Reported in Codefish.  We checked out this Trojan and it’s not very friendly. 

Here is what the email looks like:

Microsoft Security Bulletin MS05-039

Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)

Summary:

Who should receive this document: Customers who use Microsoft Windows
Impact of Vulnerability: Remote Code Execution and Local Elevation of Privilege
Maximum Severity Rating: CRITICAL
Recommendation: Customers should apply the update immediately.
Security Update Replacement: None
Caveats: None
Tested Software and Security Update Download Locations:

Affected Software:

Microsoft Windows 2000 Service Pack 4 – Download the update

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 – Download the update

Microsoft Windows XP Professional x64 Edition – Download the update

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 – Download the update

Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems – Download the update

Microsoft Windows Server 2003 x64 Edition – Download the update

Non-Affected Software:

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

Executive Summary:

This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in Plug and Play (PnP) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Conclusion: We recommend that customers apply the update immediately.

© 2005 Microsoft Corporation. All rights reserved.  Terms of Use | Trademarks | Privacy Statement
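
Microsoft does not distribute security updates as e-mail attachments, so the combination in this message (a genuine-looking bulletin number plus an attached executable named like a KB package) is itself a usable mail-filter signal. The following Python is an added example, not code from the original post: it rebuilds a stand-in of the message with the standard-library email package (the addresses and the attachment bytes are constructed placeholders) and flags an executable attachment in any message that cites an MS bulletin, plus a KB number in the attachment name that the message text never mentions. The extension list and the regexes are my assumptions.

```python
import os
import re
from email.message import EmailMessage

# Regexes are assumptions for this example: bulletin ids look like MS05-039,
# and KB package names embed the article number, as in Windows-KB899588-x86-ENU.exe.
BULLETIN_RE = re.compile(r"\bMS\d{2}-\d{3}\b")
KB_RE = re.compile(r"KB(\d{6,7})", re.IGNORECASE)
# Executable-ish extensions worth flagging when they arrive by mail (assumption).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}


def lure_indicators(msg):
    """Return reasons this message looks like a fake-bulletin lure ([] if none)."""
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}"
    bulletins = sorted(set(BULLETIN_RE.findall(text)))
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXT:
            continue
        if bulletins:
            # Real bulletins point at Windows Update / Download Center; they never attach a binary.
            reasons.append(f"executable {name!r} attached to a message citing {', '.join(bulletins)}")
        m = KB_RE.search(name)
        if m and m.group(1) not in text:
            reasons.append(f"attachment {name!r} names KB{m.group(1)}, which the text never mentions")
    return reasons


def build_lure():
    """Constructed stand-in for the message quoted above (not the real sample)."""
    msg = EmailMessage()
    msg["Subject"] = "Microsoft Security Bulletin MS05-039"
    msg["From"] = "bulletins@example.invalid"  # placeholder sender
    msg["To"] = "user@example.invalid"
    msg.set_content(
        "Vulnerability in Plug and Play Could Allow Remote Code Execution "
        "and Elevation of Privilege (899588)\n"
        "Recommendation: Customers should apply the update immediately.\n"
    )
    # Placeholder bytes stand in for the dropper; only the filename matters here.
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="Windows-KB899588-x86-ENU.exe")
    return msg


def build_benign():
    """A plain advisory notice with no attachment: should produce no indicators."""
    msg = EmailMessage()
    msg["Subject"] = "Reminder: MS05-039 rollout this week"
    msg.set_content("Patch via Windows Update or the Download Center, not from attachments.\n")
    return msg


if __name__ == "__main__":
    for reason in lure_indicators(build_lure()):
        print("FLAG:", reason)
    print("benign:", lure_indicators(build_benign()))
```

The second check (KB number in the filename absent from the body) does not fire on this sample because the lure is internally consistent; it catches the sloppier variants where the attachment and the quoted bulletin disagree.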


Loading the trojan, here’s what it looks like:

[Three screenshots of the running trojan appeared here in the original post.]

I checked the file at Virustotal.com; the results are as follows
(“No virus found” means that the virus scanner did not detect it):

This is a report processed by VirusTotal on 12/12/2005 at 18:59:39 (CET) after scanning the file “Windows-KB899588-x86-ENU.exe”.

Antivirus      Version         Update      Result
Avast          4.6.695.0       12.10.2005  No virus found
AVG            718             12.08.2005  No virus found
McAfee         4648            12.12.2005  No virus found
NOD32v2        1.1319          12.12.2005  No virus found
Norman         5.70.10         12.12.2005  No virus found
TheHacker      5.9.1.053       12.12.2005  No virus found
F-Prot         3.16c           12.09.2005  security risk or a “backdoor” program
AntiVir        6.33.0.61       12.12.2005  TR/Luhn
Avira          6.33.0.61       12.12.2005  TR/Luhn
Panda          8.02.00         12.12.2005  Trj/Spy.Luhn
Sophos         4.00.0          12.12.2005  Troj/Dropper-BV
Symantec       8               12.12.2005  Trojan.Dropper
DrWeb          4.33            12.12.2005  Trojan.Sklog
BitDefender    7.2             12.12.2005  Trojan.Spy.Luhn.A
ClamAV         devel-20051108  12.12.2005  Trojan.Spy.W32.Luhn
CAT-QuickHeal  8               12.12.2005  TrojanSpy.Luhn.a
Kaspersky      4.0.2.24        12.12.2005  Trojan-Spy.Win32.Luhn.a
VBA32          3.10.5          12.12.2005  Trojan-Spy.Win32.Luhn.a
Fortinet       2.54.0.0        12.11.2005  W32/SpyLuhn.A-dr
eTrust-Iris    7.1.194.0       12.11.2005  Win32/Luhn!Spy!Dropper
eTrust-Vet     12.3.3.0        12.12.2005  Win32/Luhn.A
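
A multi-engine report like this one is only useful once it is turned into a detection ratio and a naming consensus, and the raw VirusTotal text of that era copied out with the columns run together. The following Python is an added example, not part of the original post: it takes the 21 result rows in that run-together form (engine, version, signature date and verdict concatenated), splits each row using the dd.mm.yyyy date as an anchor and the engine names listed in the report, then counts misses and picks the family token shared by the most verdicts. The engine list, the set of generic class tokens and the output shape are my assumptions; the row data is copied from the report above.

```python
import re
from collections import Counter

# The 21 result rows from the VirusTotal report quoted in the post, in the
# run-together form the raw report text comes out as (engine, version,
# signature date and verdict with no separator between them).
RAW_ROWS = """\
Avast4.6.695.012.10.2005No virus found
AVG71812.08.2005No virus found
McAfee464812.12.2005No virus found
NOD32v21.131912.12.2005No virus found
Norman5.70.1012.12.2005No virus found
TheHacker5.9.1.05312.12.2005No virus found
F-Prot3.16c12.09.2005security risk or a "backdoor" program
AntiVir6.33.0.6112.12.2005TR/Luhn
Avira6.33.0.6112.12.2005TR/Luhn
Panda8.02.0012.12.2005Trj/Spy.Luhn
Sophos4.00.012.12.2005Troj/Dropper-BV
Symantec812.12.2005Trojan.Dropper
DrWeb4.3312.12.2005Trojan.Sklog
BitDefender7.212.12.2005Trojan.Spy.Luhn.A
ClamAVdevel-2005110812.12.2005Trojan.Spy.W32.Luhn
CAT-QuickHeal812.12.2005TrojanSpy.Luhn.a
Kaspersky4.0.2.2412.12.2005Trojan-Spy.Win32.Luhn.a
VBA323.10.512.12.2005Trojan-Spy.Win32.Luhn.a
Fortinet2.54.0.012.11.2005W32/SpyLuhn.A-dr
eTrust-Iris7.1.194.012.11.2005Win32/Luhn!Spy!Dropper
eTrust-Vet12.3.3.012.12.2005Win32/Luhn.A
"""

# Engine names as they appear in the report (assumed known up front). They are
# needed because name and version are glued together ("NOD32v2" + "1.1319");
# longest names are tried first so a short name never shadows a longer one.
ENGINES = sorted(
    ["Avast", "AVG", "McAfee", "NOD32v2", "Norman", "TheHacker", "F-Prot",
     "AntiVir", "Avira", "Panda", "Sophos", "Symantec", "DrWeb", "BitDefender",
     "ClamAV", "CAT-QuickHeal", "Kaspersky", "VBA32", "Fortinet",
     "eTrust-Iris", "eTrust-Vet"],
    key=len, reverse=True)

# The signature date (dd.mm.yyyy) is the only reliably shaped field, so it
# anchors the split: everything before it is engine+version, everything after
# it is the verdict. The lazy group takes the first position where a date fits.
ROW_RE = re.compile(r"^(.*?)(\d{2}\.\d{2}\.\d{4})(.*)$")

# Tokens that name a class rather than a family and so carry no naming
# consensus (assumption for this example).
GENERIC = {"trojan", "troj", "trj", "trojanspy", "spy", "w32", "win32", "tr",
           "dropper", "dr", "security", "risk", "or", "backdoor", "program"}

MISS = "No virus found"


def parse_row(line):
    """Split one run-together row into engine, version, update date and result."""
    m = ROW_RE.match(line)
    if not m:
        raise ValueError(f"unparseable row: {line!r}")
    head, updated, result = m.groups()
    engine = next((e for e in ENGINES if head.startswith(e)), None)
    if engine is None:
        raise ValueError(f"unknown engine in {head!r}")
    return {"engine": engine, "version": head[len(engine):],
            "updated": updated, "result": result}


def parse_report(text):
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def family_consensus(results):
    """Return (token, count) for the family token shared by the most verdicts."""
    candidates = set()
    for res in results:
        for tok in re.split(r"[^A-Za-z0-9]+", res.lower()):
            if len(tok) >= 3 and tok not in GENERIC and not tok.isdigit():
                candidates.add(tok)
    # Substring matching lets "luhn" also count verdicts like "SpyLuhn".
    counts = Counter({c: sum(1 for r in results if c in r.lower()) for c in candidates})
    return counts.most_common(1)[0] if counts else (None, 0)


def summarize(rows):
    hits = [r for r in rows if r["result"] != MISS]
    return {
        "total": len(rows),
        "detected": len(hits),
        "missed": [r["engine"] for r in rows if r["result"] == MISS],
        "family": family_consensus([r["result"] for r in hits]),
    }


if __name__ == "__main__":
    s = summarize(parse_report(RAW_ROWS))
    print(f"{s['detected']}/{s['total']} engines detected; missed by {', '.join(s['missed'])}")
    print(f"family consensus: {s['family'][0]} ({s['family'][1]} verdicts)")
```

On this report the summary comes out as 15 of 21 engines detecting, six misses (Avast, AVG, McAfee, NOD32v2, Norman, TheHacker), and "luhn" as the family shared by 11 of the 15 verdicts; the dropper-only and Sklog names are the outliers a triage analyst would note rather than treat as disagreement about what the file is.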


Alex Eckelberry
(Hat tip to Sunbelt researchers Eric Sites, Eric Howes and Patrick Jordan)
