The W32.Leave.B.Worm is a variant of the W32-Leave.worm reported recently, and according to Symantec's Web site, the virus is sent via email with the Subject: Microsoft Security Bulletin MS01-037 and Message: The following is a Security Bulletin from the Microsoft Product Security Notification Service.
The bogus bulletin dramatically declares that "the Internet has seen one of the first of its downfalls" and goes on to mention the virus which has "the complexity to destroy data like none seen before".
Users are encouraged to protect their systems by downloading and installing an attached "security patch" from a linked Web site, which resembles that of Microsoft - the patch has since been removed from the hosted site.
"This fake Microsoft security bulletin uses 'tricks' similar to a trojan virus - that is, it tries to pretend to be an authentic security bulletin in order to trick you into running the attached virus," Trend Micro's Andy Liou told ZDNet.
The "trojan" tactic has been used widely, with varied success, Liou said.
"Previously trojans have even pretended to be 'antivirus updates', telling readers to run the attached file to update their antivirus protection. Obviously once the reader executes the attached file, their system is infected."
This is apparently the first time that a virus or worm has been distributed using a faked Microsoft security bulletin.
"Users should always check that the information they have received is authentic before taking any action," Liou advised.
Microsoft has been contacted for comment.

Is anyone going to ever get around to mentioning that there is a newer version using MS01-139 as the subject and using a newer variant of Leave, namely Leave.G or .H, depending on who you ask? This was all reported 5 days ago on bugtraq. One of the important bits is that since it uses a new variant, virus scanners won't pick it up until they're updated.