ShaolinTiger (Forum Fanatic)
Joined: 18 Apr 2002 Posts: 2762 Location: Kuala Lumpur, Malaysia
Posted: Fri Sep 19, 2003 1:57 am Post subject: New Virus Swen-A W32/Gibe-F - I-Worm.Swen - W32/Swen.A@mm
As a follow on from: http://www.security-forums.com/forum/viewtopic.php?t=8446
Known as W32/Gibe-F - I-Worm.Swen - W32/Swen.A@mm - W32/Gibe.C.worm - W32.Swen-A
Unusually, MessageLabs currently has nothing on this one, only stats for W32/Gibe-E, not W32/Gibe-F, which is this variant. Looks realistic too, has a nice icon, and installs as below:
It's an exe attachment with an HTML e-mail, so as always, if you've taken our advice before and blocked all executable extensions at the e-mail gateway, this won't affect you.
_________________
Share your knowledge, it's a way to achieve Immortality.
Quit Smoking - Darknet Hacking
Kung-Fu Geekery
Last edited by ShaolinTiger on Tue Sep 23, 2003 5:59 pm; edited 2 times in total

werem00se (New Member)
Joined: 28 Aug 2002 Posts: 40 Location: U.S.A (west)
Posted: Fri Sep 19, 2003 2:04 am
I've had numerous calls on this today. (Content filtering at the firewall is cool.) The attachments vary a bit in name. Clever bit of effort involved in the social engineering end...
_________________
#include <stdio.h>

int main(void)
{
    int count;
    /* no stray ';' after the for(): the printf has to be the loop body */
    for (count = 1; count <= 500; count++) {
        printf("I will play nice with others.\n");
    }
    return 0;
}

PhiBer (Trusted SF Member)
Joined: 11 Mar 2003 Posts: 1092 Location: Your MBR
Posted: Fri Sep 19, 2003 2:16 am
Ya, I think a lot of people who don't know much about computers are gonna open this one!!!
Our district is still getting flooded with spam mail that has virus attachments!
_________________ "The ultimate measure of a man is not where he stands in moments of comfort, but where he stands at times of challenge and controversy" –Martin Luther King

hugo (Forum Junky)
Joined: 14 Jun 2003 Posts: 944 Location: Netherlands, Europe
Posted: Fri Sep 19, 2003 9:00 am
I've also read that the virus/worm in question hits a web counter every time it infects a machine, which is in itself quite interesting.
The URL of the counter was also posted on Full-Disclosure, but as visiting it also increases the hits, the number it states does not really represent the number of actual infections.
_________________ -- sig!

Rottz (Frequent Member)
Joined: 29 Mar 2003 Posts: 196 Location: East Coast, USA
Posted: Fri Sep 19, 2003 6:28 pm Post subject: New virus alert: W32/Gibe.E-mm (aka W32/Swen.A-mm)
New virus alert: W32/Gibe.E-mm (aka W32/Swen.A-mm) - HIGH LEVEL
On 14th September 2003, MessageLabs the email security company intercepted several copies of a
new mass-mailing virus, which were initially identified as a new variant of the Gibe family of
viruses.
The initial copies all originated from Slovakia, and some later copies originated from the Netherlands.
The proportion of emails carrying this virus have risen to 1 in 355 in the last 24-hours, and
MessageLabs have therefore classified this as a high-level outbreak situation.
Name: W32/Swen.A-mm
Aliases: W32/Gibe.F-mm, W32/Swen.A-mm
Number of copies intercepted so far: 616,665
Time & Date first Captured: 14 Sep 2003 19:30 GMT
Peak infection date: 23 Sep 2003
Origin of first intercepted copy: Slovak Republic
Countries stopped in: 172
Most affected countries: USA (36%), UK (39%), Netherlands (9%)
Peak infection ratio: 1 / 86
Stats as of: 9/24/03 4:10pm EST
Characteristics
Initial analysis would suggest that this strain is a mass-emailing virus, and is similar to the
earlier Gibe strain of viruses, however, there latterly may be sufficient differences to give
rise to a new family and further analysis will be required. The emails appear to be different,
and the attachment name may vary.
MessageLabs detected all strains of this virus proactively, using its unique and patented
Skeptic predictive technology. This virus was also detected heuristically by NAI.
More Info: W32/Swen.A-mm
--------------------------------------------------------------------------------------
AusCERT Update AU-2003.015
New email virus/worm "Swen" masquerades as Microsoft Update
Users and system administrators should be aware of a new mass-mailer worm
that purports to be the "September 2003, Cumulative Patch" for MS Internet
Explorer, MS Outlook and MS Outlook Express. The worm arrives as an
attachment with a .exe extension. In addition to email vectors, Swen will
attempt to spread through file-sharing networks and will attempt to disable
antivirus programs and personal firewall programs on an infected computer.
This particular executable may be detected by anti-virus systems as the
W32/Gibe-F virus. It may also arrive in an email message appearing to be
a qmail delivery failure notice.
Some email subject lines that Swen may use are:
- New Internet Security Update
- net security upgrade
- New Net Critical Update
- Mail: User unknown
REFERENCES:
[1] Protecting your computer from malicious code
http://www.auscert.org.au/render.html?it=3352
[2] Information on Bogus Microsoft Security Bulletin E-mails
http://www.microsoft.com/technet/security/news/patch_hoax.asp
[3] F-Secure Virus Descriptions
http://www.europe.f-secure.com/v-descs/swen.shtml
[4] Symantec Security Response - W32.Swen.A@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html
[5] Computer Associates Virus - Win32.Swen.A
http://www3.ca.com/virusinfo/virus.aspx?ID=36939
[6] McAfee Security
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100662
[7] Trend Micro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A&VSect=T
[8] Sophos virus analysis: W32/Gibe-F
http://www.sophos.com/virusinfo/analyses/w32gibef.html
[9] MessageLabs
http://www.messagelabs.com/viruseye/info/default.asp?virusname=W32%2FGibe%2EE%2Dmm
When possible, upgrade all anti-virus software to use the latest definition
files as soon as they become available.
Ensure that all network file shares are disabled unless necessary and if
possible ensure that active shares are password protected.
AusCERT advises members to disseminate and take action on this information
to prevent any undesirable activity by this virus within their sites. Users
should be again reminded that unsolicited attachments should not be opened.
Full Advisory: http://www.auscert.org.au/render.html?it=3455&cid=1
--------------------------------------------------------------------------------------
The email about the web counter from Richard M Smith is here: lists.netsys.com/pipermail/full-disclosure/2003-September/010442.html
Virus in the News:
- New Internet worm targets e-mail, P2P software
- New worm offers false "Windows Updates"
- Swen worm tops virus charts: news.zdnet.co.uk/internet/security/0,39020375,39116520,00.htm
- Nasty worm poses as MS security update
- New E-Mail Worm Targets Hole in Internet Explorer
- Swen worm purports to be Microsoft alert, hits Europe hard: searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci928518,00.html
- New worm exploits ancient IE flaw
- Microsoft security update is a worm
- Beware the fake security patch
- Computer virus W32.Swen.A proliferates in Viet Nam
- Sharpened wits thwart email virus: australianit.news.com.au/articles/0,7204,7357680%5E15331%5E%5Enbv%5E15306-15319,00.html
- How To Protect Yourself Against Swen and MSBlaster II
Updated 9/24: Updated MessageLabs Stats and Name, Added More Virus News
Last edited by Rottz on Wed Sep 24, 2003 10:15 pm; edited 1 time in total

Rottz (Frequent Member)
Joined: 29 Mar 2003 Posts: 196 Location: East Coast, USA
Posted: Wed Sep 24, 2003 10:03 pm Post subject: Responds from Microsoft
Today I had my usual bunch of emails with the Swen virus, and I'm getting sick of receiving them like everyone else, so I decided to follow the advice of Jason Coombs in his Swen Really Sucks post on Full Disclosure list, and forward all of them to secure@microsoft.com just to annoy them like I am annoyed!
Then I actually got a reply!
Here it is:

Anub!$ (Forum Addict)
Joined: 23 Sep 2003 Posts: 251 Location: Computer Chair
Posted: Fri Sep 26, 2003 3:01 am Post subject: Responds from Microsoft
A friend of mine said that this week his work's e-mail accounts received many e-mails with attachments which were detected as Worm.Automat.AHB,
which, as you know, is the W32/Swen.A-mm. But it just goes to show how vulnerable many networks are to this sort of thing.
Simple lesson is: never open an e-mail attachment unless you know what it is for absolute certain.

browolf (Trusted SF Member)
Joined: 19 Apr 2002 Posts: 590
Posted: Fri Sep 26, 2003 10:00 am
I never previously got emails with viruses in at work, and now I'm getting like 20 a day of these. They're harmless by the time they reach here, as our upstream provider virus-checks all mail.
They all arrive looking like:
------------------ Virus Warning Message (on sweeper3)
Found virus WORM_SWEN.A in file Install.exe
The uncleanable file is deleted.
---------------------------------------------------------
_________________ azjol nerub 60 rogue

oeb (Frequent Member)
Joined: 17 Mar 2003 Posts: 151 Location: That Island of drunks over there
Posted: Fri Sep 26, 2003 10:20 am
Ha, you think you are bad.
I got 111 emails between 7pm last night and 9am this morning
18 were spam
2 were from clients
91 were gibe.
This sucks.
_________________ Quidquid latine dictum sit, altum viditur
http://www.4o3.net - A work in progress

NTidd (New Member)
Joined: 11 Sep 2003 Posts: 27 Location: Office
Posted: Fri Sep 26, 2003 2:19 pm
I nearly had to reload my machine. Somehow it got infected, and after I deleted the infected file, most of my executables wouldn't run. After I finally figured it out, I just had to change some values back in the registry. I think that I had a variant of some sort, because I never received any of those Microsoft messages until after I somehow got infected. The virus also didn't do everything that the AV sites said, and it did some extra stuff. My antivirus wouldn't detect it at the time even though my defs were up to date, but the process may not have been running at all.

Anub!$ (Forum Addict)
Joined: 23 Sep 2003 Posts: 251 Location: Computer Chair
Posted: Fri Sep 26, 2003 7:16 pm Post subject: New Virus Swen-A W32/Gibe-F - I-Worm.Swen - W32/Swen.A-at-mm
Do you use Kazaa or anything?
It spreads through that as well.

Mongrel (Trusted SF Member)
Joined: 30 May 2002 Posts: 1347
Posted: Fri Sep 26, 2003 9:44 pm Post subject: Interesting twist on W32.Swen.A@mm
I've been getting dozens of these disguised as undeliverable e-mail.
The recipient is led to believe they sent an email to some fictitious
address. Since most mail systems treat the original undelivered message
as an attachment, the user is tricked into opening what they think will be
an e-mail they sent, when in actuality they are installing the virus.
Many, many variations. Here's a few examples:
This one was from "mail delivery service <lmailbot@microsoft.com>"
addressed to "mail user <receiver@smtpserver.net>" with a subject
of "Failure Advice"
"This is the qmail program
I'm afraid the message returned below could not be delivered to the
following addresses:
Undelivered message to elrsnp@microsoft.com
Message follows:"
This one was from "Admin <umaildaemon@freemail.com>" addressed
to "Network Client <recipient@emaildomain.com>"
with a subject of "Mail Returned To Sender"
"This is the qmail program
I'm sorry to have to inform you that I wasn't able to deliver your
message to one or more destinations.
Undelivered message to lzsuwea@freemail.com
Message follows:"
Last edited by Mongrel on Fri Sep 26, 2003 9:52 pm; edited 3 times in total
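ShaolinTiger's gateway advice at the top of the thread (refuse executable attachments outright) and the fake qmail bounces quoted in this post can be enforced by one filter, and the bounce trick is exactly where a naive check fails: the .exe sits inside the "returned" message, which MIME carries as a message/rfc822 part, so the filter has to descend into nested messages. The code below is an added example written for this thread, not code from any poster or product named here. It assumes a blocked-extension list, a local mail domain of smtpserver.net (lifted from the To: header in Mongrel's first sample) and three constructed messages whose headers and bounce wording are copied from the samples above; the verdict logic is my own.

```python
import email
from email import policy
from email.utils import parseaddr
from pathlib import PureWindowsPath

# Constructed policy for this example (not the forum's): extensions refused
# outright, the domain whose MTA may legitimately bounce mail to us, and the
# bounce wording seen in Mongrel's samples.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
OUR_MAIL_DOMAIN = "smtpserver.net"
BOUNCE_PHRASES = ("this is the qmail program", "undelivered message to")

def attachment_names(msg):
    """Filenames of every attachment. walk() recurses into message/rfc822 parts,
    so a "returned" message wrapped as an attachment is inspected like any other."""
    names = []
    for part in msg.walk():
        if part.is_multipart():      # containers carry no filename themselves
            continue
        name = part.get_filename()
        if name:
            names.append(PureWindowsPath(name).name)   # drop any sender-supplied path
    return names

def blocked_attachments(msg):
    return [n for n in attachment_names(msg)
            if PureWindowsPath(n).suffix.lower() in BLOCKED_EXTENSIONS]

def is_foreign_bounce(msg):
    """Bounce wording in the body while From: is not our own mail system."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if not any(phrase in text for phrase in BOUNCE_PHRASES):
        return False
    _, sender = parseaddr(msg.get("From", ""))
    return not sender.lower().endswith("@" + OUR_MAIL_DOMAIN)

def gateway_verdict(raw_message):
    """('reject', names) for executable attachments, ('quarantine', []) for a
    bounce that did not come from our MTA, otherwise ('accept', [])."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = blocked_attachments(msg)
    if hits:
        return "reject", hits
    if is_foreign_bounce(msg):
        return "quarantine", []
    return "accept", []

# Constructed sample: Mongrel's "Failure Advice" bounce, with the "returned"
# message being Install.exe (the filename browolf's upstream scanner logged).
FAKE_BOUNCE = """\
From: mail delivery service <lmailbot@microsoft.com>
To: mail user <receiver@smtpserver.net>
Subject: Failure Advice
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

This is the qmail program
I'm afraid the message returned below could not be delivered to the
following addresses:
Undelivered message to elrsnp@microsoft.com
Message follows:

--outer
Content-Type: message/rfc822

From: receiver@smtpserver.net
To: elrsnp@microsoft.com
Subject: (the message you supposedly sent)
Content-Type: application/octet-stream; name="Install.exe"
Content-Disposition: attachment; filename="Install.exe"
Content-Transfer-Encoding: base64

TVpmYWtl
--outer--
"""

# Same bounce text with nothing attached: still not from our MTA, so quarantine.
BOUNCE_TEXT_ONLY = FAKE_BOUNCE.split("--outer\nContent-Type: message/rfc822")[0] + "--outer--\n"

# Constructed sample: ordinary mail whose only attachment is a text file.
CLEAN_MAIL = """\
From: Colleague <colleague@example.com>
To: mail user <receiver@smtpserver.net>
Subject: notes
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just text
--b1--
"""
```

Run `gateway_verdict(FAKE_BOUNCE)` and it comes back `('reject', ['Install.exe'])` even though the executable is two MIME levels down; the text-only variant is quarantined because a qmail bounce should only ever originate from our own MTA, and the clean message is accepted. Extension matching is done on the last suffix of the Windows filename, so a double extension such as `notes.txt.exe` is still caught.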

NTidd (New Member)
Joined: 11 Sep 2003 Posts: 27 Location: Office
Posted: Fri Sep 26, 2003 9:45 pm Post subject: Re: New Virus Swen-A W32/Gibe-F - I-Worm.Swen - W32/Swen.A-a
Aviator wrote:
> Do you use Kazaa or anything?
> It spreads through that as well.
Nope, it is my machine at werk, don't run much of anything on it except outlook and dreamweaver.

Rottz (Frequent Member)
Joined: 29 Mar 2003 Posts: 196 Location: East Coast, USA
Posted: Fri Sep 26, 2003 11:34 pm Post subject: Re: New Virus Swen-A W32/Gibe-F - I-Worm.Swen - W32/Swen.A-a
NTidd wrote:
> Nope, it is my machine at werk, don't run much of anything on it except outlook and dreamweaver.
It also spreads through network shares, which I assume you have at work, so someone on your network might have got the email and opened it and now has infected your whole network. You might want to contact your IT Security department and notify them so they can try to disinfect the systems and stop it from spreading.
Here is some info from Symantec's Swen.A page:
Transmission through mapped drives
When attempting to spread through mapped drives, W32.Swen.A@mm does so to the following locations:
- \Win98\Start menu\Programs\Startup
- \Win95\Start menu\Programs\Startup
- \WinMe\Start menu\Programs\Startup
- \Windows\Start menu\Programs\Startup
- \Documents and Settings\All Users\Start menu\Programs\Startup
- \Documents and Settings\Administrator\Start menu\Programs\Startup
- \Documents and Settings\Default User\Start menu\Programs\Startup
- \Winnt\Profiles\All Users\Start menu\Programs\Startup
- \Winnt\Profiles\Administrator\Start menu\Programs\Startup
- \Winnt\Profiles\Default User\Start menu\Programs\Startup
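Symantec's list above doubles as an audit checklist for any share or mapped drive a machine exposes: a fresh executable in one of those Startup folders is the worm's foothold on the next machine that logs on. The following is an added example for this thread, not Symantec's code or the forum's. The ten paths are copied verbatim from the list; the executable-suffix set and the throwaway directory tree that `demo()` builds (with constructed filenames) are assumptions made for the example.

```python
import tempfile
from pathlib import Path, PureWindowsPath

# Startup folders from the Symantec write-up quoted above, relative to the
# root of a mapped drive.
STARTUP_DIRS = [
    r"Win98\Start menu\Programs\Startup",
    r"Win95\Start menu\Programs\Startup",
    r"WinMe\Start menu\Programs\Startup",
    r"Windows\Start menu\Programs\Startup",
    r"Documents and Settings\All Users\Start menu\Programs\Startup",
    r"Documents and Settings\Administrator\Start menu\Programs\Startup",
    r"Documents and Settings\Default User\Start menu\Programs\Startup",
    r"Winnt\Profiles\All Users\Start menu\Programs\Startup",
    r"Winnt\Profiles\Administrator\Start menu\Programs\Startup",
    r"Winnt\Profiles\Default User\Start menu\Programs\Startup",
]
# Constructed for the example: anything with these suffixes in a Startup
# folder runs at the next logon.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def startup_folder(root, rel):
    """Join a Windows-style relative path onto `root` without assuming the host's
    separator, so a share mounted on a POSIX box is handled like a drive letter."""
    return Path(root).joinpath(*PureWindowsPath(rel).parts)


def scan_share(root):
    """(startup_dir, filename) for every executable found in one of the listed
    Startup folders beneath `root` (a mapped drive or mounted share)."""
    findings = []
    for rel in STARTUP_DIRS:
        folder = startup_folder(root, rel)
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            if entry.is_file() and entry.suffix.lower() in EXECUTABLE_SUFFIXES:
                findings.append((rel, entry.name))
    return findings


def demo():
    """Stand in for a mapped drive with a throwaway tree: plant two executables
    and one text file, then return what scan_share reports."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = {                       # constructed filenames, not samples
            STARTUP_DIRS[0]: ["Install.exe", "readme.txt"],
            STARTUP_DIRS[4]: ["Patch.exe"],
            STARTUP_DIRS[7]: [],
        }
        for rel, files in planted.items():
            folder = startup_folder(tmp, rel)
            folder.mkdir(parents=True)
            for name in files:
                (folder / name).write_bytes(b"MZ")   # header-looking stub, not a real binary
        return scan_share(tmp)
```

`demo()` returns the two planted executables and ignores `readme.txt`; pointing `scan_share()` at the mount point of a real share gives the same report for that share. Folders that do not exist are skipped, so one list serves every Windows generation in Symantec's table.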

NTidd (New Member)
Joined: 11 Sep 2003 Posts: 27 Location: Office
Posted: Sat Sep 27, 2003 12:35 am
Yeah, I am part of the IT department; we do consulting for other businesses. Anyway, I don't have any mapped drives on my PC, and nobody else in the office is having problems. This was last Wednesday when it all happened. I sometimes toy with different things like that on my PC, but I wasn't doing anything in particular that day. Who knows what happened; I was just glad that I found out what virus it was before I decided to reload it. I just had to fix some of the registry keys: it was modified to open a particular executable whenever any executable is run, and after I deleted that, nothing would run unless I ran it from a command prompt.
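NTidd describes the symptom (every .exe routed through another program, then nothing running once that program was deleted) but not the registry value involved. The checker below is an added example for this thread, not NTidd's fix or a vendor tool. It assumes the value he means is the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command, which Windows consults to launch .exe files and whose stock content is "%1" %*; the wrapper path in the demo is hypothetical. The parsing runs on any platform, while reading the live value needs Windows and the standard-library winreg module.

```python
import shlex
import sys

# Stock default value of HKEY_CLASSES_ROOT\exefile\shell\open\command on
# Windows: launch the .exe itself ("%1") with the caller's arguments (%*).
EXEFILE_KEY = r"exefile\shell\open\command"
STOCK_EXEFILE_COMMAND = '"%1" %*'


def launch_wrapper(command):
    """Return the program a modified command inserts in front of "%1", or None
    when the .exe is launched directly.  Any wrapper here runs on every .exe
    launch, and deleting it without restoring "%1" leaves nothing to run them,
    which is the "nothing would run" state NTidd describes."""
    tokens = shlex.split(command, posix=False)   # keep Windows backslashes literal
    if not tokens:
        return None
    first = tokens[0].strip('"')
    return None if first == "%1" else first


def exefile_command_is_stock(command):
    """Health check: True only for the exact stock launch command."""
    return command.strip() == STOCK_EXEFILE_COMMAND


def read_live_exefile_command():
    """Windows only: the value currently in the registry (standard winreg module)."""
    if not sys.platform.startswith("win"):
        raise OSError("registry check needs Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, EXEFILE_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "")   # "" reads the key's default value
    return value


if __name__ == "__main__":
    # Constructed values; the wrapper path is hypothetical, not a real sample.
    for value in (STOCK_EXEFILE_COMMAND, r'"C:\hypothetical\wrapper.exe" "%1" %*', ""):
        print(repr(value), "stock:", exefile_command_is_stock(value),
              "wrapper:", launch_wrapper(value))
```

On a Windows box, `exefile_command_is_stock(read_live_exefile_command())` is the one-line check; a `False` with a non-empty `launch_wrapper()` names the program every .exe is being routed through, and a `False` with an empty value is the state where only a command prompt can still start programs, which is what restoring the stock value fixes.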

Mongrel (Trusted SF Member)
Joined: 30 May 2002 Posts: 1347
Posted: Sat Sep 27, 2003 4:33 am
NTidd - yeh - ain't it fun to play around at work and ... errrr.
Recently I was bringing up the network after the blackout - and one
server would not connect to the outside. Long story short, I temporarily
opened up the firewall as a test. It stayed open for long enough to let mr.
blaster in.
Doooooh!