Here's an advisory on the worm posing as a patch, that Zot and others have been discussing.

-----Original Message-----
From: Gregg Shankle [mailto:Gregg.Shankle@private]
Sent: Friday, September 19, 2003 8:54 AM
Subject: Fwd: NYS OCSCIC-Cyber Advisory: Swen (aka Gibe) worm poses as official patch from Microsoft - Risk: Low/

>>> "Pelgrin, William (CSCIC)" <William.Pelgrin@private> 09/19/03 08:15AM >>>

DATE ISSUED: 9/19/03

NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION
CYBER ADVISORY

SUBJECT: Swen (aka Gibe) worm poses as official patch from Microsoft.

OVERVIEW:
Anti-virus vendors are reporting that the Swen worm is spreading rapidly using e-mail, IRC, KaZaa, network shares and some newsgroups (NNTP). The worm attempts to socially engineer victims into executing an e-mail attachment by posing as an official Microsoft patch. CSCIC is sending this advisory due to the large number of infected systems being reported by anti-virus vendors and the method of social engineering employed. The primary concern with this worm is the potential for network congestion. It does not appear to be destructive.

Risk:
Government:
 - Large and medium government entities: Low
 - Small government entities: Medium
Businesses:
 - Large and small businesses: Low
 - Small businesses: Medium
Home users: Medium

SYSTEMS AFFECTED:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

DESCRIPTION:
One of the methods the worm uses to propagate is via an e-mail attachment where the attachment name, subject, body and From: fields vary. One of the e-mails poses as an official patch from Microsoft and contains an executable attachment whose name starts with PATCH, INSTALL, UPGRADE, or UPDATE. In addition, it attempts to use an old Microsoft MIME vulnerability (MS01-020) to execute automatically. The worm contains its own SMTP engine, so it does not rely on any specific e-mail client to spread.

It sends itself out to e-mail addresses it obtains from files on the infected system. Although agencies may block .EXE attachments at their e-mail gateways, home users or users that connect to other networks may not. In addition, the worm can compromise systems via other vectors such as the following:
 * replicating over mapped network shares
 * sharing itself over the KaZaa peer-to-peer file-sharing network
 * delivering itself via Internet Relay Chat (IRC)
 * spreading through certain newsgroups (NNTP)

The worm may also attempt to disarm various anti-virus or other security software processes to avoid detection.

RECOMMENDATIONS:
1) If you are not already doing so, consider blocking common executable attachment types at your e-mail gateway. These include .EXE, .BAT, .PIF, .COM, and .SCR files.
2) Use egress filtering on your perimeter firewalls to block outbound SMTP (UDP/TCP port 25) except from your e-mail server(s). This will help prevent spread of the worm if someone on your internal network does get infected.
3) Consider blocking access to file sharing networks and IRC, since they are frequent vectors for virus propagation.
4) Ensure that staff and home users have current anti-virus signatures applied. In addition, ensure that anyone running Internet Explorer 5.5 or earlier has MS01-020 applied.
5) Warn users not to open any unsolicited e-mail or attachments.

REFERENCES:
Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@private ml
McAfee: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100662
Sophos: http://www.sophos.com/virusinfo/analyses/w32gibef.html
F-Secure: http://www.f-secure.com/v-descs/swen.shtml
eWeek: http://www.eweek.com/article2/0,4149,1273249,00.asp
Microsoft MS01-020 Patch: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

_____________________________
William F. Pelgrin
Director
NYS Cyber Security and Critical Infrastructure Coordination
30 South Pearl Street
Albany, New York 12207
518-473-4383 (Phone)
518-402-3799 (Fax)
william.pelgrin@private
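Recommendation 1 of the advisory (block executable attachment types at the e-mail gateway), worked through as an added example that is not part of the CSCIC advisory or the forwarded message. It parses a message with Python's standard `email` module and reports three things the advisory calls out: an attachment with one of the listed executable extensions, an executable whose name starts with PATCH/INSTALL/UPGRADE/UPDATE, and an executable declared under a harmless Content-Type such as audio/x-wav, which is the MIME mismatch MS01-020 addressed (an unpatched client trusts the declared type and runs the file). The sample messages, sender addresses and subject are constructed for the demo; `attachment_findings` and `build_sample` are names chosen here, not gateway or vendor APIs.

```python
"""Attachment policy check of the kind a mail gateway could apply.

Added example, not code from the advisory. Sample messages below are
constructed for the demonstration.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions named in recommendation 1 of the advisory.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".pif", ".com", ".scr"}
# Attachment name prefixes the advisory attributes to the fake-patch mail.
SWEN_PREFIXES = ("PATCH", "INSTALL", "UPGRADE", "UPDATE")
# Content-Types an executable has no business being declared as; the
# MS01-020 trick relied on such a mismatch to get the file auto-executed.
BENIGN_TYPES = {"audio/x-wav", "audio/x-midi", "image/gif", "image/jpeg",
                "text/plain"}


def attachment_findings(raw_message: bytes) -> list:
    """Return (filename, reason) tuples for every policy hit in the message.

    An empty list means the message carries no attachment the policy objects to.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        name = filename.strip().lower()
        # Take the last extension so "update.txt.scr" is still caught.
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext not in BLOCKED_EXTENSIONS:
            continue
        findings.append((filename, f"blocked extension {ext}"))
        for prefix in SWEN_PREFIXES:
            if name.upper().startswith(prefix):
                findings.append(
                    (filename, f"name matches Swen pattern ({prefix}*{ext})"))
                break
        ctype = part.get_content_type()
        if ctype in BENIGN_TYPES:
            findings.append(
                (filename, f"executable declared as {ctype} (MS01-020 MIME mismatch)"))
    return findings


def build_sample(filename: str, content_type: str) -> bytes:
    """Construct a test message carrying one attachment (demo input only)."""
    msg = EmailMessage()
    # Constructed addresses and subject; the real worm varies all of these.
    msg["From"] = "Security Bulletin <bulletin@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Latest Security Update"
    msg.set_content("Install the attached patch to protect your system.")
    maintype, subtype = content_type.split("/", 1)
    # A stub payload with the MZ header of a Windows executable.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        ("report.pdf", "application/pdf"),
        ("Patch123.exe", "audio/x-wav"),
        ("update.txt.scr", "application/octet-stream"),
    ]
    for fname, ctype in samples:
        hits = attachment_findings(build_sample(fname, ctype))
        verdict = "REJECT" if hits else "accept"
        print(f"{fname:16} {verdict}")
        for _, reason in hits:
            print(f"    - {reason}")
```

The check is deliberately extension-based, matching the advisory's recommendation; a gateway that also inspects content (the `MZ` header in the stub above) would catch renamed executables that this filter, like the advisory's, does not.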
This archive was generated by hypermail 2b30 : Fri Sep 19 2003 - 10:14:31 PDT