[ISN] New worm poses as Microsoft patch

From: InfoSec News (isnat_private)
Date: Thu Jul 17 2003 - 00:45:24 PDT

    http://www.nwfusion.com/news/2003/0716kazaaworm.html
    
    By Paul Roberts
    IDG News Service
    07/16/03
    
    Antivirus company TruSecure is warning users about a new e-mail worm
    that is beginning to spread on the Internet and over the Kazaa
    peer-to-peer network.
    
    The new worm, dubbed "Gruel," is a mass-mailing worm that masquerades
    as a Windows software patch from Microsoft and as a virus removal tool
    from Symantec, according to an alert from TruSecure.
    
    Like other mass-mailing worms, Gruel spreads by stealing e-mail
    addresses from an infected computer's Microsoft Outlook address book
    and mailing copies of itself to those addresses, the company said.
    
    The worm deletes files from machines it infects and copies itself into
    various locations, including folders used by the Kazaa file-sharing
    network, enabling it to spread on that network as well, TruSecure
    said.
    
    TruSecure received word of five infections and fielded around 20 calls
    from users who have received e-mail messages containing the virus,
    according to Bruce Hughes, content security lab manager at TruSecure.
    
    While the number of infections is still low, Gruel has a number of
    characteristics that have allowed other worms to successfully spread
    in recent months, Hughes said.
    
    In addition to its clever use of so-called "social engineering" tricks
    such as using the names of Microsoft and Symantec to fool recipients,
    the coupling of mass-mailing techniques and features to spread over
    peer-to-peer networks makes Gruel more dangerous, Hughes said.
    
    Unlike other worms, however, Gruel does not spread over shared folders
    on local area networks, he said.
    
    While most organizations have antivirus software that will block or
    quarantine the executable attachment containing the Gruel virus, home
    users without such protections will likely bear the brunt of the new
    worm, Hughes said.
    
    In the coming hours and days, infections on those home systems may
    bombard corporate mail gateways with infected messages as well, Hughes
    said.
    
    The company currently has the new worm on "watch," he said.
    
    
    