New Worm poses as patch from MS
Posted: Sun Sep 21, 2003 10:04 am
Article Link
washingtonpost.com
Worm Comes Disguised As Windows Warning
By Brian Krebs
washingtonpost.com Staff Writer
Friday, September 19, 2003; 3:06 PM
Computers running Microsoft's Windows operating system are falling prey to a new Internet worm that disguises itself as an official virus warning from Microsoft Corp.
Spread via e-mail, the "Swen" worm appears to do little damage, but experts say the unknown author's painstaking attempt to make it look like a real security bulletin from Microsoft shows a level of trickery new to Internet virus and worm attacks.
"This is a level of creativity we've not seen before," said Tony Magallanez, a San Jose, Calif.-based systems engineer for F-Secure, a Finnish anti-virus company. "This is a very authentic looking message that definitely uses some sophisticated social engineering tactics."
The worm takes advantage of a flaw discovered almost two years ago in Microsoft's Internet Explorer Web browser that allows hackers to infiltrate people's computers. Users who have not downloaded and installed the patch against the flaw are infected immediately.
Even users who have downloaded the patch can be infected if they click on the attachment that comes with the e-mail. Once started, the virus launches a program that looks nearly identical to one that Microsoft uses to install Windows security updates.
The worm, disguised as the installation program, asks: "This will install Microsoft Security Update. Do you want to continue?" Users who click the "yes" button are greeted with a graphic that tracks the progress of the worm's installation. The worm infects the computer even if the user clicks "no."
Once installed, the worm tries to disable anti-virus and firewall software programs like Norton Anti-virus and Zone Alarm firewall.
That activity makes it difficult to rid infected machines of the worm, said Vincent Weafer, senior director at Cupertino, Calif.-based Symantec Security Response.
Symantec has released free software that deletes the worm and restores the anti-virus settings on infected PCs. The tool works for all Microsoft users, whether or not they are current Norton anti-virus customers.
Experts say the worm does not appear to attempt any malicious activity such as deleting files or installing Trojan horses, programs that allow hackers to gain access to an infected computer remotely.
Computers infected with the Swen virus sometimes launch a second dialogue box that says the computer's e-mail program is having trouble sending messages and needs updated information such as a valid e-mail address, username and password. Security experts have not determined whether the worm attempts to send the information to the worm's author.
The worm appears to try to keep track of the number of computers it has infected. Users whose computers are infected sometimes see a colorful popup graphic displaying a six-digit number, but anti-virus experts say the number of infected machines probably is exaggerated.
The worm is spreading at a rate of nearly 800 machines per hour, according to Symantec.
Computers infected with the virus will attempt to spread the bug to e-mail addresses found on the victim's hard drive. On infected computers that have the popular file-sharing service Kazaa installed, the worm copies itself into the victim's folder used for sharing digital files with other computer users. It gives itself one of several dozen names, including "naked sister," "key generator" and "sick joke."
Microsoft officials did not return telephone calls seeking comment. The company has repeatedly cautioned users that it never sends out security patches through e-mail.
Swen arrives on the heels of the "Blaster" worm, which in August attacked computers running several versions of the Windows operating system. Blaster, along with several variations of the worm, infected more than a half-million computers worldwide, crashing thousands of PCs.
Microsoft on Sept. 10 said that it had found two new security flaws in the operating system that could lead to the resurgence of another Blaster-like worm. Patches for the flaws are available through an advisory on its Web site.
© 2003 TechNews.com
Archived topic from Iceteks, old topic ID:1347, old post ID:11747