email purportedly from Microsoft


Robert Hill
December 18th 03, 06:44 PM
A couple of days ago, I received an email with the
following information:

Date: Thu, 2 Oct 2003 08:45:24 -0400 (EDT)
From: "Microsoft Technical Assistance"
> | This is not spam | Add to
Address Book
To: "MS Corporation User" >
Subject: Last Network Critical Update

With all the nuts out there, I was not sure if this was
legitimate or a ruse to have me download their
little "patch."

Any advice will be appreciated.
Thank You.
Robert Hill


Roger Abell
December 18th 03, 06:44 PM
You will never receive an executable in email from Microsoft.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Robert Hill" > wrote in message
...
> A couple of days ago, I received an email with the
> following information:
>
> Date: Thu, 2 Oct 2003 08:45:24 -0400 (EDT)
> From: "Microsoft Technical Assistance"
> > | This is not spam | Add to
> Address Book
> To: "MS Corporation User" >
> Subject: Last Network Critical Update
>
> With all the nuts out there, I was not sure if this was
> legitimate or a ruse to have me download their
> little "patch."
>
> Any advice will be appreciated.
> Thank You.
> Robert Hill
>
>

Bruce Chambers
December 18th 03, 06:44 PM
Greetings --

What you received is either a very common malicious hoax or the
output of a computer infected by one of several wide-spread, mass
emailing worms. The most widely-known are:

W32.Swen.A_mm
W32.Dumaru_mm
W32.Gibe_mm

How to Tell If a Microsoft Security-Related Message Is Genuine
http://www.microsoft.com/security/antivirus/authenticate_mail.asp

Microsoft never has, does not currently, and never will email
unsolicited security patches. At the most, if, and only if, you
subscribe to their security notification newsletter, they will send
you an email informing you that a new patch is available for
downloading.

Microsoft Policies on Software Distribution
http://www.microsoft.com/technet/treeview/?url=/technet/security/policy/swdist.asp

Information on Bogus Microsoft Security Bulletin Emails
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/patch_hoax.asp

Any and all legitimate patches and updates are readily available
at http://windowsupdate.microsoft.com/. (Notice that this is the true
URL, rather than the bogus one that may have been contained in the
email you received.) Any messages that point to any other source(s) or
claim to have the patch attached are bogus.

You're receiving these emails because your email address is in
the address book of someone infected with a worm, and/or because you
posted your real email address somewhere on-line, either in a forum
accessible to the public and spambots, such as Usenet, or on an
untrustworthy web site that subsequently sold your address as part of
a mailing list. One thing you can do is notify _everyone_ with whom
you've ever corresponded via email that one or more of them may be
infected with a mass emailing worm, and should take the appropriate
steps.

There's probably no way of blocking all of the bogus messages, but
you can greatly reduce the number you get by creating a rule, based
upon the most commonly used subject lines, to delete the emails from
the server without ever downloading them.


Bruce Chambers

--
Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH


"Robert Hill" > wrote in message
...
> A couple of days ago, I received an email with the
> following information:
>
> Date: Thu, 2 Oct 2003 08:45:24 -0400 (EDT)
> From: "Microsoft Technical Assistance"
> > | This is not spam | Add to
> Address Book
> To: "MS Corporation User" >
> Subject: Last Network Critical Update
>
> With all the nuts out there, I was not sure if this was
> legitimate or a ruse to have me download their
> little "patch."
>
> Any advice will be appreciated.
> Thank You.
> Robert Hill
>
>

T O M M Y
December 19th 03, 04:57 PM
Most certainly you are receiving these e-mails because you have sent
your e-mail address to an untrusting web site in a form or it is in a
friend's infected computer or a news group which is picked up by this
worm.

The worm/virus is probably one of the following:

W32.Swen.A_mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html

W32.Dumaru_mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru@mm.html

W32.Gibe_mm

Also:
< Microsoft never has, does not currently, and never will email
unsolicited security patches.>



------
WARNING:

Many of these e-mails can self-execute the attached file (the worm)
when you only open or see the preview of the e-mail sent to you, even
without opening the attachment... If you receive them, delete them
immediately, even without opening them. (This is due to a famous
vulnerability in IE while rendering HTML messages with wrong MIME
headers and executing such files, which I still see exists in OE 6 and
IE 6 that came with Win XP.)

------
A good guide:
The worm has a fixed file size..., something about 145KB, 150KB or
around it. So if your e-mails -- with any subject or From line text --
are of the mentioned size or something around it, please delete the
message immediately.

------

Some famous forms of these infected messages:

1- From: Microsoft Corporation Program Se
Subject: Network security Upgrade Size: 143KB

2- From: Public Assistance
Subject: net update Size: 130KB

3- From: Admin
Subject: Error Letter Size: 150KB

4- From: MS Corporation Security Center
Subject: Newest Net Update Size: 145KB

5- From: Admin
Subject: Message Size : 125KB

6- From: Network Security Section
Subject: "NO SUBJECT" Size : 150KB

7- From: Net message delivery
Subject: No delivery found Size : 144KB



Good luck

----------------------------------------------------------------------
"Robert Hill" > wrote in message
...
> A couple of days ago, I received an email with the
> following information:
>
> Date: Thu, 2 Oct 2003 08:45:24 -0400 (EDT)
> From: "Microsoft Technical Assistance"
> > | This is not spam | Add to
> Address Book
> To: "MS Corporation User" >
> Subject: Last Network Critical Update
>
> With all the nuts out there, I was not sure if this was
> legitimate or a ruse to have me download their
> little "patch."
>
> Any advice will be appreciated.
> Thank You.
> Robert Hill
>
>
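
The filtering advice in the replies above (a rule keyed on the commonly used subject lines, the 125KB to 150KB message size, and the rule that a mailed "patch" attachment is bogus) can be combined into one triage check. This is an added example, not part of the original posts; the function names, the executable-extension list and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines quoted in this thread, lower-cased for comparison.
THREAD_SUBJECTS = {
    "last network critical update", "network security upgrade", "net update",
    "error letter", "newest net update", "message", "no delivery found",
}
# Extensions treated as executable (an assumption, not taken from the thread).
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
# Message sizes listed in the thread range from 125KB to 150KB.
SIZE_RANGE = (125 * 1024, 150 * 1024)


def triage(raw):
    """Return the reasons a raw RFC 822 message resembles the fake-patch mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip().lower() in THREAD_SUBJECTS:
        reasons.append("subject")
    if SIZE_RANGE[0] <= len(raw) <= SIZE_RANGE[1]:
        reasons.append("size")
    # iter_attachments() yields nothing for a plain, non-multipart message.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(EXEC_EXT):
            reasons.append("executable-attachment")
            break
    return reasons


def build_sample(subject, attachment=None):
    """Build a constructed sample message (test data, not a captured mail)."""
    m = EmailMessage()
    m["From"] = '"Microsoft Technical Assistance" <sender@example.invalid>'
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("Please install the attached update.")
    if attachment is not None:
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename="patch.exe")
    return m.as_bytes()


if __name__ == "__main__":
    worm_like = build_sample("Last Network Critical Update", b"\x00" * (100 * 1024))
    print(triage(worm_like))                        # all three signals
    print(triage(build_sample("Lunch on Friday?")))  # no signals
```

A subject such as "Message" is too generic to act on alone, so a delete rule is safer when it requires the attachment signal or at least two reasons.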
