Nasty Worm Poses as MS Security Update
The Register
| 09/19/03
| John Leyden
Posted on 09/19/2003 10:03:08 AM PDT by Salo
Windows users were yesterday warned of the appearance of a worm that poses as a security update from Microsoft but actually causes all manner of mischief on infected PCs.
Swen-A (AKA Gibe-F) is a mass-mailing worm that also attempts to spread through file-sharing networks, such as KaZaA and IRC, and over local area network shares. The worm attempts to de-activate antivirus and personal firewall programs running on an infected computer.
AV vendors warn that the worm is spreading rapidly and that disinfection is difficult. As usual this is a Windows-only menace - Linux, Mac, OS/2 and Unix users are immune.
Managed services firm MessageLabs reports today that it has blocked copies of Swen-A 35,400 times since first intercepting it on September 14. Initial copies all originated from Slovakia, and some later copies originated from the Netherlands, the company reports, adding that MessageLabs' subscribers in the US, UK and the Netherlands have been most heavily targeted by the worm.
Swen-A uses a well known vulnerability in Internet Explorer to execute directly from e-mail. Windows users can also catch the pox by executing an infected email attachment.
Finnish AV firm F-Secure compares the worm to Gibe, and believes it is likely that the same author wrote both worms.
Swen-A (like Gibe and numerous other viruses before it) purports to be a security alert from Microsoft. This time around infectious messages come with a well-presented HTML message complete with graphics that are more likely to trip up the unwary.
The worm can also impersonate mail delivery failure notices, attaching itself as a randomly named executable.
Swen-A attempts to spread by emailing itself using its own SMTP client to addresses extracted from various sources on the victim's drives (e.g. MBX and DBX files). Periodically the worm presents users with a fake MAPI Exception error, prompting them to enter the details of their email account (name, user name, servers).
Sneaky.
Swen-A also makes modifications which make it hard to run RegEdit, along with other changes to infected PCs explained in advisories from F-Secure and Symantec.
Windows users are advised to update the virus signature files on their AV scanners to defend themselves against the worm, which is all very well but the reason the virus got a hold in the first place is probably because of the shortcomings of the scanner model. ®
TOPICS: Business/Economy; Technical
KEYWORDS: lowqualitycrap; microsoft; security; virus; windows; worm
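A defender-side illustration of the two lures the article describes (a message claiming to be a Microsoft security update, and a fake delivery-failure notice, each carrying an executable attachment): this is an added example, not code from The Register or any AV vendor, and the keyword lists, function names and sample messages are constructed for the demonstration.

```python
"""Mail-gateway heuristic for Swen-style lures. Constructed example: the keyword
lists, thresholds and sample messages are mine, not from the article or a vendor."""
import email
from email import policy
from email.message import EmailMessage
from typing import List

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")  # Windows-executable attachment types
PATCH_WORDS = ("security update", "security patch", "critical update", "cumulative patch")
BOUNCE_WORDS = ("undeliverable", "delivery failure", "returned mail", "mail delivery")

def executable_attachments(msg: EmailMessage) -> List[str]:
    """Filenames of attached parts that carry an executable extension."""
    return [fn for fn in (p.get_filename() or "" for p in msg.iter_attachments())
            if fn.lower().endswith(EXEC_EXT)]

def classify(raw: bytes) -> List[str]:
    """Return the lure indicators matched by one RFC 822 message ([] = nothing matched)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From", "")).lower()
    subject = str(msg.get("Subject", "")).lower()
    if not executable_attachments(msg):
        return []  # both lures below only matter when an executable payload is attached
    hits = []
    # Lure 1: the vendor does not ship patches by mail, so "Microsoft" + patch wording + .exe is a red flag.
    if "microsoft" in sender and any(w in subject for w in PATCH_WORDS):
        hits.append("vendor_patch_lure")
    # Lure 2: a genuine bounce quotes the original mail; it does not attach a fresh executable.
    if any(w in subject for w in BOUNCE_WORDS):
        hits.append("fake_bounce")
    return hits

def build(sender: str, subject: str, body: str, attachment: str = "") -> bytes:
    """Assemble a constructed test message (a tiny fake MZ header stands in for a real binary)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.test", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

# Constructed samples: a patch lure, a fake bounce carrying a worm, and a legitimate bounce.
PATCH_LURE = build('"Microsoft Security" <security@microsoft.example>',
                   "Latest Security Update", "Install the attached patch.", "security-patch.exe")
FAKE_BOUNCE = build("postmaster@mail.example", "Undeliverable Mail Returned to Sender",
                    "Your message could not be delivered.", "message.exe")
REAL_BOUNCE = build("postmaster@mail.example", "Undeliverable Mail", "User unknown.")

if __name__ == "__main__":
    for name, raw in (("patch lure", PATCH_LURE), ("fake bounce", FAKE_BOUNCE), ("real bounce", REAL_BOUNCE)):
        print(f"{name}: {classify(raw) or 'clean'}")
```

The check is deliberately narrow: it only fires when an executable is actually attached, so a legitimate bounce or a text-only notice passes through untouched.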
Terrorists, careful with those weapons! Also, I realize this was covered somewhat yesterday, but this is a new article.
1 posted on 09/19/2003 10:03:09 AM PDT by Salo
To: rdb3
Pinging the Penguin Pinger.
2 posted on 09/19/2003 10:03:34 AM PDT by Salo (Are you a man, or a mouse-user?)
To: Bush2000; Golden Eagle; Coral Snake; TheEngineer
We need an MS ping, too. :-)
3 posted on 09/19/2003 10:04:28 AM PDT by Salo (Are you a man, or a mouse-user?)
To: Salo
I talk to people until I am blue in the face and they still screw up. NEVER RUN ANYTHING YOU GET IN EMAIL. Do they listen? No.
And it doesn't help that our IT dept sent an email telling people to apply an update from their website. SHEESH!!
4 posted on 09/19/2003 10:05:05 AM PDT by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)
To: Salo
I wonder how much of this is being created by Linux, Mac, OS/2 and Unix employees looking to get back into the market?
5 posted on 09/19/2003 10:05:34 AM PDT by A CA Guy (God Bless America, God bless and keep safe our fighting men and women.)
To: AppyPappy
Some of it also poses as a jpg or gif, so there is that issue as well.
6 posted on 09/19/2003 10:06:14 AM PDT by A CA Guy (God Bless America, God bless and keep safe our fighting men and women.)
To: A CA Guy
I tell them "If you don't know what it is, don't open it". I don't care if it came from the President.
7 posted on 09/19/2003 10:08:42 AM PDT by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)
To: A CA Guy
And while I am ranting, why can't I talk people into NOT sending messages in Word Documents. Every baby shower comes in a Word document. You know, that application that can carry VBA viruses.
And don't get me started on Webshots. A freaking hole in the firewall.
8 posted on 09/19/2003 10:10:28 AM PDT by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)
To: Salo
Thanks for the update. This shows just how diabolical these hacker fanatics are. Anything to vandalize personal property, including masquerading as a security patch to sneak attack the helpless. They are gutless punks and should have to spend the rest of their lives on a disconnected PC running Windows 1.0.
To: A CA Guy
"I wonder how much of this is being created by Linux, Mac, OS/2 and Unix employees looking to get back into the market?"
I would imagine none. Real companies don't pull crap like this because of what happens when they get caught. Think of that useless fatboy in Minnesota: he's more along the lines of what you are looking for. I'm hoping he becomes currency in the prison cigarette trade very soon.
10 posted on 09/19/2003 10:17:59 AM PDT by Salo (Are you a man, or a mouse-user?)
To: Golden Eagle
"They are gutless punks and should have to spend the rest of their lives on a disconnected PC running Windows 1.0."
Damn, dude, that's worse than the death penalty. :-)
11 posted on 09/19/2003 10:22:00 AM PDT by Salo (Are you a man, or a mouse-user?)
To: Salo
I've gotten 6 emails today, purporting to be from "Microsoft Security" which were infected with the Automat.H worm. Symantec deleted them.
Microsoft never sends patches through email. If you have "Automatic Updates" in Control Panel set to "Notification" an icon will appear in the system tray.
12 posted on 09/19/2003 10:23:55 AM PDT by Alouette (The bombing begins in five minutes.)
To: Alouette
Correct. My Zone Alert firewall has stopped dozens of these over the past five days alone. Also glad I ditched McAffy and got Norton.
To: Salo
"a mass-mailing worm that also attempts to spread through file-sharing networks, such as KaZaA and IRC, and over local area network shares"
Anyone who opens up his computer to hackers with Kazaa or some other file sharing program is asking for big trouble.
14 posted on 09/19/2003 10:29:13 AM PDT by Cicero (Marcus Tullius)
To: Salo
Good thing the Department of Homeland SECURITY!!! has gone with M$. Makes me feel really safe - Ugghhhhh!!!
15 posted on 09/19/2003 10:45:45 AM PDT by SengirV
To: SengirV
"Good thing the Department of Homeland SECURITY!!! has gone with M$. Makes me feel really safe - Ugghhhhh!!!"
Let's blame MS. We wouldn't want to blame the bastard hackers that actually commit these crimes... /SARCASM
16 posted on 09/19/2003 10:54:07 AM PDT by Bush2000
To: SengirV
"Good thing the Department of Homeland SECURITY!!! has gone with M$. Makes me feel really safe - Ugghhhhh!!!"
Might as well learn to speak Farsi. :-)
17 posted on 09/19/2003 11:04:26 AM PDT by Salo (Are you a man, or a mouse-user?)
To: AppyPappy
"And don't get me started on Webshots. A freaking hole in the firewall."
Even worse, I think, is weatherbug. Man, I never had so many popups and viruses as I did when I had that thing installed. I took it out, and the popups STOPPED.
18 posted on 09/19/2003 11:10:12 AM PDT by redhead (Mom said you're not the boss of me)
To: redhead
I did a webapp (php/Access... thanx for asking) for the school and went to test it. The person fired up the URL and a FREAKING POPUP jumped in. I almost had a coronary. Why is my webapp throwing out popups for a drug company?!! The person said "Oh that's because I have Webshots". I could have shot her.
19 posted on 09/19/2003 11:20:14 AM PDT by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)
To: Cicero
This is what the e-mail looks like. I got it today by e-mail, and I never file swap. (Image is from Symantec.)