A new virus has been doing the rounds in the last few days, masquerading as a security patch sent via email by Microsoft Corp.
The email, in HTML format, looks as if it has indeed been sent by the world's leading software maker. However, there is one catch: Microsoft never sends any security patches or updates via email.
The virus, called Gibe-F or Swen, affects machines running Windows 2000, Windows 95/98/Me, Windows NT, Windows Server 2003 and Windows XP.
According to Symantec Corp's website, W32.Swen.A@mm is a mass-mailing worm that uses its own SMTP engine to spread itself. It attempts to spread through file-sharing networks, such as KaZaA and IRC, and attempts to kill anti-virus and personal firewall programs running on a computer.
According to an expert quoted in a report on channelasia.com, the virus has infected hundreds of thousands of computers worldwide, including several in the UAE, and could spread to millions more. ZDNet says the mass-mailing worm is being taken more seriously since it began to spread rapidly.
Swen has already moved to the top of the virus charts.
The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message, according to Symantec, which manufactures the popular Norton Anti-Virus.
The latest email, which appears as if it has come from Microsoft Corp, reads: "This is the latest version of the security update which eliminates all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express. Install now to maintain the security of your computer."
According to the alert on the Sophos site, if an infected attachment is opened, the worm starts to spread. It covers its tracks by producing just the sort of message you might expect from a security patch, such as "Microsoft Internet Update Pack - This update does not need to be installed on this system", or "This will install Microsoft Security Update. Do you wish to continue?"
In the background, however, the worm searches your hard disk for email addresses and sends out a copy of itself to each of them. Gibe-F tries to switch off a range of security and anti-virus products.
Like all other anti-virus software makers, Sophos advises: Never accept security updates which arrive as email attachments.
Computer users are also advised to update their anti-virus software regularly so that new worms and viruses can be identified effectively and accurately.
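The rule that no genuine security update arrives as an email attachment can be checked mechanically on stored or incoming mail. The Python below is an added example, not code from the article or from any of the vendors it quotes; the extension list, the lure phrases and the sample message (sender address, filename, bytes) are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: attachment extensions treated as directly runnable on Windows.
RISKY_EXT = (".exe", ".scr", ".pif", ".bat", ".com", ".cmd")
# Assumption: phrases that mark a message as posing as a vendor patch.
LURE_WORDS = ("security update", "security patch", "update pack")

def risky_attachments(msg):
    """Return the filenames of attachments that have a runnable extension."""
    names = [part.get_filename() for part in msg.walk()]
    return [n for n in names if n and n.lower().endswith(RISKY_EXT)]

def visible_text(msg):
    """Subject plus every text/plain and text/html body part, lower-cased."""
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.get_filename():
            chunks.append(part.get_content())
    return " ".join(chunks).lower()

def is_fake_patch(raw_bytes):
    """True when mail claims to be a Microsoft update and carries a program."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    text = visible_text(msg)
    claims_ms = "microsoft" in str(msg.get("From", "")).lower() or "microsoft" in text
    lure = any(word in text for word in LURE_WORDS)
    return claims_ms and lure and bool(risky_attachments(msg))

def build_sample(with_attachment=True):
    """Constructed test message; sender, filename and bytes are made up."""
    m = EmailMessage()
    m["From"] = "Microsoft Security <security@example.invalid>"
    m["Subject"] = "Latest security update"
    m.set_content("<p>Install now to maintain the security of your computer.</p>",
                  subtype="html")
    if with_attachment:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename="patch.exe")
    return m.as_bytes()

if __name__ == "__main__":
    print(is_fake_patch(build_sample()))       # message with a program attached
    print(is_fake_patch(build_sample(False)))  # same text, no attachment
```

The check keys on the combination of a vendor claim, update wording and a runnable attachment, so a plain-text notice without an attachment is not flagged.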
Gibe's jibe and its actions
Gibe's jibe: The new worm called Gibe-F or Swen has been doing the rounds lately, making Symantec Corp upgrade the alert level to Category 3.
What it does: The virus affects machines running Windows 2000, Windows 95/98/Me, Windows NT, Windows Server 2003 and Windows XP.
Once active, the virus attempts to shut down any antivirus or personal firewall applications that may be running on the infected system.
Swen will appear to download a patch from the Microsoft site while it is actually changing the system registry files such that the virus runs every time the system is rebooted. The virus also mails itself to addresses it finds on the victim's computer.
How it spreads: The virus spreads through email messages that pose as a notice from Microsoft about a critical patch for Internet Explorer, or as an undeliverable email notice. It exploits a vulnerability in MS Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message.
On shared networks, the virus spreads by leaving a copy of itself in the startup folders of individual Windows machines found on the network.
For Internet relay chat users, Swen adds a file called script.ini to the mIRC program folder and then spreads to other IRC users' machines.
Prevention: Do not open any attachment without scanning it for viruses. Most anti-virus programmes do this. Get a legal copy of any anti-virus programme.
On the web:
http://www.symantec.com/avcenter/venc/data/w32.swen.a@mm.html
http://www.sophos.com/virusinfo/articles/gibef.html
http://vil.nai.com/vil/content/v_100662.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A
Gulf News