[Full-Disclosure] New MS Patch - Any Idea What This Is

[Anthony Aykut]

Hi,

Anyone come across this one?? I have *just* received this - yet another
email claiming to be from MS (showing initially as being from
mbsyaojmmlds_tptnjv at confidence.msdn.com), titled 'New Patch'. Same nice HTML
page, with message body...

Microsoft User

this is the latest version of security update, the "October 2003, Cumulative
Patch" update which eliminates all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express. Install now to
continue keeping your computer secure from these vulnerabilities, the most
serious of which could allow an attacker to run code on your computer. This
update includes the functionality of all previously released patches.

...with an attachment 'UPDATE.exe', 69Bytes. My Norton AV, with virus
patterns dated 8th October doesn't give ANY warnings whatsoever, nothing
gets quarantined though the attachment gets saved as 0 bytes - so some
checking/stripping takes place.

Message headers...

Return-Path: <bterrel86 at charter.net>
Delivered-To: anthony.aykut at 5
Received: (qmail 28201 invoked by uid 457); 14 Oct 2003 20:02:36 -0000
Delivered-To: frame4.com-webmaster at frame4.com
Received: (qmail 28196 invoked from network); 14 Oct 2003 20:02:36 -0000
Received: from unknown (HELO remt25.cluster1.charter.net) (209.225.8.35)
  by hosting-132-36.phpwebhosting.com with SMTP; 14 Oct 2003 20:02:36 -0000
Received: from [68.112.20.189] (HELO ysjug)
  by remt25.cluster1.charter.net (CommuniGate Pro SMTP 4.0.6)
  with SMTP id 26689859; Tue, 14 Oct 2003 16:02:03 -0400
FROM: "Microsoft" <mbsyaojmmlds_tptnjv at confidence.msdn.com>
TO: "User" <kqmr at confidence.msdn.com>
SUBJECT: New Patch
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="zcwyruuzitrbo"
Date: Tue, 14 Oct 2003 16:02:04 -0400
Message-ID: <auto-000026689859 at remt25.cluster1.charter.net>

Regards,

Anthony Aykut
Frame4 Security Systems
Your Partner in IT Security
http://www.frame4.com/