New Worm Comes Disguised As Windows Warning
Washington Post | 09/19/03 | Brian Krebs

Posted on 09/19/2003 1:10:53 PM PDT by bedolido

Computers running Microsoft's Windows operating system are falling prey to a new Internet worm that disguises itself as an official virus warning from Microsoft Corp.

Spread via e-mail, the "Swen" worm appears to do little damage, but experts say the unknown author's painstaking attempt to make it look like a real security bulletin from Microsoft shows a level of trickery new to Internet virus and worm attacks.

"This is a level of creativity we've not seen before," said Tony Magallanez, a San Jose, Calif.-based systems engineer for F-Secure, a Finnish anti-virus company. "This is a very authentic looking message that definitely uses some sophisticated social engineering tactics."

The worm takes advantage of a flaw discovered almost two years ago in Microsoft's Internet Explorer Web browser that allows hackers to infiltrate people's computers. Users who have not downloaded and installed the patch against the flaw are infected immediately.

Even users who have downloaded the patch can be infected if they click on the attachment that comes with the e-mail. Once started, the virus launches a program that looks nearly identical to one that Microsoft uses to install Windows security updates.

The worm, disguised as the installation program, asks: "This will install Microsoft Security Update. Do you want to continue?" Users who click the "yes" button are greeted with a graphic that tracks the progress of the worm's installation. The worm infects the computer even if the user clicks "no."

(Excerpt) Read more at washingtonpost.com ...


TOPICS: Crime/Corruption; Front Page News; Miscellaneous; News/Current Events
KEYWORDS: disguised; lowqualitycrap; microsoft; warning; windows; worm

1 posted on 09/19/2003 1:10:54 PM PDT by bedolido

To: bedolido
Have been getting "use this patch immediately" email from ?? "Microsoft". I have not opened it for fear of what it may be.

Is this what you are talking about??
2 posted on 09/19/2003 1:21:50 PM PDT by camas

To: camas
It sounds like it. I don't know. Sorry.
3 posted on 09/19/2003 1:24:51 PM PDT by bedolido (I can forgive you for killing my sons, but I cannot forgive you for forcing me to kill your sons)

To: bedolido
I received an e-mail claiming to be from Microsoft with all kinds of links in it. I deleted it.

Best bet is to go to microsoft.com and from there get your updates, at least you should get authentic ones.

And on a similar topic I am very pleased with an anti spam solution from SpamPal.org. And it's free! Now at most 1 or 2 get thru per day and 100-200 get canned. It's working so well I won't have to buy Valium advertised at cut rates by spammers!

4 posted on 09/19/2003 1:44:45 PM PDT by Voltage

To: Voltage
And on a similar topic I am very pleased with an anti spam solution from SpamPal.org. And it's free! Now at most 1 or 2 get thru per day and 100-200 get canned. It's working so well I won't have to buy Valium advertised at cut rates by spammers!

Thanks for the info. I'll download it tonight. I have McAfee Spamkiller and it's pure crapolla (it wasn't free either).

5 posted on 09/19/2003 1:46:56 PM PDT by bedolido (I can forgive you for killing my sons, but I cannot forgive you for forcing me to kill your sons)

To: camas
I got two of those "Microsoft" messages the other day.....but...if you notice they don't have any coding to indicate WHERE they are from.....I dumped them, and emailed friends and family to NOT open them either.
6 posted on 09/19/2003 1:47:50 PM PDT by goodnesswins (Offend a Liberal commie.....tell them you're a Conservative and proud of it.)

To: goodnesswins
It's a paradox. The sociopath smart enough to put together a worm like this, is inevitably far too stupid to write a convincing "official email from Microsoft."

Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!

Oh yes. Sure. Right. That's VERY convincing.

There are dangerous virus in the Internet now! Its hugh!very series!

7 posted on 09/19/2003 3:00:47 PM PDT by ChemistCat (I have two daughters. I know peacemaking. What we're doing in Israel ain't it.)

To: bedolido
experts say the unknown author's painstaking attempt to make it look like a real security bulletin from Microsoft shows a level of trickery new to Internet virus and worm attacks.

But there's just one catch. Microsoft doesn't send security patches by email.

8 posted on 09/19/2003 3:02:48 PM PDT by Alouette (The bombing begins in five minutes.)

To: camas
is this what you are talking about??

Yes - that's it.

9 posted on 09/19/2003 3:03:45 PM PDT by TomServo ("Upon further review, the refs find that Cody is dead. The play stands -- Cody is dead.")

To: bedolido
Got two this morning, the first one was from "ms security section" and stated it was a security patch, however, the second was a "return message: user unknown" notice. Same virus though, both caught by Norton thankfully.
10 posted on 09/19/2003 3:27:20 PM PDT by agrace

To: ChemistCat
It's Japinglish, you know, like:

"All your base are belong to us!"

11 posted on 09/19/2003 4:38:43 PM PDT by dmcnash

To: camas
yep.

I got my first hit of this tonight. I sh!tcanned it immediately, unopened, unread, certainly without opening the attachment.

Rule of thumb: I NEVER open ANY e-mail with an attachment which comes unsolicited from any source. Period, paragraph, end of story.
12 posted on 09/19/2003 10:17:44 PM PDT by King Prout (people hear and do not listen, see and do not observe, speak without thought, post and not edit)

To: bedolido
I checked a free internet email account that I have, and there were about six different spoof emails from MS Customer Support with the "latest cumulative patch." Also waiting for me was the Nigerian scam and a clone from South Africa.

-PJ

13 posted on 09/19/2003 10:27:22 PM PDT by Political Junkie Too (It's not safe yet to vote Democrat.)

To: All
Last August Microsoft kept saying over and over that they DON'T send out emails about their patches!
14 posted on 09/19/2003 10:55:21 PM PDT by WaterDragon (America the beautiful, I love this nation of (legal) immigrants.)
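
Added example, not part of the thread or the article: a mail-triage sketch of the rule several posters arrive at, that a message claiming to come from Microsoft and carrying a program is not a real patch. The extension list, the verdict names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".bat", ".com")  # assumed list
VENDOR_CLAIM = re.compile(r"\b(microsoft|ms)\b", re.IGNORECASE)


def executable_attachments(msg):
    """Return filenames of attachments whose extension is executable."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        # Trailing dots/spaces are stripped so "patch.exe." is still caught.
        if name and name.lower().rstrip(". ").endswith(EXECUTABLE_EXTS):
            names.append(name)
    return names


def triage(raw):
    """Classify one raw message as 'quarantine', 'hold' or 'deliver'."""
    msg = message_from_bytes(raw, policy=policy.default)
    display, _addr = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    claims_vendor = bool(VENDOR_CLAIM.search(display + " " + subject))
    exes = executable_attachments(msg)
    # The From address is deliberately ignored: it is trivially forged, so a
    # microsoft.com sender does not clear a message that carries a program.
    if exes and claims_vendor:
        return "quarantine"
    if exes:
        return "hold"  # e.g. a fake bounce notice with a program attached
    return "deliver"


def build_sample(sender, subject, attachment=None):
    """Build a constructed test message (not a captured worm sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.org", subject
    m.set_content("Please install the attached update.")
    if attachment:
        m.add_attachment(b"MZ-placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()
```
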
