Beware the fake security patch

By Tracy Burrows, ITWeb contributor.
Johannesburg, 19 Sept 2003

A new Internet worm masquerading as a security patch sent by Microsoft is spreading fast around the world.

The worm, known as I-Worm.Swen, W32/Swen.A@mm, W32/Gibe@MM.e or Gibe.F, affects Windows 95, Windows NT and all newer versions. It was first reported yesterday and has already spread to at least 66 countries, with tens of thousands of interceptions noted on public tracking sites within the first 24 hours, says Ken Dunham, malicious code intelligence manager at US-based security intelligence firm Idefense.

Swen arrives as an .EXE attachment on an e-mail pretending to contain a patch for holes in Internet Explorer, Outlook and Outlook Express. It then mails itself to addresses located on the victim's computer. When it infects a computer, it alerts a Web site that appears to be counting the infections, say anti-virus companies. The number of the counter was reportedly near 1.5 million by this morning.

Idefense says home and small office users are particularly vulnerable. "Swen does spread as a blended threat: e-mail, IRC, network shares, and through P2P networks," says Dunham. "It is highly effective in spreading because it looks very official and masquerades as a legitimate e-mail from Microsoft."

He says the worm then attempts to steal confidential information from a computer. This component of the attack could lead to a full compromise of a user's e-mail account or computer. It also communicates with 230 remote IP addresses once it has infected a PC.

"This is eerily similar to the Sobig worm family in several ways, but the analysis of this most complicated worm has yet to be completed," says Dunham.

Brett Myroff, CEO of southern African Sophos distributor, NetXactics, says there have been no reports of local Swen infections yet.

"SA usually follows one to two hours behind the rest of the world with these infections, and we haven't seen any locally yet. This could be because South Africans are still alert after the recent Blaster attacks." However, he warns against complacency setting in.

Microsoft has cautioned customers in the past against e-mail software updates, saying it does not distribute patches that way but rather directs customers to its Web site.
