Jan 4, 2011 16:57 GMT  ·  By

Security researchers from Sophos warn of a new malware distribution campaign that tries to pass an AutoRun worm as a critical Windows security update.

The spam emails carry the subject "Update your Windows" and their headers are forged so that they appear to originate from a [email protected] [intentional domain typo] address.

The rather lengthy message inside claims that a security update was recently released for all Windows versions, including Windows 2000, which is no longer supported.

Furthermore, the cybercriminals claim that the user's computer is set to receive email notifications, and they encourage the recipient to install the alleged update contained in the KB453396-ENU.zip attachment.

The executable inside the ZIP archive is not an update, but the installer for a computer worm that spreads via USB sticks and is detected by Sophos as W32/Autorun-BMF.

Because nothing is displayed when the executable is opened, the malware distributors pre-empt suspicion by claiming in the email that this is the result of OS preferences that run updates in the background.
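As an added illustration that is not part of the original article, the following Python check flags a message showing the traits described above: the fake-update subject, a sender posing as Microsoft, and a ZIP attachment wrapping an executable. The sample message is constructed here, and the indicator strings and heuristics are my own rather than Sophos' detection logic.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

FAKE_UPDATE_SUBJECTS = {"update your windows"}   # subject used in this campaign
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat")

def executables_in_zip(blob):
    """Names of members that are PE files (MZ header) or have executable extensions."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                head = zf.open(info).read(2)
                if head == b"MZ" or info.filename.lower().endswith(EXEC_EXTENSIONS):
                    found.append(info.filename)
    except zipfile.BadZipFile:
        pass  # not a ZIP at all; nothing to report from this check
    return found

def fake_update_indicators(raw):
    """Parse one raw RFC 5322 message and return the indicators that fired."""
    msg = email.message_from_bytes(raw, policy=default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in FAKE_UPDATE_SUBJECTS:
        hits.append("subject matches fake-update lure")
    if "microsoft" in (msg.get("From") or "").lower():
        hits.append("sender claims to be Microsoft")  # vendors do not mail patches
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".zip") and executables_in_zip(payload):
            hits.append("executable inside attachment " + fname)
    return hits

def build_sample():
    """Constructed message mimicking the campaign; not a real captured email."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("KB453396-ENU.exe", b"MZ" + b"\x00" * 62)  # fake PE stub
    msg = EmailMessage()
    msg["From"] = "Microsoft Update <no-reply@example.invalid>"
    msg["Subject"] = "Update your Windows"
    msg.set_content("A critical security update has been released.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="KB453396-ENU.zip")
    return msg.as_bytes()
```

Running `fake_update_indicators(build_sample())` returns all three indicators for the constructed message; on a mail gateway the same function would be applied to each inbound message and any hit quarantined for review.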

They even go as far as to impersonate a well-known Microsoft representative by signing the email message as Steve Lipner, Director of Security Assurance, Microsoft Corporation.

It seems that for this attack they modified the template used in a similar spam campaign that ran back in 2008. That explains the outdated title given to Mr. Lipner, who is now Microsoft's senior director of Security Engineering Strategy.

"Of course, Mr Lipner has nothing to do with the emails and Microsoft never distributes security updates via email attachments. Nevertheless, there have been a series of attacks that have abused his name in the past," notes Graham Cluley, senior technology consultant at antivirus vendor Sophos.

There are several elements that give this spam away, the most obvious of which is the rather poor spelling of the message. Nevertheless, users should be extra cautious when dealing with email attachments, even if they appear to originate from trusted sources. Online services like VirusTotal can be used to scan them.