New Worm poses as patch from MS

manadren_it · Post by **manadren_it** » Sun Sep 21, 2003 10:04 am

Screenshots
Article Link

washingtonpost.com

Worm Comes Disguised As Windows Warning

By Brian Krebs
washingtonpost.com Staff Writer
Friday, September 19, 2003; 3:06 PM

Computers running Microsoft's Windows operating system are falling prey to a new Internet worm that disguises itself as an official virus warning from Microsoft Corp.

Spread via e-mail, the "Swen" worm appears to do little damage, but experts say the unknown author's painstaking attempt to make it look like a real security bulletin from Microsoft shows a level of trickery new to Internet virus and worm attacks.

"This is a level of creativity we've not seen before," said Tony Magallanez, a San Jose, Calif.-based systems engineer for F-Secure, a Finnish anti-virus company. "This is a very authentic looking message that definitely uses some sophisticated social engineering tactics."

The worm takes advantage of a flaw discovered almost two years ago in Microsoft's Internet Explorer Web browser that allows hackers to infiltrate people's computers. Users who have not downloaded and installed the patch against the flaw are infected immediately.

Even users who have downloaded the patch can be infected if they click on the attachment that comes with the e-mail. Once started, the virus launches a program that looks nearly identical to one that Microsoft uses to install Windows security updates.

The worm, disguised as the installation program, asks: "This will install Microsoft Security Update. Do you want to continue?" Users who click the "yes" button are greeted with a graphic that tracks the progress of the worm's installation. The worm infects the computer even if the user clicks "no."

Once installed, the worm tries to disable anti-virus and firewall software programs like Norton Anti-virus and Zone Alarm firewall.

That activity makes it difficult to rid infected machines of the worm, said Vincent Weafer, senior director at Cupertino, Calif.-based Symantec Security Response.

Symantec has released free software that deletes the worm and restores the anti-virus settings on infected PCs. The tool works for all Microsoft users, whether or not they are current Norton anti-virus customers.

Experts say the worm does not appear to attempt any malicious activity such as deleting files or installing Trojan horses, programs that allow hackers to gain access to an infected computer remotely.

Computers infected with the Swen virus sometimes launch a second dialogue box that says the computer's e-mail program is having trouble sending messages and needs updated information such as a valid e-mail address, username and password. Security experts have not determined whether the worm attempts to send the information to the worm's author.

The worm appears to try to keep track of the number of computers it has infected. Users whose computers are infected sometimes see a colorful popup graphic displaying a six-digit number, but anti-virus experts say the number of infected machines probably is exaggerated.

The worm is spreading at a rate nearly 800 machines per hour, according to Symantec.

Computers infected with the virus will attempt to spread the bug to e-mail addresses found on the victim's hard drive. On infected computers that have the popular file-sharing service Kazaa installed, the worm copies itself into the victim's folder used for sharing digital files with other computer users. It gives itself one of several dozen names, including "naked sister," "key generator" and "sick joke."

Microsoft officials did not return telephone calls seeking comment. The company has repeatedly cautioned users that it never sends out security patches through e-mail.

Swen arrives on the heels of the "Blaster" worm, which in August attacked computers running several versions of the Windows operating system. Blaster, along with several variations of the worm, infected more than a half-million computers worldwide, crashing thousands of PCs.

Microsoft on Sept. 10 said that it had found two new security flaws in the operating system that could lead to the resurgence of another Blaster-like worm. Patches for the flaws are available through an advisory on its Web site.

© 2003 TechNews.com

Archived topic from Iceteks, old topic ID:1347, old post ID:11747

Red Squirrel · Post by **Red Squirrel** » Sun Sep 21, 2003 12:25 pm

I keep getting these emails! Forgot to tell my parants not to open them... It's probably too late!

Archived topic from Iceteks, old topic ID:1347, old post ID:11749

Wren · Post by **Wren** » Sun Sep 21, 2003 12:30 pm

Yep, I got that email two days ago. I'm not sure you have to open the attachment to get the virus. Panda picked up a virus and gave me the name and location after disinfection.

Strange thing was, at the same time I got a returned email that I hadn't sent. Didn't think too much about that since it's happened before. Yesterday I ran a virus scan and I had the Exploit/iFrame virus on here that came from that returned email. Still can't figure out why Panda didn't catch that one since it's been around a while!

Archived topic from Iceteks, old topic ID:1347, old post ID:11750

Chris Vogel · Post by **Chris Vogel** » Sun Sep 21, 2003 12:51 pm

Thanks. I'll have to alert my mother about this.

