From TechWeb:
Virus Posing As Microsoft E-mail Spreads Fast
September 19, 2003 (1:09 p.m. EST)
By Gregg Keizer, TechWeb News

Less than 24 hours after first being detected, the Swen blended-threat worm picked up steam Friday, gained a foothold in the U.S. and the U.K., and accounted for over 35,000 interceptions by e-mail filtering firm MessageLabs.

Swen -- also called W32/Swen@MM, Gibe, and W32/Gibe-F -- masquerades as e-mail from Microsoft, and purports to carry a security update as its file attachment. The worm can also propagate over Internet Relay Chat (IRC) and peer-to-peer file sharing networks such as KaZaA, as well as over network shares within the firewall if a machine inside the enterprise is infected.

“It is highly effective in spreading because it looks very official and masquerades as a legitimate e-mail from Microsoft, or as a fix tool for a well-known virus,” said Ken Dunham, an analyst with security firm iDefense.

Most security firms reacted to the fast-spreading worm by boosting their threat levels. Symantec, for instance, increased its ranking for Swen from a '2' to a '3' in its 1 through 5 scale, while Network Associates revised its rating from 'low' to 'medium.'

According to MessageLabs, a U.K.-based message filtering company, it has detected more than 35,000 instances of the worm, which now leads all other viruses and worms in the wild.

After additional analysis, iDefense's Dunham called the new worm “eerily similar to Sobig,” the worm that clogged inboxes in August. Not only does Swen attempt to steal confidential information from an infected computer -- leading in the most dire situation to theft of e-mail and other computer account data -- but it also communicates with 230 remote IP addresses, as well as to a remote Web site to track infections. So far, the reasons why the worm communicates with the 200-some other computers aren't known.

Swen also presents problems for users who haven't deployed a two-and-a-half-year-old patch for a vulnerability in Internet Explorer 5.01 (but not 5.01 with SP2 installed) and IE 5.5. (The vulnerability stems from a flaw in how IE handles MIME types in HTML-based e-mail.) Windows systems still vulnerable to this flaw are especially at risk, since Swen exploits the security gaffe to automatically -- without user intervention -- execute the worm. Users who haven't rolled out this patch should do so immediately.
__________________
2002 Almond Pearl Limited Edition PT Cruiser 27K It's nice to be important but it's more important to be nice. http://sci-fi.ptenthusiasts.net/
From TechWeb:
How To Protect Yourself Against Swen and MSBlaster II
September 19, 2003 (1:21 p.m. EST)
By Gregg Keizer, TechWeb News

With the fast-paced spread of the Swen worm and ongoing concerns that a second MSBlaster worm will soon strike, a variety of security experts and analysts made recommendations Friday on ways to detect and remove the first, and thwart the second.

Swen

To defend against the Swen/Gibe worm, anti-virus firms such as Symantec and Network Associates recommend that users update their anti-virus definition files as soon as possible. All the virus vendors have accounted for Swen in their definitions, and have posted updates on their sites.

Most anti-virus software will also detect an existing Swen infection, even if the software's been installed after Swen has compromised the system. Removing the worm, however, is currently a laborious process that involves searching for instances of the worm's files and editing the Windows Registry. An example of the instructions for such manual cleansing can be found on the Trend Micro Web site.

Although no automated removal tools are currently posted on the Internet, a spokesperson for Symantec said that the anti-virus firm would have one ready and available for downloading sometime after noon, Pacific Time, Friday. A link to the tool will be placed on the Symantec page dedicated to the Swen worm.

Systems that have been patched with the Microsoft fix to the MIME header vulnerability in Internet Explorer will not automatically execute the worm's payload (which is attached as a file to the e-mail message). For those users, the traditional recommendation of not opening unanticipated file attachments holds true.

Users of Internet Explorer 5.01 and 5.5 (but not 5.01 with SP2 deployed) should immediately apply the fix for the MIME header vulnerability. The patch can be downloaded from the Microsoft TechNet Web site.

MSBlaster II

Although a worm exploiting the most recent Microsoft Windows RPC DCOM vulnerabilities has not yet been detected in the wild, enterprises can take precautions now, according to a Gartner analyst.

“The steps many enterprises took for the recent MSBlaster attack - and the fact that the newly discovered 'exploit' does not specifically target consumer desktops - will limit the impact of the coming attack,” said John Pescatore, a Gartner analyst in a brief published Thursday. “However, unprepared enterprises will get hit just as hard as they were by MSBlaster.”

Pescatore urged enterprises to immediately:

-- Block UDP ports 135, 137, 138, and 445, as well as TCP ports 135, 139, 445, and 593.
-- Verify that Windows services using these ports are not exposed on extranets or DMZs.
-- Install centrally-managed personal firewalls on all laptop computers, and audit the configurations of these firewalls to guarantee that the vulnerable ports are not accepting connections. (Unprotected laptops brought within the firewall are a potential hazard, since as in MSBlaster, just one infected machine within the corporate network can infect the entire environment in a matter of minutes.)

After taking these protective steps, said Pescatore, enterprise IT managers should deploy the patch for the vulnerability to every desktop and server running Windows NT Workstation 4, NT Server 4, NT Terminal Server Edition, Windows 2000, Windows XP, and Windows Server 2003. More details about this vulnerability, and the patch, can be found on the Microsoft Web site.
__________________
2002 Almond Pearl Limited Edition PT Cruiser 27K It's nice to be important but it's more important to be nice. http://sci-fi.ptenthusiasts.net/
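
An added example, not part of the original post or the TechWeb article: one way to perform the audit step in the list above is to scan a host's `netstat -an` output for sockets that accept traffic on the listed ports from a non-loopback address. The sample output and the function names are constructed for illustration.

```python
import ipaddress

# Ports from the Gartner recommendation quoted in the post above.
BLOCKED = {"TCP": {135, 139, 445, 593}, "UDP": {135, 137, 138, 445}}

# Constructed sample in Windows `netstat -an` layout (not from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:593          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      10.0.0.5:445           ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    0.0.0.0:500            *:*
"""


def is_loopback(host):
    """True for 127.0.0.0/8 and ::1; unparsable addresses count as exposed."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_listeners(netstat_text):
    """Return (proto, address, port) for each socket that accepts traffic on a
    port from the block list and is bound to a non-loopback address."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in BLOCKED:
            continue  # header, blank line, or another protocol
        proto, local = fields[0], fields[1]
        # TCP rows have a state column; only LISTENING sockets accept connections.
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue
        host, _, port = local.rpartition(":")  # also splits "[::]:445"
        host = host.strip("[]")
        if port.isdigit() and int(port) in BLOCKED[proto] and not is_loopback(host):
            findings.append((proto, host, int(port)))
    return findings


if __name__ == "__main__":
    for proto, host, port in exposed_listeners(SAMPLE):
        print(f"{proto}/{port} reachable on {host}")
```

The outbound connection to a remote port 445 and the loopback-only listener on 593 are not reported, since neither accepts connections from other machines.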
I have received over 80 so far...
And boy do they look official! Glad I run Virus scan all the time!
__________________
PTCOC... Gone but not forgotten... "Remember that Today is the Tomorrow you worried about Yesterday !"
Quote:
Mailwasher allows you to look at the headers and indicates if the e-mail contains a virus, and you can delete it before opening your regular e-mail client to read your mail. SpywareBlaster and its companion program SpywareGuard are effective in preventing many unauthorized automated installs; you will get a message to either allow or deny the process, and there are currently over 815 known spyware/cookies/dialers that it prevents from getting into your computer. SpywareGuard is like an anti-virus program for spyware. I also use the CookieWall program to allow or delete automatically any cookies that are deposited in my computer. Can go to the Chatroom and follow the links or e-mail me for the programs that are no longer available on the net: http://groups.msn.com/PTEChatRoom/re...rsoftware.msnw
__________________
2002 Almond Pearl Limited Edition PT Cruiser 27K It's nice to be important but it's more important to be nice. http://sci-fi.ptenthusiasts.net/
Another good program for getting rid of spyware is Spybot: Search & Destroy. The best thing: IT'S FREE!
__________________
Lease-friendly stereo mods: Head Unit: Sony CDX-MP70 Front: JL Audio XR650-CSi Rear: JL Audio TR650-CXi Sub: JL Audio PT Cruiser Stealthbox Amp: JL Audio 500/5 Custom Removable Enclosure: JL Audio 10" W0 w/e1400D amp
Yeah, I've gotten this at least 30 times over the last couple of days. Norton zapped it every time.
Quote:
__________________
2002 Almond Pearl Limited Edition PT Cruiser 27K It's nice to be important but it's more important to be nice. http://sci-fi.ptenthusiasts.net/
Wow, is this Virus going nuts!
I have received almost 150 in the past two days! I have a screen saver of what it looks like below. It looks very official. So be sure your Virus Scanner is up to date! And always keep it running!
__________________
PTCOC... Gone but not forgotten... "Remember that Today is the Tomorrow you worried about Yesterday !"