[PBARC] Virus Masquerades as Microsoft E-Mail
E. Glenn Wolf, Jr.
[email protected]
Fri, 19 Sep 2003 02:45:30 -0500

Virus Masquerades as Microsoft E-Mail
By Dennis Fisher
September 18, 2003

A new mass-mailing virus is on the loose on the Internet, this one
masquerading as a message from Microsoft Corp. about a cumulative security
patch. Known as either Swen or Gibe, the virus is mainly found in Europe
right now, but anti-virus experts say it has the potential to spread
quickly and widely.

Like some other recent worms and viruses, Swen attempts to spread through
several different methods, including peer-to-peer file sharing networks
and IRC channels. It takes advantage of a two-year-old flaw in Microsoft
Outlook and is capable of automatically executing the infected attachment
once the message is opened.

Swen arrives in an e-mail message with a subject line of "Microsoft
Critical Patch" and an executable attachment with a random file name. The
message body itself is a somewhat realistic-looking HTML message that
includes Microsoft's logo and links to the company's Web site. The body
instructs the user to install the included attachment, which is described
as the "February 2003, Cumulative Patch" for Outlook, Outlook Express and
Internet Explorer.

The virus then copies itself to the folder used to share files on the
Kazaa network, if it exists on the infected machine. Swen applies names to
the infected files in the Kazaa folder that make the files appear to be
patches for other viruses, such as Bugbear and SoBig, according to an
analysis of the virus by iDefense Inc., in Reston, Va.

Swen was first discovered early Thursday morning and has yet to make much
of a mark in North America. But, rare is the mass-mailing worm that goes
away quietly without enticing a few thousand people into opening the
infected e-mail.
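
Added example (not part of the original article or post): a mail-filter check, in Python, for the message traits the article describes, namely the patch-themed subject, an HTML body and an executable attachment whose name is random. The extension list, trait names, function names and both sample messages are assumptions constructed for illustration.

```python
import os
from email import message_from_string, policy

# Assumed list of attachment extensions that run directly on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}

def lure_traits(raw_message):
    """Return the set of traits from the article that the message shows."""
    msg = message_from_string(raw_message, policy=policy.default)
    traits = set()
    subject = str(msg.get("Subject", "")).lower()
    if "microsoft" in subject and "patch" in subject:
        traits.add("ms_patch_subject")
    for part in msg.walk():
        # The file name is random, so only its extension is a usable signal.
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
            traits.add("exe_attachment")
        elif part.get_content_type() == "text/html":
            traits.add("html_body")
    return traits

def should_quarantine(raw_message):
    # Hold mail that pairs the patch-themed subject with an executable.
    return {"ms_patch_subject", "exe_attachment"} <= lure_traits(raw_message)

# Constructed sample messages (not captured traffic).
LURE = """\
Subject: Microsoft Critical Patch
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>Install the attached cumulative patch.</body></html>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="qwkzt.exe"

placeholder
--b1--
"""
NEWSLETTER = """\
Subject: Microsoft patch summary for September
Content-Type: text/plain

No attachments here.
"""

if __name__ == "__main__":
    print(sorted(lure_traits(LURE)), should_quarantine(LURE))
```

The plain-text newsletter matches the subject rule alone and is not held, which shows why the subject match is combined with the attachment check rather than used by itself.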