September 18th, 2003, 10:28 PM
New virus preys on old IE flaw
A new e-mail worm has started to spread quickly, taking advantage of an Internet Explorer vulnerability that was first disclosed two years ago.
The bug, which has been alternately dubbed Swen and Gibe.F, appears to exploit a flaw that Microsoft first disclosed in a March 2001 security bulletin.
Ken Dunham, manager of malicious code intelligence for Reston, Va.-based iDefense, said that Swen preys upon people's best intentions, appearing as an e-mail that purports to be a security update from Microsoft.
The worm is programmed to send an official-looking e-mail that says it contains a "cumulative patch" for several Internet Explorer, Outlook and Outlook Express vulnerabilities.
A Microsoft representative noted that the software maker does not send out patches as e-mail attachments.
In addition to spreading via e-mail, experts said, Swen can be transmitted over services such as Internet relay chat (IRC) and through peer-to-peer networks. The virus turns on file sharing--if it is not already turned on--and creates a shared directory with multiple copies of itself under various file names, said Kevin Haley, a group product manager at Symantec Security Response. Among the files Swen tries to disguise itself as are virus removal tools.
More at (http://zdnet.com.com/2100-1104_2-507...ag=zdnnfd.main)
September 18th, 2003, 11:03 PM
Yeah, here is the URL for the Symantec analysis of this particular nasty.
Based on the length and complexity of this mass mailer, it is quite a compilation of a number of different vectors and methods.
If it actually tries the exploit described from 2001, and a system gets caught this way, shame on the owner. Probably, its most effective transport methods are the KaZaa or IRC vectors. The fact that it carries a payload that attempts to kill the anti-virus or firewall processes makes it a significant threat.
I've already distributed the updates for this in my org.
September 18th, 2003, 11:24 PM
Thanks Guys..... My content scanner killed 4 emails in 50 minutes late this pm that were going to try to connect via IRC so I sent out an email to all users recommending caution with any attachments until I could work out what it was...... To date, they were good - you came up with the issue and the AV scanners are now updated too in case it "mutates"....
Your diligence is appreciated.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides