is warning its customers to disregard and delete any emails that appear to come from "support@microsoft.com" and contain a Y2K countdown calendar, as it actually contains a malicious Trojan horse program. Sent as spam to an unknown number of Microsoft users, the email contains a text message that reads: "To All Microsoft Users, we are excited to announce Microsoft Year 2000 Counter. Start the countdown NOW. Let us all get in the 21 Century. Let us lead the way to the future and we will get YOU there FASTER and SAFER. Thank you, Microsoft Corporation." The message also contains a 124,885 bytes executable, Y2KCOUNT.EXE, which actually contains the Trojan horse program. It does not spread to other systems as a virus or worm might, but it does attempt to alter files, capture passwords and log-ins, and then send them to an email address in China, according to Microsoft. The company also stressed that its policy is to never send software updates or applications to its users by email. "It looks like it gathers password info, log-ins and user names, and it looks like it sends them to an address in China," said Don Jones, director of Year 2000 readiness for Microsoft. "We never send software in e-mail. It's just not done. We will send a URL or a link, but never software." The signature file and origin of the Trojan appears to have come from Bulgaria, according to Jones. When a user activates the executable file, a message reads: "Password protection error or invalid CRC32!" The exe is in fact a self-extracting WinZip archive that activates when the system is next booted up. Because the Trojan is spoofed to appear as originating from Microsoft and as it relates to Y2K issues, it is the latest in a growing list of malicious attacks that security vendors are expecting to spread as the new year approaches. Along with actual viruses, however, vendors also expect to see more hoaxes that will be issued to confuse users during a confusing time, which may be more dangerous than the Y2K bug itself. "I think the biggest single threat with Y2K is going to be these hoaxes with viruses," said Jones. "We think that hackers and people with malicious intent are going to use Y2K to spread viruses." Security vendors Symantec and Network Associates both have assigned Y2Kcount.exe a medium risk assessment at this time, and recommend as always that users update their DAT files. "We actually don't know how many users it was sent out to, [but] we don't believe it's something to panic about," said Motoaki Yamamura, senior program manager for the Symantec Anti-virus Research Center (SARC), in Santa Monica, Calif. "I believe it should be handled just like any other Trojan." As always, it is recommended that users update their security DAT files to protect against this latest attack. Microsoft Corp., in Redmond, Wash., is at www.microsoft.com Symantec Corp, in Santa Monica, Calif., is at www.symantec.com. Matthew Nelson is an InfoWorld senior writer. Go to the Week's Top News Stories Please direct your comments to InfoWorld Deputy News Editor, Carolyn April Copyright © 1999 InfoWorld Media Group Inc.