Virus masked as Microsoft security patch spreads

An Internet worm, known as Swen, is spreading rapidly, with email filtering company MessageLabs reporting over 35,000 interceptions in the space of 24 hours.

The virus, also called W32/Swen.A@mm and W32/Gibe-F, is disguised as an email from Microsoft and purports to be offering the recipient a security update contained within an attachment.

A statement by security firm Symantec, which upped its threat rating from two to three on a scale of five (five being highest), said "W32.Swen.A@mm is a mass-mailing worm that uses its own SMTP engine to spread itself. It attempts to spread through file-sharing networks, such as KaZaA and IRC, and attempts to kill antivirus and personal firewall programs running on a computer.

"The worm can arrive as an email attachment. The subject, body, and From: address of the email may vary. Some examples claim to be patches for Microsoft Internet Explorer, or delivery failure notices from qmail."

Users opening the email are presented with a message that asks whether they wish to install Microsoft Security Update. According to security experts, even if the recipient clicks "No," the worm still installs itself.

According to antivirus software vendor Sophos, in the background, Swen searches your hard disk for email addresses and sends out a copy of itself to each of them. Gibe tries to switch off a range of security and anti-virus products, opening up the recipient to re-infection by older viruses.

Graham Cluley, of Sophos, commented that the worm should be easy to deal with, as Microsoft and other firms "never send out security patches by email."
