-=PCTechTalk=- Re: Virus Poses as Microsoft Security Patch

  • From: "cris" <cris@xxxxxxxxxxxxxxxx>
  • To: <pctechtalk@xxxxxxxxxxxxx>
  • Date: Fri, 19 Sep 2003 20:00:12 -0400

I have received this warning from several anti-virus lists I'm on - and have
heard from people who have already had it come in to them too many times to
count!! One gal has her own server, and she said 1st thing this morning it just
kept coming - But she has great software and security so she's ok - but there
will be a lot of people out there who will believe that Microsoft sent them a
patch! Especially with all the talk about having to update windows.
I'm hoping it gets stopped in its tracks!!
CrisS

----- Original Message ----- 
From: The Keyboard Cowboy
To: !Keyboard Cowboy Group Send
Sent: Friday, September 19, 2003 5:58 PM
Subject: -=PCTechTalk=- Virus Poses as Microsoft Security Patch


Virus Poses as Microsoft Security Patch
By Ryan Naraine
A new mass-mailing virus masquerading as a security patch from
Microsoft is on the loose and anti-virus experts say it
has the ability to steal account information and e-mail server details
from infected systems.

The W32.Swen.A@mm or W32.Gibe.B@mm (Swen/Gibe) virus couldn't have
come at a worse time for Microsoft and computer users in general -- 
now that software patches to fix buggy code have slowly crept into the
public lexicon. After the SoBig and MSBlaster in August made national
headlines, security experts now fear the heightened attention will now
cause many victims to blindly fall prey to the new masquerade.

The new virus, which originated in Europe, has started infecting e-mail
inboxes in the U.S., arriving with a .EXE attachment with the subject
line "Microsoft Internet Update Pack", "Microsoft Critical Patch" or
"Newest Security Update".

According to Symantec Security Response, the worm uses its own SMTP
engine to spread itself and attempts to kill anti-virus and personal
firewall programs running on a computer. Swen/Gibe is also capable of
exploiting a known Internet Explorer vulnerability to spread via
peer-to-peer networks like Kazaa and IRC.

Ken Dunham, Malicious Code Intelligence Manager for Virginia-based
iDefense, warned that the Swen/Gibe worm "is quickly gaining ground in
Europe and has the potential to become very widespread in a short
period of time."

Dunham said Swen/Gibe preys on the good nature of individuals who want
to ensure computers are patched in the wake of a rise in security
vulnerability warnings. He described the virus as "highly virulent"
with the ability to auto-start in a variety of ways on an infected
computer.

The virus, which was written in C++, auto-executes the e-mail
attachment on vulnerable computers by exploiting a known Microsoft
vulnerability (MS01-020) and is capable of swiping an infected user's
name, password and e-mail server details, Dunham warned.

To curb the spread of Swen/Gibe, Dunham suggested that .EXE files be
blocked at the gateway. In addition, he recommended users avoid the
use of instant messaging (IM) and P2P software.

More importantly, users should install the MS01-020 patch (download
here) to protect against an incorrect MIME header that can cause
Internet Explorer to execute harmful e-mail attachments.

According to iDefense's Dunham, home, SOHO, and Asian-based computers
are at the greatest risk for this type of attack since they are the
sectors that traditionally update against such patches at a much lower
rate as compared to that of the corporate world in the U.S.

He suggested enterprise IT admins educate users about the dangers of
believing unsolicited e-mails sent to them from well-known companies
such as Microsoft. "Warn them about not executing any attachments
claiming to be a patch, update, or virus fix," he added.

"The P2P filenames are also designed to appear as a fix tool for
various viruses that are household names, such as SoBig and BugBear.
This type of social engineering has proven to be highly effective in
former e-mail based worms," he added.

Anti-virus vendors, including McAfee.com, Sophos, Symantec, Trend
Micro and F-Secure have all updated IDE files to thwart the spread of
the worm.

  Regards from the
"Keyboard Cowboy",
   Cincinnati, Ohio
Scottsdale, Arizona
---------------------------------
Friday, 9/19/2003, @ 5:50:44 PM EST
---------------------------------

If you can't see the light at the end of the tunnel. March down there
and turn it on yourself.


To unsub or change your email settings:
//www.freelists.org/webpage/pctechtalk

To access our Archives:
http://groups.yahoo.com/group/PCTechTalk/messages/
//www.freelists.org/archives/pctechtalk/

For more info:
//www.freelists.org/cgi-bin/list?list_id=pctechtalk
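
An added example, not part of the original post or the quoted article: a minimal gateway-side check in Python for the mitigations the article describes (blocking .EXE attachments and not trusting the declared MIME header). The function names, the "MZ" magic-byte test and the sample messages are assumptions constructed for illustration.

```python
import email
from email.message import EmailMessage

# Subject lines quoted in the article above.
LURE_SUBJECTS = {
    "microsoft internet update pack",
    "microsoft critical patch",
    "newest security update",
}

def inspect_message(raw: bytes) -> list:
    """Return the reasons a gateway would quarantine this message (empty = pass)."""
    msg = email.message_from_bytes(raw)
    reasons = []
    if str(msg.get("Subject") or "").strip().lower() in LURE_SUBJECTS:
        reasons.append("subject matches a known lure")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".exe"):
            reasons.append(f"attachment {name!r} has an .exe extension")
        # Windows executables begin with "MZ". Checking the decoded bytes
        # catches renamed files and parts whose Content-Type header lies.
        if payload[:2] == b"MZ" and (name or part.get_content_maintype() != "text"):
            reasons.append(f"executable content in part declared as {declared}")
    return reasons

def build_sample(subject, filename, data, maintype, subtype) -> bytes:
    """Constructed test message; addresses and content are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Please install the attached update.")
    m.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # constructed stub, not a real binary
    for sample in (
        build_sample("Microsoft Critical Patch", "patch.exe", fake_pe, "application", "octet-stream"),
        build_sample("Holiday photos", "photo.jpg", fake_pe, "image", "jpeg"),
        build_sample("Meeting minutes", "minutes.pdf", b"%PDF-1.4\n", "application", "pdf"),
    ):
        print(inspect_message(sample) or "pass")
```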
