Date: 19 September 2003
-----BEGIN PGP SIGNED MESSAGE-----
AusCERT Update AU-2003.015 - New email virus/worm "Swen" masquerades as
Microsoft Update
19 September 2003
Users and system administrators should be aware of a new mass-mailer worm
that purports to be the "September 2003, Cumulative Patch" for MS Internet
Explorer, MS Outlook and MS Outlook Express. The worm arrives as an
attachment with a .exe extension. In addition to email vectors, Swen will
attempt to spread through file-sharing networks and will attempt to disable
antivirus programs and personal firewall programs on an infected computer.
This particular executable may be detected by anti-virus systems as the
W32/Gibe-F virus. It may also arrive in an email message appearing to be
a qmail delivery failure notice.
Some email subject lines that Swen may use are:

    New Internet Security Update
    net security upgrade
    New Net Critical Update
    Mail: User unknown

When possible, upgrade all anti-virus software to use the latest definition
files as soon as they become available.
Ensure that all network file shares are disabled unless necessary and if
possible ensure that active shares are password protected.
AusCERT advises members to disseminate and take action on this information
to prevent any undesirable activity by this virus within their sites. Users
should again be reminded that unsolicited attachments should not be opened.
Regards,
The AusCERT Team
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBP2pZbCh9+71yA2DNAQHP6wQAgKKIVwjUV0dJOX6na5Cs7+7u+1E0BJPN
At9V6LqDGUIhD0CRZrarJi37HH9DnYiC7KiRM0HgW0Qk8bQlo4QjP03cOa6dpYhA
4wDxQlExlNV9UFdyirUgZiSS+Q2TDt405XA1pwHCsafcU7F8+mce7b0y5zR2Lnbo
aGKlQjfo5kQ=
=WYw5
-----END PGP SIGNATURE-----
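A mail-gateway triage check built from the indicators in this update (the .exe attachment and the quoted subject lines), as an added example that is not part of the AusCERT advisory. The function names, verdict labels and sample messages are constructed for illustration, and the subject list covers only the subjects quoted above.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines quoted in the advisory, lower-cased for comparison.
SWEN_SUBJECTS = {
    "new internet security update",
    "net security upgrade",
    "new net critical update",
    "mail: user unknown",
}
BLOCKED_EXTENSIONS = (".exe",)  # the advisory names .exe only


def executable_attachments(msg):
    """Filenames of MIME parts whose name ends in a blocked extension."""
    names = []
    for part in msg.walk():
        name = part.get_filename()  # from Content-Disposition or Content-Type
        if name and name.strip().lower().endswith(BLOCKED_EXTENSIONS):
            names.append(name)
    return names


def triage(raw_bytes):
    """Return (verdict, subject_matched, attachment_names) for one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    subject_matched = subject in SWEN_SUBJECTS
    attachments = executable_attachments(msg)
    if attachments:
        verdict = "quarantine"  # executable attachment, whatever the subject
    elif subject_matched:
        verdict = "review"      # known subject line but no executable attached
    else:
        verdict = "pass"
    return verdict, subject_matched, attachments


def build_sample(subject, filename=None):
    """Constructed test message; the attachment is placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.org", subject
    m.set_content("Please install the attached update.")
    if filename:
        m.add_attachment(b"placeholder, not an executable",
                         maintype="application", subtype="octet-stream",
                         filename=filename)
    return m.as_bytes()
```

Quarantining on the attachment alone follows the advisory's general guidance on unsolicited attachments; the subject match is reported separately so an analyst can tell a likely Swen message from any other executable attachment.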