From: ccie2be (ccie2be@nyc.rr.com)
Date: Fri Sep 19 2003 - 21:43:26 GMT-3
http://www.informationweek.com/story/showArticle.jhtml?articleID=1500013
4
Virus Posing As Microsoft E-Mail Spreads Fast Sept. 19, 2003
Swen, a blended-threat worm, has accounted for more than 35,000
interceptions, according to E-mail filtering firm MessageLabs.
By Gregg Keizer, TechWeb News
Less than 24 hours after first being detected, the Swen blended-threat
worm picked up steam Friday, gained a foothold in the United States and
the United Kingdom, and accounted for more than 35,000 interceptions by
E-mail filtering firm MessageLabs.
Swen, also called W32/Swen@MM, Gibe, and W32/Gibe-F, masquerades as
E-mail from Microsoft and purports to carry a security update as its
file attachment. The worm can also propagate over Internet Relay Chat
and peer-to-peer files sharing networks such as Kazaa, as well as over
network shares within the firewall if a machine inside a company is
infected.
"It is highly effective in spreading because it looks very official and
masquerades as a legitimate E-mail from Microsoft or as a fix tool for a
well-known virus," said Ken Dunham, an analyst with security firm
iDefense.
Most security firms reacted to the fast-spreading worm by boosting their
threat levels. Symantec, for instance, increased its ranking for Swen
from a "2" to a "3" on its 1-through-5 scale, while Network Associates
revised its rating from "low" to "medium."
MessageLabs, a U.K.-based message filtering company, said it has
detected more than 35,000 instances of the worm, which now leads all
other viruses and worms in the wild.
After additional analysis, iDefense's Dunham called the new worm "eerily
similar to Sobig," the worm that clogged in-boxes last month.
Not only does Swen attempt to steal confidential information from an
infected computer--leading in the most dire situation to theft of E-mail
and other computer account data--but it also communicates with 230
remote IP addresses, as well as to a remote Web site to track
infections.
So far, the reasons why the worm communicates with the 200-some other
computers isn't known.
Swen also presents problems for users who haven't deployed a
2-1/2-year-old patch for vulnerability in Internet Explorer 5.01 (but
not 5.01 with SP2 installed) and IE 5.5. The vulnerability stems from a
flaw in how IE handles MIME types in HTML-based E-mail. Windows systems
still vulnerable to this flaw are especially at risk, since Swen
exploits the security gaffe to automatically, without user intervention,
execute the worm. Users who haven't rolled out this patch should do so
immediately.
***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***
This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:32 GMT-3