By Jay Lyman TechNewsWorld Part of the ECT News Network
09/19/03 9:48 AM PT
Swen, a "highly complex" worm, communicates with a remote Web site to track its own infections, which as of Friday morning was at more than 1.4 million computers.
Despite the recent success of computer worms, such as Blaster, that have pounced on newly discovered vulnerabilities, a new threat that looks remarkably like a legitimate security e-mail from Microsoft (Nasdaq: MSFT) is using a two-year-old vulnerability to infect thousands of computers.
Known as "Swen" or "Gibe," the mass-mailing worm has hit thousands of Windows machines -- mostly home or small business users -- through e-mail, Internet Relay Chat (IRC) and peer-to-peer (P2P) networks. The worm, which automatically executes an attachment to infect and also attempts to steal e-mail account data, appears to be seizing on heightened security awareness by spoofing a message and patch from Microsoft.
The impersonation of correspondence from Microsoft -- which stresses it never delivers patches via e-mail but instead directs its users to a Web site -- is nothing new, but Swen represents a fake that could be hard to spot, iDefense malicious code intelligence manager Ken Dunham told TechNewsWorld.
"It's really slick how it pretends to be a Microsoft e-mail," Dunham said. "It makes it all look very official."
Old Issue, New Threat
Swen, a variant of the Gibe worm rewritten in C++, takes advantage of a vulnerability in Internet Explorer 5.01 and 5.5 that allows an incorrect MIME header to cause execution of an e-mail attachment.
While Microsoft released a patch for the problem when it was announced in March 2001, the issue has been the basis of several viral outbreaks, including such big-name threats as Klez, Nimda, Badtrans and BugBear, according to Dunham.
"There's been an average of three or four big viruses exploiting this every year since it was discovered," he said. "It's still popular, and it still works."
As the Worm Turns
First discovered nearly a week ago, Swen began with only a few infections but used its automated execution to account for one in every 355 e-mails as of Friday, MessageLabs chief technology officer Mark Sunner told TechNewsWorld.
The worm, which Sunner described as "highly complex," communicates with a remote Web site to track its own infection reach, which as of Friday morning was at more than 1.4 million computers. Dunham said that although that number might be skewed by noninfected visitors to the site, Swen's self-assessment of the number of victims is probably accurate.
Sunner, who was critical of traditional antivirus measures that failed to stem the worm's spread, did not classify Swen as a large outbreak yet, but he said the worm could be a "slow burner" and is still guaranteed to make the top 10 list of viruses.
Like SoBig, So Tricky
Swen, a so-called "blended threat" because of its ability to infect and spread via different available channels, can be triggered automatically through e-mail, IRC, P2P and other network-sharing scenarios. The worm uses its own simple mail transfer protocol (SMTP) engine to send out e-mails using addresses on infected computers.
Dunham, who reported Swen's solid foothold in the United States, Great Britain and The Netherlands, likened the worm to SoBig in its rapid spread and ability to trick users by changing identifiable information.
"It's tricky, highly randomized social engineering," Dunham said, referring to Swen's bogus error message warning that e-mail functionality could be lost if users do not plug in critical data.
Disabler and Thief
With a variety of components and complexities, Swen is similar to previous threats in its attempts to disable antivirus and firewall programs on targeted computers, according to antivirus vendor Symantec (Nasdaq: SYMC), which upgraded Swen's severity rating because of increased submissions.
The worm also attempts to steal confidential information with a phony error message that requests e-mail server and password information to avoid loss of e-mail functionality, according to Dunham.
"This component of the attack could lead to a full compromise of a user's e-mail account or computer," said Dunham, who referred to a growing number of computers that attackers "know they can count on."
So Long, Swen
Users who have not patched the problem, despite the availability of a fix for more than two years from Microsoft, are urged to do so now.
Other methods to ward off Swen include blocking executable files at the gateway and avoidance of instant messaging, P2P software and other network-sharing applications.
If already infected, users are advised to seek removal tools for the worm, which are available from several antivirus vendors.
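A defensive illustration of the gateway advice above (blocking executable attachments) and of the MIME header inconsistency the article attributes to the Internet Explorer flaw, added here as an example; it is not code from the article, from Microsoft or from any antivirus vendor. It uses Python's standard email parser; the blocked-extension list, the two constructed sample messages and the heuristic that an executable declared under a non-application Content-Type is a header/extension mismatch are my assumptions.

```python
import email
from email import policy

# Extensions a gateway would reject outright (assumed list, not from the article).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}

# Constructed sample modelled on the article: a mail posing as a vendor security
# bulletin whose attached "patch" is an executable declared under a harmless type.
SAMPLE_MAIL = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Install the attached patch to protect your system.
--b1
Content-Type: audio/x-wav; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"

(placeholder bytes, not a real binary)
--b1--
"""

# Constructed benign message: a document whose declared type fits its name.
CLEAN_MAIL = """\
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

(placeholder PDF bytes)
"""

def inspect_attachments(raw):
    # Returns (filename, content_type, reasons) for each attachment to reject.
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or not filename:
            continue
        ext = filename.lower().rpartition(".")[2]
        ctype = part.get_content_type()
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append("executable attachment")
            # Assumed heuristic: executable content declared as a non-application type.
            if not ctype.startswith("application/"):
                reasons.append(f"declared {ctype} for a .{ext} file")
        if reasons:
            findings.append((filename, ctype, reasons))
    return findings
```

A gateway would quarantine any message for which `inspect_attachments` returns a non-empty list, rather than relying on the user to spot the forged bulletin.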