We've received samples of an e-mail which is being actively spammed at the moment. The e-mail purports to be from Microsoft and it is notifying the recipient of "a new vulnerability [that] has been discovered in the Microsoft WinLogon Service". It further states that the vulnerability can allow an attacker access to the unpatched system.

Of course, the user is advised to install the patch which can be downloaded from the included link.

As the e-mail body is an HTML message, the displayed link (http://www.microsoft.com/patches-win-logon-critical/winlogon_patchV1.12.exe) is not where the user will really be sent:

http:// www.redcallao.com/ [REMOVED] / winlogon_patchV1.12.exe

At the time when this diary was written, the site was still up and serving malware. AV detection although a better then first time when we tried it, is still pretty bad. Only 8 products from VirusTotal detected this:

AntiVir     6.34.1.34   05.29.2006    Heuristic/Crypted.Modified
BitDefender 7.2         05.30.2006    Trojan.BeastPWS.C
Kaspersky   4.0.2.24    05.30.2006    Trojan-Spy.Win32.Delf.jq
NOD32v2     1.1566      05.30.2006    Win32/Spy.Delf.NBR
Panda       9.0.0.4     05.29.2006    Suspicious file
Sophos      4.05.0      05.30.2006    Troj/BeastPWS-C
Symantec    8.0         05.30.2006    Infostealer

Does all this sound familiar? Sure, it's (almost) the same story that the Swen worm (or Gibe.F) tried to "sell" to the users. Hopefully this one will not come close to doing what Swen did.

UPDATE

The malware has been removed from the site above and AV vendors are slowly starting to detect it.