News

Swen Mass-Mailing Worm Carries Fake Microsoft Patch

Even as the industry awaited the breakout of a new Blaster-style worm and the G version of Sobig, a variation on another familiar piece of malware began making the rounds on Thursday. A virus based on the well-worn social engineering trick of making an e-mail look like it comes from Microsoft's support team started hitting user mailboxes.

Like previous viruses and worms based on the ruse, the e-mail arrives with an executable attachment that the virus authors try to pass off as a patch. This time, however, virus authors have gone to the trouble of designing a convincing HTML e-mail that resembles a Microsoft Web page. The HTML e-mail contains legitimate links to different Microsoft pages in addition to the nasty attachment.

Anti-virus vendors call the virus Swen (F-Secure), W32.Swen.A@mm (Symantec) or W32/Gibe-F (Sophos). Swen bears similarities to the Gibe.B worm discovered in February. Symantec upgraded its threat assessment for W32.Swen.A@mm to Level 3 on its severity scale Thursday evening due to an increasing volume of submissions.

The worm can arrive under a number of different subject lines and the From address varies. Once a system is infected, Swen attempts to send itself to e-mail addresses, and also attempts to spread through file sharing networks such as KaZaa and IRC. It also attempts to kill anti-virus and personal firewall systems running on a computer.

In response to similar worms in the past, Microsoft has said that it never sends security patches via e-mail.

The new virus comes at a time when IT organizations are on highest alert for new worms. Security experts expect a worm to be released any day that will exploit the critical Windows security hole Microsoft patched earlier this month with MS03-039. Also, the highly damaging Sobig.F worm expired on Sept. 10, and a Sobig.G variant is expected to hit any day.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Industrial Control System Honeypot Illustrates Bad Security Practices

    Security solutions provider Trend Micro has published results (PDF) from running an industrial control system (ICS) "honeypot."

  • Ransomware: What It Means for Your Database Servers

    Ransomware affects databases in very specific ways. Joey describes the mechanics of a SQL Server ransomware attack, what DBAs can do to protect their systems, and what security measures they should be advocating for.

  • Windows Admin Center vs. Hyper-V Manager: What's Better for Managing VMs?

    Microsoft's preferred interface for Windows Server is Windows Admin Center, but can it really replace Hyper-V Manager for managing virtual machines? Brien compares the two management tools.

  • Microsoft Offers More Help on Windows Server 2008 Upgrades

    Microsoft this week published additional help resources for organizations stuck on Windows Server 2008, which fell out of support on Jan. 14.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.