Archived topic from Iceteks, old topic ID:1347, old post ID:11751

Wren · Post by **Wren** » Sun Sep 21, 2003 3:19 pm

Gibe.C is a worm that spreads via e-mail, through the peer-to-peer (P2P) file sharing program KaZaA, across shared network drives and via IRC.

When Gibe.C spreads via e-mail, it reaches the computer in a message with HTML format that perfectly imitates the style of Microsoft web pages, in order to trick the user into thinking that the attached file is a security patch.

In addition, Gibe.C attempts to exploit the iFrame and Incorrect MIME Header vulnerabilities. The attached file is automatically activated when the message is viewed through Outlook’s Preview Pane.

Gibe.C ends processes belonging to several antivirus programs, firewalls and system monitoring tools. This leaves the affected computer vulnerable to the attack of other viruses and worms.

Gibe.C disables the Windows Registry Editor. In addition, Gibe.C displays a message that attempts to trick the user into giving confidential information, as e-mail address, mail account password, name of the mail server, etc.

This is from Panda's virus information page. It explains how I got the Exploit/iFrame virus. Looks like you get two for one with Gibe.C

Archived topic from Iceteks, old topic ID:1347, old post ID:11757

Chris Vogel · Post by **Chris Vogel** » Sun Sep 21, 2003 3:25 pm

ACH! That looks nasty!

I have heard of a lot of people getting stuff because of that preview window...

Archived topic from Iceteks, old topic ID:1347, old post ID:11759

Red Squirrel · Post by **Red Squirrel** » Sun Sep 21, 2003 4:08 pm

That's scarry how it can open itself like that. I wonder if I'm safe if I use mozilla mail. I opened a few ones up, I like checking these things out, such as the message IP and all that. I of course, don't open the attachment though.

Archived topic from Iceteks, old topic ID:1347, old post ID:11762

Chris Vogel · Post by **Chris Vogel** » Sun Sep 21, 2003 4:16 pm

Red Squirrel wrote: That's scarry how it can open itself like that. I wonder if I'm safe if I use mozilla mail. I opened a few ones up, I like checking these things out, such as the message IP and all that. I of course, don't open the attachment though.

I'm pretty sure you're safe with Mozilla Mail unless you open up a bad attachment (of course)... Mozilla.org claims that nothing can execute on its own in Mozilla Mail, and I believe them because I haven't heard any complaints stating otherwise.

Archived topic from Iceteks, old topic ID:1347, old post ID:11766

Wren · Post by **Wren** » Sun Sep 21, 2003 5:26 pm

The reason I got the Exploit/iFrame from the returned email was when I tried to bounce it from Mail Washer, it would not bounce, so the program opened OE. I never had a clue these two virus files were related, that's why they both hit at the same time.

Archived topic from Iceteks, old topic ID:1347, old post ID:11773

Red Squirrel · Post by **Red Squirrel** » Sun Sep 21, 2003 5:38 pm

So did you get hit with it? do you know if it executed?

Archived topic from Iceteks, old topic ID:1347, old post ID:11775

Wren · Post by **Wren** » Sun Sep 21, 2003 7:27 pm

Panda picked up the Exploit/iFrame after I did a scan the next day. It was in the returned email. Not sure about the execution but it didn't do anything that I can tell. The info page at Panda said it would disable the AV and firewall but they seem to be ok. The only thing I noticed is Panda did not update today, but that happens occasionally. Their website didn't have any new updates today so I guess it's ok.

Man, that firewall stays busy though!

Archived topic from Iceteks, old topic ID:1347, old post ID:11777

manadren_it · Post by **manadren_it** » Sun Sep 21, 2003 8:25 pm

The important thing to remember about this one is that if you try to install the "patch" the virus will infect your computer regardless of antiviirus software - it actaully disables your antivirus before it installs itself. Get the word out that microsoft NEVER delivers patches via email.

Luckily this one doesn't seem to do anything harmful aside from trying to spread itself - so far anyway...

Archived topic from Iceteks, old topic ID:1347, old post ID:11782

rovingcowboy · Post by **rovingcowboy** » Mon Sep 22, 2003 11:48 pm

well i opened the letter to see what ms wanted.

but when i read the line " This is the patch to end all patches "

that was a give away cause ms is not ever going to do that.

so i closed the message and forwarded it to support at ms.

Archived topic from Iceteks, old topic ID:1347, old post ID:11821