A spam email that takes users to a fake Microsoft Windows update website and then infects their machine is spreading fast, according to anti-virus experts.

The email contains a link to a site purporting to be a Windows update page and then exploits a recent vulnerability in Internet Explorer to infect the user with a Trojan.The fake URL is designed to fool people into clicking on it and is almost identical to the genuine Microsoft one apart from a hyphen.Attackers are apparently taking advantage of Microsoft’s Patch Tuesday to send legitimate-looking mailings to Microsoft customers that include a Trojan virus called Trojan.Backdoor.Haxdoor that could allow attackers to execute files and steal information from compromised computers.

The message urges users to run an attached file to install an update that the email said will protect from the recipient from security threats and performance problems. The fake mailing includes a legitimate-looking PGP signature, as well as purporting to come from a real Microsoft employee.

This fake phishing email making the rounds seemingly comes from Microsoft, but actually contains a “backdoor” trojan.The email has a subject line that reads, “Security Update for OS Microsoft Windows” and supposedly came from the "Microsoft Official Update Center" at a domain named securityassurance[at]microsof[dot]com.This email took advantage of a combination of social engineering techniques. The malicious attachment used Microsoft terminology, and the bottom of the email contains a PGP signature block.

Sometimes the fake e-mails claim that the recipient’s e-mail address has been discovered on a child abuse web site, and asks for a donation to prove the recipient is not a client of the site.The e-mail also has an attached file which contains a Trojan horse virus. When the file is opened, the virus infects the user’s PC.The scam e-mail falsely claims to be from the Association of Sites Advocating Child Protection (ASACP). The real ASACP have published a warning about the e-mail on their web site:www.asacp.org

Christopher Budd, a security program manager in the Microsoft Security Response Center, offers this perspective on the mailings in a security posting :

We received some questions from customers about an e-mail that’s circulating that claims to be a security e-mail from Microsoft. The e-mail comes with an attached executable, which it claims is the latest security update, and encourages the recipient to run the attached executable so they can be safe. While malicious e-mails posing as Microsoft security notifications with attached malware aren’t new (we’ve seen this problem for several years) this particular one is a bit different in that it claims to be signed by our own Steve Lipner and has what appears to be a PGP signature block attached to it. While those are clever attempts to increase the credibility of the mail, I can tell you categorically that this is not a legitimate e-mail: it is a piece of malicious spam and the attachment is malware. Specifically, it contains Backdoor:Win32/Haxdoor."

Microsoft’s October 2008 security bulletin included four critical bulletins concerning Windows, Internet Explorer, Microsoft Host Integration Server, and Microsoft Excel.

Marcus Sachs, director of SANS Internet Storm Center, told SCMagazineUS.com Friday that the organization received five reports from readers alerting them of the virus. Sachs later posted an alert about it.

"As long as your anti-virus is up-to-date, even though you are going to miss the first two things because they are new, the things it ultimately downloads should be caught."

A picture of the spam email (fake update) is below:

You should always visit the genuine Microsoft website or use automatic updating processes to keep your systems current.Microsoft never sends out security updates as email attachments, but the email tries to explain this by claiming it is “an experimental private version.”

Tags: Backdoor:Win32/Haxdoor.Trojan, spam email .