A new mass-mailing virus masquerading as a security
patch from Microsoft
is on the loose and anti-virus
experts say it has the ability to steal account information and e-mail
server details from infected systems.
The W32.Swen.A@mm or W32.Gibe.B@mm (Swen/Gibe) virus couldn’t have come at a worst time for Microsoft and computer users in general — now that software patches to fix buggy code has slowly crept into the public lexicon. After the SoBig and MSBlaster in August made national headlines, security experts now fear the heightened attention will now cause many victims to blindly fall prey to the new masquerade.
The new virus, which originated in
Europe, has started infected e-mail inboxes in the U.S., arriving with a
.EXE attachment with the subject line “Microsoft Internet Update Pack”,
“Microsoft Critical Patch” or “Newest Security Update”.
According to Symantec Security Response, the worm uses its own SMTP
engine to spread itself and attempts to kill anti-virus and personal
firewall programs running on a computer. Swen/Gibe is also capable of
exploiting a known Internet Explorer vulnerability to spread via
peer-to-peer networks like Kazaa and IRC.
Ken Dunham, Malicious Code Intelligence Manager for Virginia-based
iDefense, warned that the Swen/Gibe worm “is quickly gaining ground in
Europe and has the potential to become
very widespread in a short period of time.”
Dunham said Swen/Gibe preys on the good nature of individuals who want to
ensure computers are patched in the wake of a rise in security vulnerability
warnings. He described the virus as “highly virulent” with the ability to
auto-start in a variety of ways on an infected computer.
The virus, which was written in C++, auto-executes the e-mail attachment
on vulnerable computers by exploiting a known Microsoft vulnerability
(MS01-020) and is capable of swiping an infected user’s name, password and
e-mail server details, Dunham warned.
To curb the spread of Swen/Gibe, Dunham suggested that .EXE files be
blocked at the gateway. In addition, he recommended users avoid the use of
instant messaging (IM) and P2P software.
According to iDefense’s Dunham, Home, SOHO, and Asian based computers are
at the greatest risk for this type of attack since they are the sectors that
traditionally update against such patches at a much lower rate as compared
to that of the corporate world in the U.S.
He suggested enterprise IT admins educate users about the dangers of
believing unsolicited e-mails sent to them from well-known companies such as
Microsoft. “Warn them about not executing any attachments claiming to be a
patch, update, or virus fix,” he added.
“The P2P filenames are also designed to appear as a fix tool for various
viruses that are household names, such as SoBig and BugBear. This type of
social engineering has proven to be highly effective in former e-mail based
worms,” he added.