Invalid Worm
Fake patch pretends to cure fake certificate
In March 2001 it came to light that VeriSign, then the leading commercial certificate authority, had issued two code-signing certificates to an individual posing as a Microsoft® employee. VeriSign could say little about who had actually obtained the certificates, which left many doubting the credibility of an organization whose business is vouching for others' credibility. A new worm now exploits the confusion that the VeriSign oversight created. Dubbed Invalid, it mails itself disguised as a Microsoft® patch that supposedly fixes invalid SSL certificates. The message (reproduced below) arrives with an attachment named 'SSLPATCH.EXE'.

 From: "Microsoft Support" 
 Subject: Invalid SSL Certificate

 Hello,

 Microsoft Corporation announced that an invalid SSL certificate
 that web sites use is required to be installed on the user
 computer to use the https protocol. During the installation, the
 certificate causes a buffer overrun in Microsoft Internet
 Explorer and by that allows attackers to get access to your
 computer. The SSL protocol is used by many companies that
 require credit card or personal information so, there is a high
 possibility that you have this certificate installed.

 To avoid of being attacked by hackers, please download and
 install the attached patch. It is strongly recommended to
 install it because almost all users have this certificate
 installed without their knowledge.

 Have a nice day,
 Microsoft Corporation

At least one member of the popular Bugtraq mailing list noted, "Microsoft never sends patches/updates to customers via email (and) I've never known ANYONE at Microsoft to say 'Have a nice day'."

Rather than harvesting addresses from the Windows address book, the worm searches HTML files on the local drive for mailto links and sends itself to every address it finds in them. Jennifer Kyrnin, the About guide to HTML, gives practical tips for keeping the mailto links on your own pages from being harvested this way in her article, Don't Catch a Virus from Your Web Page.
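To make the propagation method concrete, here is an added Python example of the kind of harvesting scan the worm performs over local HTML files. This is illustrative code written for this page, not the worm's own code: the regular expression is an assumed, naive "literal mailto: followed by an address" pattern (the page does not describe the worm's exact matching logic), and the three sample pages are constructed inline. The third page shows two of the protections Kyrnin's article is about, an entity-encoded link and a link assembled by script, and how a scan that does not decode entities misses the first, while the second never appears in the static HTML at all.

```python
import re
from html import unescape

# Constructed sample pages standing in for HTML files on a local drive.
SAMPLE_PAGES = {
    "index.html": """
<p>Contact <a href="mailto:webmaster@example.com">the webmaster</a>
or <a href="mailto:sales@example.com?subject=Quote">sales</a>.</p>
""",
    "team.html": """
<a href="MAILTO:Alice.Smith@Example.org">Alice</a>
<a href='mailto:bob@example.org'>Bob</a>
<a href="mailto:webmaster@example.com">dupe</a>
""",
    "protected.html": """
<!-- entity-encoded link: browsers decode it, a literal scan does not -->
<a href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;hidden@example.net">hidden</a>
<!-- link assembled by script: nothing to match in the static HTML -->
<script>
  var u = "ops"; var d = "example.net";
  document.write('<a href="mail' + 'to:' + u + '@' + d + '">ops</a>');
</script>
""",
}

# Assumed naive harvester pattern: a literal "mailto:" followed by an
# address, stopping at a quote, '?', '>' or whitespace so that
# "?subject=..." query strings are not swallowed into the address.
MAILTO_RE = re.compile(r'mailto:([^\s"\'?>]+@[^\s"\'?>]+)', re.IGNORECASE)


def harvest_mailto(html: str) -> list[str]:
    """Return unique, lower-cased addresses found in literal mailto: links."""
    seen: list[str] = []
    for addr in MAILTO_RE.findall(html):
        addr = addr.lower()
        if addr not in seen:
            seen.append(addr)
    return seen


def harvest_pages(pages: dict[str, str]) -> list[str]:
    """Scan every page, as a local-drive sweep would, and de-duplicate."""
    found: list[str] = []
    for html in pages.values():
        for addr in harvest_mailto(html):
            if addr not in found:
                found.append(addr)
    return found


def harvest_decoded(html: str) -> list[str]:
    """The same scan after HTML-entity decoding. Entity encoding only
    defeats harvesters that, like the naive one above, never decode."""
    return harvest_mailto(unescape(html))


if __name__ == "__main__":
    print("literal scan, all pages:", harvest_pages(SAMPLE_PAGES))
    print("literal scan, protected page:",
          harvest_mailto(SAMPLE_PAGES["protected.html"]))
    print("decoded scan, protected page:",
          harvest_decoded(SAMPLE_PAGES["protected.html"]))
```

The literal scan picks up four addresses from the first two pages (case-folded and de-duplicated) and nothing from the protected page; decoding entities first recovers the hidden address, which is why entity encoding is only a speed bump, whereas the script-assembled link leaves nothing in the file for any static scan to find.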

According to Alexey Podrezov, virus researcher at F-Secure, "The worm has a dangerous payload. It encrypts all EXE files it can find in current directory and upper directories with a generated key. The payload is activated if Internet connection is not present or in case of errors during worm's operations." A full description of the Invalid worm's activities can be found in the Virus Encyclopedia.

The Invalid worm is not the first malware to pose as official Microsoft® patches. In July 2001, the Leave worm attempted to trick users into downloading a bogus security patch that instead led to infection.


©2009 About.com, a part of The New York Times Company.

All rights reserved.