[ISN] New Internet worm targets e-mail, P2P software

From: InfoSec News (isnat_private)
Date: Thu Sep 18 2003 - 22:27:49 PDT

  • Next message: InfoSec News: "[ISN] Post-Isabel, IT managers say preparation paid off"

    By Paul Roberts
    IDG News Service
    Anti-virus companies are warning Internet users about W32.Swen, a new
    worm that spreads using e-mail messages, vulnerable network
    connections, IRC (Internet Relay Chat) and peer-to-peer networks.
    First detected on Thursday, Swen exploits a security hole in
    Microsoft's Internet Explorer Web browser and affects all supported
    versions of the Windows operating system, according to F-Secure of
    The worm poses as a software security update from Microsoft prompting
    users with "Yes" or "No" buttons to agree to install the update and
    even an installation "progress" bar if they do agree.
    However, the worm code is installed regardless of what users select.  
    Once on an infected system, Swen alters the configuration of the
    Windows operating system so that the worm is launched whenever Windows
    is started. The worm also detects and disables anti-virus software or
    other Windows features that could be used to disable it, according to
    Like other mass mailing worms, Swen scans an infected machine's hard
    drive for e-mail addresses and uses those to send out more copies of
    itself, skimming SMTP server addresses and user names from Windows.
    Infected e-mail messages are formatted to look like official
    correspondence from Microsoft. The messages appear to come from one of
    a variety of randomly generated senders like "MS Technical
    Assistance," and advertise a "cumulative patch" for Internet Explorer
    to patch "three newly discovered vulnerabilities," F-Secure said.
    The worm also can detect the presence of IRC clients or the Kazaa P2P
    file-sharing software and distribute itself on those networks. Swen
    places a specialized script file that sends a virus file to every
    computer on the same IRC channel as the infected computer.
    For machines running Kazaa file-sharing software, Swen enables the
    file-sharing feature, if it is not already enabled, and places
    multiple copies of itself in the Kazaa shared files folder disguised
    as Kazaa client software, pirated software or other popular
    applications, F-Secure said.
    F-Secure, Network Associates and Symantec all issued warnings about
    Swen Thursday, indicating that the worm is spreading on the Internet.
    More than one antivirus company noted the similarity between Swen and
    an earlier worm, W32.Gibe, which appeared in February. Like Swen, Gibe
    also attempted to spread via e-mail, as well as Kazaa and IRC networks
    while posing as a piece of legitimate Microsoft software when
    Customers are being advised to update their anti-virus definitions to
    detect Swen.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Sep 19 2003 - 01:39:37 PDT