AusCERT Update AU-2003.015 - New email virus/worm "Swen" masquerades as
Microsoft Update
19 September 2003
Users and system administrators should be aware of a new mass-mailer worm
that purports to be the "September 2003, Cumulative Patch" for MS Internet
Explorer, MS Outlook and MS Outlook Express. The worm arrives as an
attachment with a .exe extension. In addition to email vectors, Swen will
attempt to spread through file-sharing networks and will attempt to disable
antivirus programs and personal firewall programs on an infected computer.
This particular executable may be detected by anti-virus systems as the
W32/Gibe-F virus. It may also arrive in an email message appearing to be
a qmail delivery failure notice.
Some email subject lines that Swen may use are:

    New Internet Security Update
    net security upgrade
    New Net Critical Update
    Mail: User unknown
REFERENCES:
[1] Protecting your computer from malicious code
http://www.auscert.org.au/render.html?it=3352
[2] Information on Bogus Microsoft Security Bulletin E-mails
http://www.microsoft.com/technet/security/news/patch_hoax.asp
[3] F-Secure Virus Descriptions
http://www.europe.f-secure.com/v-descs/swen.shtml
[4] Symantec Security Response - W32.Swen.A@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html
[5] Computer Associates Virus - Win32.Swen.A
http://www3.ca.com/virusinfo/virus.aspx?ID=36939
[6] McAfee Security
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100662
[7] Trend Micro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A&VSect=T
[8] Sophos virus analysis: W32/Gibe-F
http://www.sophos.com/virusinfo/analyses/w32gibef.html
[9] MessageLabs
http://www.messagelabs.com/viruseye/info/default.asp?virusname=W32%2FGibe%2EE%2Dmm
When possible, upgrade all anti-virus software to use the latest definition
files as soon as they become available.
Ensure that all network file shares are disabled unless necessary and if
possible ensure that active shares are password protected.
AusCERT advises members to disseminate and take action on this information
to prevent any undesirable activity by this virus within their sites. Users
should again be reminded that unsolicited attachments should not be opened.
Regards,
The AusCERT Team