CRIME FW: NYS OCSCIC-Cyber Advisory: Swen (aka Gibe) worm poses as official patch from Microsoft - Risk: Low/

From: George Heuston (geoneve@private)
Date: Fri Sep 19 2003 - 09:36:18 PDT


    Here's an advisory on the worm posing as a patch, that Zot and others
    have been discussing.
    -----Original Message-----
    From: Gregg Shankle [mailto:Gregg.Shankle@private] 
    Sent: Friday, September 19, 2003 8:54 AM
    Subject: Fwd: NYS OCSCIC-Cyber Advisory: Swen (aka Gibe) worm poses
    as official patch from Microsoft - Risk: Low/

    >>> "Pelgrin, William (CSCIC)" <William.Pelgrin@private>
    09/19/03 08:15AM >>>
    
    DATE ISSUED: 9/19/03

    NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE
    COORDINATION CYBER ADVISORY

    SUBJECT: Swen (aka Gibe) worm poses as official patch from Microsoft.
    
    OVERVIEW:

    Anti-virus vendors are reporting that the Swen worm is spreading rapidly
    using e-mail, IRC, KaZaa, network shares and some newsgroups (NNTP). The
    worm attempts to socially engineer victims into executing an e-mail
    attachment by posing as an official Microsoft patch.

    CSCIC is sending this advisory due to the large number of infected
    systems being reported by anti-virus vendors and the method of social
    engineering employed. The primary concern with this worm is the
    potential for network congestion. It does not appear to be destructive.
    
    Risk:

    Government:
    - Large and medium government entities: Low
    - Small government entities:            Medium

    Businesses:
    - Large and small businesses:           Low
    - Small businesses:                     Medium

    Home users:                             Medium
    
    SYSTEMS AFFECTED:

    Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows
    Server 2003, Windows XP
    
    DESCRIPTION:

    One of the methods the worm uses to propagate is via an email attachment
    where the attachment name, subject, body and from: fields vary. One of
    the e-mails poses as an official patch from Microsoft and contains an
    executable attachment that starts with PATCH, INSTALL, UPGRADE, or
    UPDATE. In addition it attempts to use an old Microsoft MIME
    vulnerability (MS01-020) to automatically execute.

    The worm contains its own SMTP engine so it does not rely on any
    specific e-mail client to spread. It sends itself out to e-mail
    addresses it obtains from files on the infected system. Although
    agencies may block .EXE attachments at their e-mail gateways, home users
    or users that connect to other networks may not.
    
    In addition, the worm can compromise systems via other vectors such as
    the following:
    
    * replicating over mapped network shares
    * sharing itself over the KaZaa peer-to-peer file-sharing network
    * delivering itself via Internet Relay Chat (IRC)
    * spreading through certain newsgroups (NNTP)
    
    The worm may also attempt to disarm various anti-virus or other security
    software processes to avoid detection.
    
     
    
    RECOMMENDATIONS:

    1) If you are not already doing so, consider blocking common executable
    attachment types at your e-mail gateway. These include .EXE, .BAT, .PIF,
    .COM, and .SCR files.

    2) Use egress filtering on your perimeter firewalls to block outbound
    SMTP (UDP/TCP port 25) except from your e-mail server(s). This will
    help prevent spread of the worm if someone on your internal network does
    get infected.

    3) Consider blocking access to file sharing networks and IRC since they
    are frequent vectors for virus propagation.

    4) Ensure that staff and home users have current anti-virus signatures
    applied. In addition, ensure that anyone running Internet Explorer 5.5
    or earlier has MS01-020 applied.

    5) Warn users not to open any unsolicited e-mail or attachments.

    REFERENCES:

    Symantec:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@private
    ml

    McAfee:
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100662

    Sophos:
    http://www.sophos.com/virusinfo/analyses/w32gibef.html

    F-Secure:
    http://www.f-secure.com/v-descs/swen.shtml

    eWeek:
    http://www.eweek.com/article2/0,4149,1273249,00.asp

    Microsoft MS01-020 Patch:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

    _____________________________
    
    William F. Pelgrin
    
    Director
    
    NYS Cyber Security and Critical Infrastructure Coordination
    
    30 South Pearl Street
    
    Albany, New York 12207
    
    518-473-4383 (Phone)
    
    518-402-3799 (Fax)
    
    william.pelgrin@private
    
     
    
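As an added illustration of recommendation 1 (not part of the forwarded advisory), the following Python scans a raw e-mail, flags attachments with the executable extensions the advisory lists, and separately marks those whose name starts with PATCH, INSTALL, UPGRADE or UPDATE as matching the worm's fake-patch lure. The sample message, sender address and subject are constructed for the demo; nothing here is a real Swen sample.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Executable attachment types the advisory recommends blocking at the gateway.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".pif", ".com", ".scr"}
# Attachment-name prefixes the advisory attributes to the fake-patch e-mail.
LURE_PREFIXES = ("PATCH", "INSTALL", "UPGRADE", "UPDATE")


def classify_attachment(filename):
    """Return 'block-swen-lure', 'block-executable' or 'allow' for one name."""
    stem, ext = os.path.splitext(filename.strip())
    if ext.lower() in BLOCKED_EXTENSIONS:
        # Executable *and* named like the lure: worth a targeted alert.
        if stem.upper().startswith(LURE_PREFIXES):
            return "block-swen-lure"
        return "block-executable"
    return "allow"


def scan_message(raw_bytes):
    """Walk every MIME part of a raw message; return (filename, verdict) pairs."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:  # only parts that carry an attachment name
            verdicts.append((filename, classify_attachment(filename)))
    return verdicts


def build_sample_message():
    """Constructed test e-mail imitating the fake-patch lure (not a real one)."""
    msg = EmailMessage()
    msg["From"] = "Security Center <update@example.invalid>"  # constructed
    msg["To"] = "user@example.invalid"  # constructed
    msg["Subject"] = "Critical security update"  # constructed subject
    msg.set_content("Install the attached patch to protect your system.")
    # Placeholder bytes stand in for the executable; no real binary is embedded.
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="Patch2003.exe")
    msg.add_attachment("plain text note", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()):
        print(f"{name}: {verdict}")
```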



    This archive was generated by hypermail 2b30 : Fri Sep 19 2003 - 10:14:31 PDT