IMPORTANT! Another virus alert! Windows Update Bogus Email

 
 
Reply Fri 19 Sep, 2003 01:49 am
New Worm Masquerades As Security Update Sept. 18, 2003


Quote:

The worm poses as an E-mail from Microsoft and contains a bogus security update as an attachment.

By Gregg Keizer, TechWeb News



A new worm that tries to take advantage of Windows users anxious to get their hands on security updates began making the rounds on Thursday, several antivirus firms confirmed.
The worm, which goes by a variety of names, including Swen, W32/Swen@MM, Gibe, and W32/Gibe-F, can pose as an E-mail from Microsoft bearing a bogus security update as a file attachment.

It spreads in several ways, including the traditional mass-mailing method of stealing addresses from Outlook address books on compromised machines, but also propagates over Internet Relay Chat and peer-to-peer networks such as Kazaa. Successful infections attempt to steal account information, including usernames and passwords.

The worm also exploits a 2-year-old vulnerability in Windows--for which a fix is available from Microsoft--that allows it to auto-execute on unpatched PCs. In those situations, the receiving system is infected even if its user doesn't open the attached file.

Most anti-virus vendors have tagged Swen as a relatively low risk. Symantec rates it as only a 2 on its 1-through-5 scale, while both Trend Micro and Network Associates list it as "low," although Network Associates ranks it as a "medium" threat to home users.

"Swen preys upon the good nature of individuals who want to patch their computer in the wake of new vulnerability and virus announcements," said Ken Dunham, the malicious code intelligence manager at security firm iDefense.

Antivirus software suppliers have already posted updates to their products' definition files to detect Swen.
Type: Discussion • Score: 1 • Views: 945 • Replies: 3

 
Butrflynet
 
  1  
Reply Fri 19 Sep, 2003 01:51 am
It can't be said enough...

Companies do not send e-mails asking for information or distributing software or updates/patches.

Companies do not send e-mails telling you to go to their website, with a link in the e-mail, to update your personal information.

Companies do not IM individuals asking for credit card info or bank account info.

If you get an e-mail from a company asking for your credit card/bank account info, ignore it, or forward it to the company's abuse e-mail address; typically abuse@[company website]. Ex: [email protected]

If you get an e-mail from a company asking you to go to "their" website and the e-mail has a link to that site, it's most likely the link will take you to a site that looks just like the company's website; however, if you look very closely at the address in the link, you will see it's not quite the correct address for that company's website.

Remember, e-mail From: and To: information can be spoofed, so it may in fact say that it came from [email protected], however, it's likely it didn't.
0 Replies
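
The checks described in the post above (an unexpected program attachment, and a link whose address is "not quite" the company's), as an added example that is not part of the original post or of any vendor's tooling. The sample message, the `example.com` and `.test` names, the extension list and the function names are all constructed assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real worm message); all names are placeholders.
SAMPLE = """\
From: "Security Update" <security@example.com>
To: user@example.net
Subject: Latest security patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Install the attached patch or visit http://www.example.com.update-center.test/patch
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

RISKY_EXT = (".exe", ".scr", ".pif", ".bat", ".com", ".cmd")  # assumed list

def host_belongs_to(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    # From: is only a claim (it can be spoofed); it tells us which company is asserted.
    claimed = msg["From"].addresses[0].domain.lower()
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            findings.append(f"executable attachment: {name}")
        if part.get_content_type() == "text/plain":
            for url in re.findall(r"https?://[^\s\"'<>]+", part.get_content()):
                host = urlparse(url).hostname or ""
                if not host_belongs_to(host, claimed):
                    findings.append(f"link host {host} is not under {claimed}")
    return findings
```

The link in the sample starts with the company's name but its registered domain is the part at the end of the host, which is why a suffix comparison is used rather than a substring search.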
 
Butrflynet
 
  1  
Reply Fri 19 Sep, 2003 01:59 am
From McAfee:

Quote:
W32/Swen@MM

W32/Swen@MM, I-Worm.Swen (AVP), W32/Gibe.e@MM, Win32.HLLM.Gibe.2 (DialogueScience) is a Medium Risk mass-mailing worm for home users. Sometimes posing as a Microsoft Security Update, this worm is intended to spread via the following methods:
  • Mailing itself to recipients extracted from the victim's machine
  • Copying itself over network shares (mapped drives)
  • Sharing itself over the KaZaa P2P network
  • Sending itself via IRC
The worm terminates processes relevant to various security and anti-virus products. Additionally, the worm contains its own SMTP engine to create outgoing messages to harvested email addresses from the victim's machine.
Various outgoing messages are created, with multiple subject lines and attachment names. Some make use of an Internet Explorer vulnerability to ensure the worm attachment is run upon viewing the email. See Microsoft Security Bulletin (MS01-020). Messages created to take advantage of this vulnerability will be detected as Exploit-MIME.gen.exe with the 4215 DATs or greater (and earlier as Exploit-MIME.gen).

When the worm is run on the victim's machine, a series of fraudulent message boxes are displayed. The worm installs itself (using a random filename) into %WinDir%, for example: C:\WINDOWS\ZNFUL.EXE.

W32/Swen@MM modifies various registry keys and disables the execution of REGEDIT.EXE on the victim's machine. Additionally, the worm terminates various processes on the victim's machine.


What are the common subject lines, attachment names and message content associated with W32/Swen@MM emails?

Subject:
Returned Response
From:
Email Delivery Service ([email protected])

Body:
Undeliverable mail to (email address)


How do you know if you've been infected?

  • Display of a series of dialog boxes
  • Unexpected termination of various security and anti-virus products
  • Inability to run RegEdit on the victim's machine



http://us.mcafee.com/virusInfo/default.asp?id=helpCenter&hcName=swen
0 Replies
 
Tomkitten
 
  1  
Reply Fri 19 Sep, 2003 12:40 pm
Important! Another Virus Alert
You are so right that this warning cannot be repeated too often. Unfortunately, it's easy to be careless - these things look so very convincing!
0 Replies
 
 
