Trojan Horse Poses As Windows XP Update

A new Swen-style Trojan horse posing as a critical update from Microsoft has been detected on the Internet, and users who open the e-mail message may find their machines loaded with a back-door Trojan that can steal passwords or be used in conjunction with other systems to conduct major denial-of-service (DoS) attacks.

Dubbed Trojan.Xombe (as in zombie) by most security firms, the Trojan shares some characteristics of the Swen worm family in that it masquerades as a message from Microsoft and purports to carry a security update in its file attachment. However, unlike Swen--a worm which first appeared last September--Trojan.Xombe doesn't self-replicate.

"This Trojan was spammed out to a large number of computers overnight," said Ken Dunham, the director of malicious code at iDefense, a Reston, Va.-based security intelligence firm. By using spamming strategies, attackers hope to infect hundreds, even thousands, of machines before users realize what's up, or anti-virus companies can react with updated definition files.

The faux message, which sports a spoofed sending address of windowsupdate@microsoft.com, uses the subject line 'Windows XP Service Pack 1 (Express)-- Critical Update' to trick recipients into opening the attached file.