I have received this warning from several anti-virus lists I'm on - and have heard from people who have already had it come in to them too many times to count!! One gal has her own server, and she said 1st thing this morning it just kept coming - But she has great software and security so she's ok - but there will be a lot of people out there who will believe that Microsoft sent them a patch! Especially with all the talk about having to update Windows. I'm hoping it gets stopped in its tracks!!

CrisS

----- Original Message -----
From: The Keyboard Cowboy
To: !Keyboard Cowboy Group Send
Sent: Friday, September 19, 2003 5:58 PM
Subject: -=PCTechTalk=- Virus Poses as Microsoft Security Patch

Virus Poses as Microsoft Security Patch
By Ryan Naraine

A new mass-mailing virus masquerading as a security patch from Microsoft is on the loose and anti-virus experts say it has the ability to steal account information and e-mail server details from infected systems.

The W32.Swen.A@mm or W32.Gibe.B@mm (Swen/Gibe) virus couldn't have come at a worse time for Microsoft and computer users in general -- now that software patches to fix buggy code have slowly crept into the public lexicon.

After the SoBig and MSBlaster in August made national headlines, security experts now fear the heightened attention will now cause many victims to blindly fall prey to the new masquerade.

The new virus, which originated in Europe, has started infecting e-mail inboxes in the U.S., arriving with a .EXE attachment with the subject line "Microsoft Internet Update Pack", "Microsoft Critical Patch" or "Newest Security Update".

According to Symantec Security Response, the worm uses its own SMTP engine to spread itself and attempts to kill anti-virus and personal firewall programs running on a computer. Swen/Gibe is also capable of exploiting a known Internet Explorer vulnerability to spread via peer-to-peer networks like Kazaa and IRC.

Ken Dunham, Malicious Code Intelligence Manager for Virginia-based iDefense, warned that the Swen/Gibe worm "is quickly gaining ground in Europe and has the potential to become very widespread in a short period of time."

Dunham said Swen/Gibe preys on the good nature of individuals who want to ensure computers are patched in the wake of a rise in security vulnerability warnings. He described the virus as "highly virulent" with the ability to auto-start in a variety of ways on an infected computer.

The virus, which was written in C++, auto-executes the e-mail attachment on vulnerable computers by exploiting a known Microsoft vulnerability (MS01-020) and is capable of swiping an infected user's name, password and e-mail server details, Dunham warned.

To curb the spread of Swen/Gibe, Dunham suggested that .EXE files be blocked at the gateway. In addition, he recommended users avoid the use of instant messaging (IM) and P2P software. More importantly, users should install the MS01-020 patch (download here) to protect against an incorrect MIME header that can cause Internet Explorer to execute harmful e-mail attachments.

According to iDefense's Dunham, Home, SOHO, and Asian based computers are at the greatest risk for this type of attack since they are the sectors that traditionally update against such patches at a much lower rate as compared to that of the corporate world in the U.S.

He suggested enterprise IT admins educate users about the dangers of believing unsolicited e-mails sent to them from well-known companies such as Microsoft. "Warn them about not executing any attachments claiming to be a patch, update, or virus fix," he added.

"The P2P filenames are also designed to appear as a fix tool for various viruses that are household names, such as SoBig and BugBear. This type of social engineering has proven to be highly effective in former e-mail based worms," he added.

Anti-virus vendors, including McAfee.com, Sophos, Symantec, Trend Micro and F-Secure have all updated IDE files to thwart the spread of the worm.

Regards from the "Keyboard Cowboy",
Cincinnati, Ohio
Scottsdale, Arizona
---------------------------------
Friday, 9/19/2003, @ 5:50:44 PM EST
---------------------------------
If you can't see the light at the end of the tunnel. March down there and turn it on yourself.

To unsub or change your email settings: //www.freelists.org/webpage/pctechtalk
To access our Archives: http://groups.yahoo.com/group/PCTechTalk/messages/ //www.freelists.org/archives/pctechtalk/
For more info: //www.freelists.org/cgi-bin/list?list_id=pctechtalk
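
The gateway-side check suggested in the article above (blocking .EXE attachments and distrusting mail that claims to be a Microsoft patch), sketched as an added example that is not part of the original message or article. The extension list beyond .EXE, the finding labels, and the rule that an executable filename under a non-application Content-Type counts as an incorrect MIME header are assumptions of this example; the sample message is constructed.

```python
import email
from email import policy

# Subject lines quoted in the article (lower-cased for comparison).
LURE_SUBJECTS = ("microsoft internet update pack", "microsoft critical patch",
                 "newest security update")
# Assumed block list: the article names only .EXE; the rest are common additions.
BLOCKED_EXT = (".exe", ".scr", ".pif", ".com", ".bat")

def inspect_message(raw):
    """Return a list of findings for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").lower()
    if any(lure in subject for lure in LURE_SUBJECTS):
        findings.append("lure-subject")
    for part in msg.walk():  # walk() also visits nested multipart containers
        # get_filename() checks Content-Disposition, then Content-Type "name"
        name = (part.get_filename() or "").strip().lower()
        if not name.endswith(BLOCKED_EXT):
            continue
        findings.append("executable-attachment:" + name)
        # Assumption: an executable filename under a non-application type is
        # treated as an incorrect MIME header and flagged separately.
        if part.get_content_maintype() != "application":
            findings.append("mime-mismatch:" + part.get_content_type())
    return findings

# Constructed sample message, not a captured one; the body is placeholder data.
SAMPLE = (
    b"From: sender@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: Microsoft Critical Patch\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Please install the attached update.\r\n"
    b"--b1\r\n"
    b'Content-Type: image/gif; name="patch.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"AAAA\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(inspect_message(SAMPLE))
```

A gateway would quarantine any message that returns an executable-attachment finding; the other two findings add context for the analyst reviewing the quarantine.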