RealTime IT News

Virus Poses as Microsoft Security Patch

A new mass-mailing virus masquerading as a security patch from Microsoft is on the loose and anti-virus experts say it has the ability to steal account information and e-mail server details from infected systems.

The W32.Swen.A@mm or W32.Gibe.B@mm (Swen/Gibe) virus couldn't have come at a worst time for Microsoft and computer users in general -- now that software patches to fix buggy code has slowly crept into the public lexicon. After the SoBig and MSBlaster in August made national headlines, security experts now fear the heightened attention will now cause many victims to blindly fall prey to the new masquerade.

The new virus, which originated in Europe, has started infected e-mail inboxes in the U.S., arriving with a .EXE attachment with the subject line "Microsoft Internet Update Pack", "Microsoft Critical Patch" or "Newest Security Update".

According to Symantec Security Response, the worm uses its own SMTP engine to spread itself and attempts to kill anti-virus and personal firewall programs running on a computer. Swen/Gibe is also capable of exploiting a known Internet Explorer vulnerability to spread via peer-to-peer networks like Kazaa and IRC.

Ken Dunham, Malicious Code Intelligence Manager for Virginia-based iDefense, warned that the Swen/Gibe worm "is quickly gaining ground in Europe and has the potential to become very widespread in a short period of time."

Dunham said Swen/Gibe preys on the good nature of individuals who want to ensure computers are patched in the wake of a rise in security vulnerability warnings. He described the virus as "highly virulent" with the ability to auto-start in a variety of ways on an infected computer.

The virus, which was written in C++, auto-executes the e-mail attachment on vulnerable computers by exploiting a known Microsoft vulnerability (MS01-020) and is capable of swiping an infected user's name, password and e-mail server details, Dunham warned.

To curb the spread of Swen/Gibe, Dunham suggested that .EXE files be blocked at the gateway. In addition, he recommended users avoid the use of instant messaging (IM) and P2P software.

More importantly, users should install the MS01-020 patch (download here) to protect against an incorrect MIME header that can cause Internet Explorer to execute harmful e-mail attachments.

According to iDefense's Dunham, Home, SOHO, and Asian based computers are at the greatest risk for this type of attack since they are the sectors that traditionally update against such patches at a much lower rate as compared to that of the corporate world in the U.S.

He suggested enterprise IT admins educate users about the dangers of believing unsolicited e-mails sent to them from well-known companies such as Microsoft. "Warn them about not executing any attachments claiming to be a patch, update, or virus fix," he added.

"The P2P filenames are also designed to appear as a fix tool for various viruses that are household names, such as SoBig and BugBear. This type of social engineering has proven to be highly effective in former e-mail based worms," he added.

Anti-virus vendors, including McAfee.com, Sophos, Symantec, Trend Micro and F-Secure have all updated IDE files to thwart the spread of the worm.