US-CERT has received reports of a circulating email message that purports to be a Microsoft Security Bulletin. The email directs the user to download and install an executable that is supposed to be a cumulative patch. Through social engineering, the attacker hopes to trick the user into thinking they are installing a cumulative patch when in fact they are installing a version of SDBot, a commonly used Trojan horse.
This variant of SDBot is part of a family of backdoor Trojan horse programs commonly controlled remotely by an attacker via Internet Relay Chat (IRC). Some variants of SDBot may not be detected by anti-virus applications.
In 2003, a similar email message masquerading as a Microsoft Security Bulletin was circulated. Users who clicked on the link in this email message were infected with the Swen mass-mailing worm.
US-CERT recommends that users:
* Do not follow unsolicited web links received in email messages.
* Manually type in the URL when attempting to go to the web sites recommended in an email.
* Install anti-virus software, and keep its virus signature files up-to-date.