Microsoft Update Fake Emails

This post was written by admin on October 11, 2009
Posted Under: Email Dangers, Free PC Security, malware

Fake emails are nothing new, and the 'Microsoft Update' emails have done the rounds before; they will compromise your PC security if the fake 'update' is downloaded and run.

The latest version, from 'mailteam at microsoft.com', states the following:

"Security update Revised
When necessary, Microsoft provides a new security update on the second Tuesday of each month and publishes a bulletin to announce the update.
Occasionally, updates are released more often.

The links below go to the latest update download.
(Privat secured new link)
mail1.e-corecorporation.com/ef.htxrl.us/microsoftupdate

Each bulletin includes links to the security updates. Microsoft has submitted a new update for all Windows OS web browsers, which brings a more stable and secure application, Internet Explorer version 7.0.195.24. The new version has no new functionality but fixes one security vulnerability that has been classified as "high", the highest level. Vulnerability refers to the possibility of external attacks through Internet Explorer and Outlook Express. We recommend installing the update to keep you and your system safe.

Thank you, Adrian King Director of Security Assurance Microsoft Corp."

I have received two of these, one on Saturday and another today. CPU usage rises as the malware takes control, and a new item shows in Task Manager: sdra64.exe. Right-click it and choose End Process.

csrss.exe - Client/Server Runtime Subsystem - will also be using a high amount of CPU.

IF you have downloaded this malware and run the fake update: download and install Malwarebytes Anti-Malware if you don't already have it, allow it to update, then click on 'Scanner' and click Quick Scan to remove this parasite.

The scan will take longer than normal if csrss.exe is keeping CPU usage high, but DO NOT end the csrss.exe process, or you will be forced to reboot.

A reboot will be necessary to finish the removal process once Malwarebytes has completed its scan and cleaned up the damage that this fake 'update' does.

Update ONLY from the genuine Windows Update.

The following shows the infected Registry Keys, Registry Values, Registry Data Items, Folders and Files, as reported by the scan, for manual removal. Manual removal should only be attempted if you know what you are doing!

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot)
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot)
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot)
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\SYSTEM32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe)

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data)

Files Infected:
C:\Documents and Settings\[default user]\Desktop\microsoft_09 (Trojan.Dropper)
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data)
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data)
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert)
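The Userinit hijack in the scan log is the detail worth checking on any machine that opened this 'update': the value should name only the legitimate userinit.exe, and any extra entry (here sdra64.exe) is launched at every logon. As an added example, not code from the original post, the script below parses a Winlogon Userinit value and flags every entry that is not the legitimate userinit.exe; the sample values are constructed from the 'Bad:' and 'Good:' strings above, the `system_root` parameter is an assumption defaulting to C:\WINDOWS, and the live registry read runs only on Windows.

```python
"""Flag hijack entries in a Winlogon\\Userinit value (added example, not the post's own code)."""
import ntpath
import sys

LEGIT_NAME = "userinit.exe"


def parse_userinit(value):
    """Split the comma-separated Userinit value into entries.

    The hijacked value ends with a trailing comma, which produces an empty
    field; empty fields and surrounding quotes/whitespace are dropped."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def suspicious_entries(value, system_root=r"C:\WINDOWS"):
    """Return every entry that is not the legitimate userinit.exe.

    Comparison is case-insensitive (the hijacked value mixes SYSTEM32 and
    system32). The legitimate entry may be written bare ("Userinit.exe") or
    as a full path under <system_root>\\system32; anything else, including a
    userinit.exe sitting in another directory, is reported. Environment
    variables such as %SystemRoot% are not expanded by this check."""
    legit_dirs = {"", ntpath.join(system_root, "system32").lower()}
    bad = []
    for entry in parse_userinit(value):
        directory, name = ntpath.split(entry)
        if name.lower() != LEGIT_NAME or directory.lower() not in legit_dirs:
            bad.append(entry)
    return bad


def read_live_userinit():
    """On Windows, read the real value from HKLM; elsewhere return None."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
        return value


if __name__ == "__main__":
    # Constructed samples: the "Bad:" and "Good:" values from the scan log.
    hijacked = r"C:\WINDOWS\SYSTEM32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
    clean = "Userinit.exe"
    for label, val in (("hijacked sample", hijacked), ("clean sample", clean),
                       ("live", read_live_userinit())):
        if val is not None:
            print(label, "->", suspicious_entries(val) or "OK")
```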

Download Malwarebytes Anti-Malware Free Here
