Trying to capitalize on the latest mega-patch
released last week by Microsoft, a strain of the SWEN/Gibe virus is once
again posing as a Microsoft security patch in an effort to trick users into
running a so-called Trojan Horse that opens up computers to remote attacks.
But what makes this deceptive e-mail more dangerous this time is that it
poses as one of the actual Microsoft patches released last week, security
patch No. MS03-047.
“So, this Trojan is just jumping on the bandwagon of trying to get code
distributed via social engineering,” explained Ken Durham, Malicious Code
Intelligence Manager for Virginia-based iDefense.
“The Swen worm shows how effective this type of socially engineered
attack can be, continuing to spread to thousands of computers still today.”
Durham told internetnews.com that while Swen (formerly known as
W32.Swen.A@mm or W32.Gibe.B@mm) was slow-moving at first, it has
proliferated nearly 3 million times since late September, with small and
home offices as well as the Far East region proving to be most vulnerable.
Part of the problem is that Swen arrives in the inbox as a .ZIP file that
needs to be executed and many companies still allow .ZIP files through the

Durham said this new Trojan is actually a variant of the SDBot Trojan
horse family that provides the attacker with
complete backdoor access to a compromised computer. MessageLabs has given an
initial name to this new threat, Troj/Sdbot.R, aka SDBot.R.
reported, Microsoft said it never e-mails software patches.