"Websense® Security Labs(TM) has received reports of a new email scam disguised as a Microsoft Security Update for the recent Plug and Play vulnerability. Users receive a spoofed message requesting that they download a critical patch for MS-05-479* in order to be protected from hackers and viruses.
Upon clicking the included URL they are directed to a fraudulent website hosted in Canada, which was up and running at the time of this alert. The site uses screenshots of the real Microsoft security update site. Included is a link to the patch which is a program called "plugandplayfix.exe". The website URL is hosted on a machine which appears to have been compromised and simply has an IP address followed by:
http://<IP address removed>/update.microsoft.com/windowsupdate/v6/plugandplayfix.exe
Upon execution the Trojan Horse opens a backdoor on the machine, connects to an IRC channel, and modifies several system variables..."
*(No such patch exists)
"...Microsoft sends e-mail messages to subscribers of our security e-mail notification services when we release information about a security software update or security incident. Unfortunately, malicious individuals can and have sent fake e-mail notifications that appear to be from Microsoft, a tactic known as spoofing. Some of these messages lure recipients to Web sites to download malicious code, while others include a file attachment that contains a virus..."
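The link shape described in the Websense alert above, a bare IP address as the host with a Microsoft hostname used as a directory in the path, can be checked for mechanically in mail or proxy logs. The following is an added example, not part of either quoted notice; the watched-domain list, function names and sample URLs are assumptions, and 192.0.2.10 is a documentation address standing in for the removed IP.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: brands whose names a lure might borrow; extend for your environment.
WATCHED_DOMAINS = ("microsoft.com", "windowsupdate.com")
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".bat", ".msi")

def is_ip_literal(host):
    """True when the URL host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def brand_in_path(path, watched=WATCHED_DOMAINS):
    """Return directory segments that equal, or are subdomains of, a watched domain."""
    segments = [s.lower() for s in path.split("/") if s]
    # Without a trailing slash the final segment is a file name, not a directory.
    dirs = segments if path.endswith("/") else segments[:-1]
    return [s for s in dirs if any(s == d or s.endswith("." + d) for d in watched)]

def analyze_url(url):
    """Return the list of lure indicators found in one URL."""
    parts = urlsplit(url)
    findings = []
    if is_ip_literal(parts.hostname or ""):
        findings.append("ip-literal-host")
    findings.extend("brand-in-path:" + s for s in brand_in_path(parts.path))
    if parts.path.lower().endswith(EXECUTABLE_EXTS):
        findings.append("executable-download")
    return findings

def is_spoofed_update_link(url):
    """Flag the combination from the alert: IP host plus a brand name in the path."""
    found = analyze_url(url)
    return "ip-literal-host" in found and any(f.startswith("brand-in-path:") for f in found)

# Constructed samples; none of these come from the alert itself.
SAMPLES = [
    "http://192.0.2.10/update.microsoft.com/windowsupdate/v6/plugandplayfix.exe",
    "http://update.microsoft.com/windowsupdate/v6/default.aspx",
    "http://192.0.2.10/downloads/setup.exe",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(is_spoofed_update_link(u), analyze_url(u), u)
```

Only the first sample is flagged: the second has a real DNS host, and the third has an IP host but borrows no brand name in its path.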