[W1SMH] Another (Groan) Computer Virus!

David Bodman [email protected]
Fri, 19 Sep 2003 11:51:27 -0400


Woody's WINDOWS Watch


Woody Leonhard has a warning about the latest virus pretending to come from
Microsoft ...
19 September 2003 - Vol 6 No. 19


Avoiding Swen




Well, it's a day ending in the letter 'y' so it must be time for another
security scare.

We don't send an issue for every one of these nasties but this one has
prompted a lot of questions from readers in the last 12 hours and appears to
come from Microsoft so we decided it deserved a special note to Woody's
Windows Watch readers.

This one goes by the name of W32.Swen.A@mm and while the software itself
isn't anything particularly new, the format of delivery is.


Getting Swen


What's attracted so much attention and so many questions is the way this virus
arrives.  It generally comes disguised as a message purporting to be from
Microsoft.  Unlike previous attempts (which were plain text and primitive),
this one is HTML formatted to look like the MS web site design, right down to
links to the real Microsoft web site.  It's similar in concept to the
'phishing' messages apparently from Paypal or banks that we've been warning
you about <http://www.woodyswatch.com/windows/archtemplate.asp?6-17>.

The trick is that there's a phony patch attached to the message.  We've
warned readers about this before but based on questions we've been getting
the word hasn't got through:


Microsoft does NOT send software updates via email!!!


No reputable company would do it these days if for no other reason than you
can't tell the difference between real and fake patches.  Companies may send
out warnings and suggestions that you update your computer but the updates
themselves are separately downloaded from the company's web site. In
Microsoft's case it's via the Windows Update system.

However it is done, it is NEVER by sending a patch as an email attachment.
Any email you get that claims to be from Microsoft, however sincere it might
look, is bogus if it has an attachment.

As well as the fake Microsoft notice, Swen can also arrive as a fake mail
delivery notice with a message like "I'm sorry I wasn't able to deliver your
message to one or more destinations" plus an infected attachment.

We've not included a copy of the fake message here but the online version of
this issue has a copy - click
<http://www.woodyswatch.com/windows/archtemplate.asp?6-19> here.  The exact
wording of the From and Subject lines does vary.

It can also be distributed via Kazaa shared folders (using a variety of file
names), IRC, network shares and some newsgroups.
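The delivery pattern described above, written out as a triage rule that can be
run over a mailbox.  This is an added example, not code from Woody's Watch or
from the original post; the three sample messages, their sender addresses,
subjects and attachment names are constructed for illustration, and the rules
encode only the advice in this issue (no vendor ships a patch as an
attachment; a bounce notice never carries an executable):

```python
"""Flag mail that matches the Swen delivery pattern described above.

Added example, not code from Woody's Watch or the original post.  The
sample messages are constructed for illustration; the rules encode only
the newsletter's own advice: a vendor never ships a patch as an attachment,
and a delivery-failure notice never carries an executable.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click; a "patch" arriving with one of
# these is the tell-tale sign.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program"}
# Wording of the fake bounce quoted in the newsletter plus common variants.
BOUNCE_PHRASES = ("wasn't able to deliver", "undeliverable", "delivery failure",
                  "returned mail")


def attachment_names(msg):
    """Filenames of all non-body parts (inline text is not an attachment)."""
    return [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]


def executable_attachments(msg):
    """Subset of attachments that Windows would execute if opened."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in EXECUTABLE_EXTS or part.get_content_type() in EXECUTABLE_TYPES:
            found.append(name or "<unnamed>")
    return found


def claims_vendor(msg, vendor="microsoft"):
    """True if the (easily forged) From: header mentions the vendor."""
    return vendor in (msg.get("From") or "").lower()


def looks_like_bounce(msg):
    """True if Subject: or body reads like a mail delivery failure."""
    subject = (msg.get("Subject") or "").lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    return any(p in subject or p in text for p in BOUNCE_PHRASES)


def triage(raw):
    """Return the reasons to delete a raw RFC 822 message; [] means none matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    execs = executable_attachments(msg)
    if claims_vendor(msg) and attachment_names(msg):
        reasons.append("claims to be from Microsoft yet carries an attachment")
    if execs:
        reasons.append("executable attachment: " + ", ".join(execs))
    if looks_like_bounce(msg) and execs:
        reasons.append("delivery-failure notice with an executable attached")
    return reasons


def build_sample(sender, subject, text, filename, html=False):
    """Assemble a constructed sample; the attachment is a stub, not malware."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.net"
    m["Subject"] = subject
    m.set_content(text, subtype="html" if html else "plain")
    m.add_attachment(b"MZ stub bytes, constructed", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples (hypothetical addresses, subjects and filenames).
SAMPLE_FAKE_PATCH = build_sample(
    '"MS Security Center" <security@microsoft.com>',   # forged From: header
    "Latest Microsoft Critical Update",
    "<p>Install the attached cumulative patch now.</p>", "Q392110.exe", html=True)
SAMPLE_FAKE_BOUNCE = build_sample(
    "Mail Delivery Subsystem <postmaster@mail.example.net>",
    "Undeliverable mail",
    "I'm sorry I wasn't able to deliver your message to one or more destinations.",
    "message.pif")
SAMPLE_LEGIT = build_sample(
    "Alice <alice@example.net>", "Q3 report", "Report attached.", "report.pdf")

if __name__ == "__main__":
    for label, raw in (("fake patch", SAMPLE_FAKE_PATCH),
                       ("fake bounce", SAMPLE_FAKE_BOUNCE),
                       ("legit", SAMPLE_LEGIT)):
        print(label, "->", triage(raw) or ["keep"])
```

The From: check is deliberately weak on purpose: the header is forged, so it is
only used to catch the contradiction the newsletter points at (a vendor name
plus an attachment), never to trust a message.  The executable-extension list
is a starting point; extend it to whatever your mail gateway actually lets
through.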


If you get such a message - delete it.


Simple as that - hit the DEL key and get on with your life.

The FROM: address is faked, so there's no point warning the sender.  Don't
waste your time notifying Microsoft either: they know already, and in any
event there's little they can do.

  _____


About Swen


W32.Swen.A@mm isn't that clever but, like many of these variants, it spreads
because of the way it is disguised.

But it does have some points of interest.  If it runs on a computer it will
try to protect itself by disabling some anti-virus programs that might be
running.  Swen also disables access to the Registry Editor.

If infected you may also see a fake MAPI error message that asks for various
email details.

But there's nothing technically new.  The standard precautions that we and
everyone else have been recommending will protect you, in short:

*	Have an up-to-date antivirus package.  Set it to scan regularly and
also monitor what happens on your computer.
In this case 'up-to-date' means get the most recent update now -- they've
probably been revised in the last 24 hours due to Swen.

*	Don't open email attachments unless you're very sure what they are
and who they come from.  This is a no-brainer for most people because recent
versions of Outlook block such attachments. While this can be annoying, it
does have advantages.


More information


As usual, Symantec has done a good job of going into the details of the
attack.  Much more information than most people will ever need is here
<http://securityresponse.symantec.com/avcenter/venc/data/[email protected]>.

There are some suggestions for blocking ports using a firewall to prevent
future attacks, and that's tempting to do in the heat of the moment.  However,
those ports can be necessary for you to do your work, so make sure you know
what you're doing.