Facebook Blogging

Edward Hugh has a lively and enjoyable Facebook community where he publishes frequent breaking news economics links and short updates. If you would like to receive these updates on a regular basis and join the debate please invite Edward as a friend by clicking the Facebook link at the top of the right sidebar.

Friday, September 19, 2003

Click on Cancel to Install

Now this is something. If I read this right Mr or Mrs average computer user gets a mail at home saying there is a security alert. The alert purports to come from microsoft, who, as they have just been reading, have been having problems. So they panic and open the mail, then, half-way through, they have their doubts, so when asked about installing the update, they click no, and the worm is still installed. The other details about the experts believing "that the family of worms is being used to create open relays for spamming" and that the worm is also preparing "systems for copies of itself to be shared via the Kazaa peer-to-peer network" are equally preocuppying. The virus is mutating in response to the bacteria. Scary.

A new mass-mailing worm has gained moderate traction this week by preying on users' heightened fears about Windows security. The Swen worm, also known as Gibe-F, sometimes travels as an attachment to an HTML e-mail purporting to be a patch alert from Microsoft. It can also arrive impersonating an e-mail delivery failure notice. If installed, the worm will try to shut off antivirus and other security software. It also tries to spread itself through network file shares and by e-mailing copies of itself. The worm, which does not contain a destructive payload, seems to be hitting Europe hardest. U.K.-based e-mail filtering outsourcer MessageLabs Inc. had intercepted 35,450 copies of it as of midmorning EDT today, meaning it has topped the company's threat list for the day so far. Helsinki, Finland-based antivirus vendor F-Secure Corp., meanwhile, elevated Swen to a level 1 threat, the company's highest threat designation. Swen has hit at an interesting time. Last week, Microsoft Corp. announced two new vulnerabilities in how RPC-DCOM is implemented in Windows. Either could be used to create a worm similar to Blaster, which struck in August.

Moreover, experts are watching for the emergence of another variant of the Sobig worm. Sobig-F spread widely last month, choking e-mail systems until its pre-programmed expiration date of Sept. 10. Experts believe that family of worms is being used to create open relays for spamming. Some experts are calling Swen a variant of the Gibe worm, but most consider it a new worm. Swen is likely written by that worm's author -- it has features similar to those of Gibe variants, according to F-Secure. The worm is more of a threat to home users and small offices because it travels as an executable file. Most enterprises strip executables at the gateway. Also, the bogus alert e-mail should set off warning lights to recipients because Microsoft does not send fixes via e-mail. Instead it refers people to its download page. If the worm is installed, a window pops up that reads "This will install Microsoft Security Update" and asks the user to click "yes" or "no." If "yes" is clicked, then a bogus installation dialog comes up. The worm will install if either button is clicked. Swen disables registry tools so users can't run the Regedit utility and import REG files data, alerts said. The worm also prepares systems for copies of itself to be shared via the Kazaa peer-to-peer network. When it copies itself, it uses such names as "XXX Pictures," "XboX Emulator" and "Download Accelerator." The worm also searches the hard drives of infected systems for e-mail addresses that it can send copies of itself to with its own SMTP engine. It looks for addresses in .html, .asp, .eml, .dbx, .wab and .mbx files. It also searches for e-mail addresses from newsgroups. Swen also tries to spread via IRC networks. The worm tries to send a copy of itself as "WinZip installer.zip" to every user joining a channel where an infected user is present. The author of the worm seems to want to keep tabs on his creation. When it first runs, the worm sends an HTTP Get request to a server that displays counter information.
Source: Search Security.com

No comments: