
Are these legit Microsoft email messages?

StormRider

Diamond Member
I keep getting these email messages from "Microsoft" that includes a "security patch" in the form of an executable file called q216309.exe but I am highly suspicious of the authenticity of these emails. I've never known Microsoft to send executable files embedded in email messages before. Does anyone know anything about this? The message in the email appears below.




<<
Microsoft Customer,

this is the latest version of security update, the
"9 Mar 2002 Cumulative Patch" update which eliminates all
known security vulnerabilities affecting Internet Explorer and
MS Outlook/Express as well as six new vulnerabilities, and is
discussed in Microsoft Security Bulletin MS02-005. Install now to
protect your computer from these vulnerabilities, the most serious of which
could allow an attacker to run code on your computer.


Description of several well-know vulnerabilities:

- "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability.
If a malicious user sends an affected HTML e-mail or hosts an affected
e-mail on a Web site, and a user opens the e-mail or visits the Web site,
Internet Explorer automatically runs the executable on the user's computer.

- A vulnerability that could allow an unauthorized user to learn the location
of cached content on your computer. This could enable the unauthorized
user to launch compiled HTML Help (.chm) files that contain shortcuts to
executables, thereby enabling the unauthorized user to run the executables
on your computer.

- A new variant of the "Frame Domain Verification" vulnerability could enable a
malicious Web site operator to open two browser windows, one in the Web site's
domain and the other on your local file system, and to pass information from
your computer to the Web site.

- CLSID extension vulnerability. Attachments which end with a CLSID file extension
do not show the actual full extension of the file when saved and viewed with
Windows Explorer. This allows dangerous file types to look as though they are simple,
harmless files - such as JPG or WAV files - that do not need to be blocked.


System requirements:
Versions of Windows no earlier than Windows 95.

This update applies to:
Versions of Internet Explorer no earlier than 4.01
Versions of MS Outlook no earlier than 8.00
Versions of MS Outlook Express no earlier than 4.01

How to install
Run attached file q216309.exe

How to use
You don't need to do anything after installing this item.


For more information about these issues, read Microsoft Security Bulletin MS02-005, or visit link below.
http://www.microsoft.com/windows/ie/downloads/critical/default.asp
If you have some questions about this article contact us at rdquest12@microsoft.com

Thank you for using Microsoft products.

With friendly greetings,
MS Internet Security Center.
----------------------------------------
----------------------------------------
Microsoft is registered trademark of Microsoft Corporation.
Windows and Outlook are trademarks of Microsoft Corporation.
>>

 
Paste the source code (Go to the email and hit Control-F3)

It should show what servers it came through...
 
To be on the safe side, I would say no. If you think it's a real security issue, just go to Windows Update and see what you find. It doesn't seem like a legit thing to me, but I could be wrong.
 
Microsoft doesn't send you updates with an actual file attached. If you subscribed to one of their security lists you would see a vulnerability announcement and a link to download it from an M$ server. I've never heard of any company actually attaching a patch to a security email unless you were paying for a support contract.
 
Here's the header part (from hitting Ctrl-F3). I removed references to my email address.



<<
(with Cubic Circle's cucipop (v1.31 1998/05/13) Wed Mar 13 23:47:59 2002)
X-From_: mgiggleman@peoplepc.com Wed Mar 13 19:08:06 2002
Return-Path: <mgiggleman@peoplepc.com>
Received: from c002.snv.cp.net (c002-h001.c002.snv.cp.net [209.228.32.165])
by beast.toad.net (8.11.0/8.11.0) with SMTP id g2E085718938
Date: Wed, 13 Mar 2002 19:08:05 -0500
Message-Id: <200203140008.g2E085718938@beast.toad.net>
Received: (cpmta 11978 invoked from network); 13 Mar 2002 16:07:20 -0800
Received: from 63.24.154.140 (HELO pfuckie)
by smtp.peoplepc.com (209.228.32.165) with SMTP; 13 Mar 2002 16:07:20 -0800
X-Sent: 14 Mar 2002 00:07:20 GMT
From: "Microsoft Corporation Security Center" <rdquest12@microsoft.com>
To: "Microsoft Customer" <'customer@yourdomain.com'>
Subject: Internet Security Update
Reply-To: <rdquest12@microsoft.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="NextPart_000235"

This is a multi-part message in MIME format.
You should read this with client which
supported MIME standard.
>>

 


<<
by beast.toad.net (8.11.0/8.11.0) with SMTP id g2E085718938
Date: Wed, 13 Mar 2002 19:08:05 -0500
Message-Id: <200203140008.g2E085718938@beast.toad.net>
Received: (cpmta 11978 invoked from network); 13 Mar 2002 16:07:20 -0800
Received: from 63.24.154.140 (HELO pfuckie)
>>



There's your answer right there
 
funny you should mention this, not 2 minutes ago I just read in the latest Langaletter:


3) Avoid This Fake Microsoft Security Patch

Microsoft doesn't send out security patches by email. To my knowledge, it never has. Still, a number of people have been fooled by an email purporting to be from the "Microsoft Corporation Security Center" and carrying the subject line "I n t e r n e t S e c u r i t y U p d a t e" (I've spaced out the letters here to try to get past stupid email filters that may assume that this newsletter is the fake security patch).
The fake email mostly uses the format and language of real security bulletins to offer an attachment ( Q 2 1 6 3 0 9 . e x e ) that's supposed to be a cumulative patch that eliminates "all known vulnerabilities" in Internet Explorer.
Of course, it's not a security patch at all; it's the W 3 2 . G i b e worm, which uses Outlook and its own internal SMTP engine to propagate. You can get all the gory details--- and removal instructions--- by searching your favorite security site. For example, go to http://securityresponse.symantec.com/ and search for w 3 2 . g i b e.
Remember: Microsoft doesn't mail out patches. You have to get them via Windows Update or by going to http://www.microsoft.com/security/ and manually downloading them. That latter site is also a good place to check to see if any supposed patch from Microsoft is real or not.
 


<< Microsoft doesn't send you updates with an actual file attached. If you subscribed to one of their security lists you would see a vulnerability announcement and a link to download it from an M$ server. I've never heard of any company actually attaching a patch to a security email unless you were paying for a support contract. >>


 


<< <<
by beast.toad.net (8.11.0/8.11.0) with SMTP id g2E085718938
Date: Wed, 13 Mar 2002 19:08:05 -0500
Message-Id: <200203140008.g2E085718938@beast.toad.net>
Received: (cpmta 11978 invoked from network); 13 Mar 2002 16:07:20 -0800
Received: from 63.24.154.140 (HELO pfuckie)
>>



There's your answer right there
>>



What part identifies it as a fake? Is it the (HELO pfuckie) part or something else?
 


<< What part identifies it as a fake? Is it the (HELO pfuckie) part or something else? >>

1. The fact that you received an email with an attachment.

2. The fact that it doesn't sound anything like an email Microsoft would send, in terms of English grammar, even though they wouldn't send you email.

3. Please kill yourself now. The virus has infected your computer, and infected your body through your keyboard. It is too late. Save your loved ones by ending your life.

😛

Come on. This can't possibly be a serious post? Please tell me it's a joke...
 
The beast.toad.net red-flags it as a fake. Toad.net is some ISP.

I hate the way Outlook Express shows full headers. In Netscape Mail, they read logically: the originating email server is first, and your email server is at the bottom. The semi-broken English at the bottom of the email (in the message for non-MIME readers) also leads me to believe it's a fake.
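The header walk described above, as an added example that is not part of the thread: it reads the Received: chain oldest-first (each relay prepends its own line, so the header order is newest-first) and compares the origin and relays against the domain the From: line claims. The sample headers are the ones quoted earlier in the thread; the function names and the checks are my own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers of the suspect message as quoted in the thread (recipient address
# already removed by the poster); the one-line body is constructed filler.
RAW_HEADERS = """Return-Path: <mgiggleman@peoplepc.com>
Received: from c002.snv.cp.net (c002-h001.c002.snv.cp.net [209.228.32.165])
    by beast.toad.net (8.11.0/8.11.0) with SMTP id g2E085718938
Date: Wed, 13 Mar 2002 19:08:05 -0500
Message-Id: <200203140008.g2E085718938@beast.toad.net>
Received: (cpmta 11978 invoked from network); 13 Mar 2002 16:07:20 -0800
Received: from 63.24.154.140 (HELO pfuckie)
    by smtp.peoplepc.com (209.228.32.165) with SMTP; 13 Mar 2002 16:07:20 -0800
X-Sent: 14 Mar 2002 00:07:20 GMT
From: "Microsoft Corporation Security Center" <rdquest12@microsoft.com>
To: "Microsoft Customer" <customer@yourdomain.com>
Subject: Internet Security Update
Reply-To: <rdquest12@microsoft.com>
MIME-Version: 1.0

(body omitted)
"""

def received_hops(raw):
    """Return the Received: hops oldest-first as {from, helo, by} dicts."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        frm = re.match(r"from\s+(\S+)", value)
        helo = re.search(r"\(HELO\s+([^)\s]+)\)", value)
        by = re.search(r"\bby\s+(\S+)", value)
        hops.append({"from": frm.group(1) if frm else None,
                     "helo": helo.group(1) if helo else None,
                     "by": by.group(1) if by else None})
    return hops

def address_domain(header_value):
    """Domain part of the first address in a From:/Return-Path: style header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def spoof_indicators(raw):
    """Cheap checks to run before trusting what the From: line claims."""
    msg = message_from_string(raw)
    claimed = address_domain(msg.get("From", ""))
    findings = []
    rp = address_domain(msg.get("Return-Path", ""))
    if rp and rp != claimed:
        findings.append(f"Return-Path domain {rp} differs from From domain {claimed}")
    hops = received_hops(raw)
    if hops and not (hops[0]["from"] or "").endswith(claimed):
        findings.append(f"origin hop {hops[0]['from']} (HELO {hops[0]['helo']}) is not a {claimed} host")
    if not any(h["by"] and h["by"].endswith(claimed) for h in hops):
        findings.append(f"no relay in the Received chain belongs to {claimed}")
    return findings

if __name__ == "__main__":
    for line in spoof_indicators(RAW_HEADERS):
        print("!", line)
```

Only the Received: line added by your own server is trustworthy; everything below it was written by the sender's side and can be forged, which is why the origin and Return-Path checks are indicators rather than proof.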
 


<< Come on. This can't possibly be a serious post? Please tell me it's a joke...
>>



No, it's not a joke. As I stated in my first post, I was highly suspicious of it. I would never run an executable if I never asked to receive one. But I was just curious, what part of the email could absolutely identify it as a fake.
 
Trojan virus, do not open.



<< what part of the email could absolutely identify it as a fake. >>


The part where MS doesn't email out security updates with .exe's attached.


 