Alert: Virus Masquerades as Microsoft Security Update

New worm targets old IE vulnerability.

Too good not to be true? That’s the threat from Swen, a new worm that targets a two-year-old Microsoft vulnerability. It arrives attached to an HTML e-mail cut from the same graphic design cloth as Microsoft.com and is labeled as an important security update—two more incentives for users to click on it.

Of course, Microsoft never sends security updates via e-mail. Experts believe the worm is the work of whomever created Gibe, since the two are similar.

The worm exploits a known Windows flaw; a patch has been available since March 2001. Once it infects a PC, the worm can spread via its own SMTP software, as well as through peer-to-peer and chat software.

The flaw affects versions of Microsoft Internet Explorer 5.01 and 5.5. Though anti-virus vendors updated their software to catch Swen, if a user is first infected, they may not be able to run any executable files at all. The problem arises because while the anti-virus programs can delete the executable file (installed by the worm), the registry entry for the worm can still exist. Sometimes Windows gets stuck trying to find the relevant file on the hard drive when it’s no longer there. Users affected by that problem can download a workaround from anti-virus vendors’ Web sites.

Here’s how the worm works: If a user clicks on the attachment and the system is vulnerable to the flaw, an installation box pops up, asking the user if they want to install the security update. If they click yes, they get an installation bar. If they click no, the worm proceeds with installation anyway, without notifying the user.

The worm installs a randomly named file to the hard drive and creates a registry entry for it, then makes life difficult for users, blocking any attempts to run the Regedit utility or to import REG file data. It also alters the registry of the Kazaa file-sharing program (if installed), enables file-sharing (if disabled) in the program, copies and renames several versions of itself to a hard drive on the folder, then boots and shares the folder via Kazaa. Similarly, the worm also adjusts the registry settings of Internet Relay Chat (IRC) programs, making them send copies of the worm to any people the user chats with. The worm also searches for any Windows processes with names possibly related to anti-virus software, and deactivates the processes.

From time to time, the worm scans a variety of files on the user’s computer—HTML, ASP, .EML, .DBX, .MBX, and .WAB—to harvest e-mail addresses. It can also scan online newsgroups for e-mail addresses, and e-mail itself to harvested addresses, including newsgroups.

A Microsoft security update that prevents Swen from causing havoc can be found at:http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.