Windows Update Trojan causes havoc

Trojan opens a backdoor that allows the PC to be controlled via IRC

Two newly discovered virus threats are circulating on the web, one attacking client machines and the other targeting web servers, web monitoring firm Websense warned today.

The first threat is a basic Trojan which masquerades as a Microsoft security patch. Recipients are urged to visit a spoofed URL based in Canada which uses a very similar design to Microsoft's own Update Centre and downloads a file named 'plugandplayfix.exe'.

The email, from a spoofed email address, arrives with the header 'Critical Update for Plug and Play devices MS05-4791k'. The body of the message reads:

'Please update your version of Windows at the Microsoft website. Failure to update your current version of Windows will leave your computer open to viruses and hackers. Microsoft Update Team.'

Once downloaded and run, the Trojan makes changes to the registry and opens a backdoor that allows the PC to be controlled via IRC.

It is most likely that the PC will then be used as part of a botnet and become a spam generator or take part in distributed denial of service attacks.

The second threat is a worm that targets web servers running XML-RPC for PHP prior to version 1.1.1, a sizeable minority of currently deployed systems.

The Internet Storm Centre has issued an advisory and is urging all users to update their virus scanners immediately. 

McAfee, Kaspersky, Computer Associates and Symantec have all issued signature files for the worm, which is hosted from a Norwegian website.