Swen Mass-Mailing Worm Carries Fake Microsoft Patch

Even as the industry awaited the breakout of a new Blaster-style worm and the G version of Sobig, a variation on another familiar piece of malware began making the rounds on Thursday. A virus based on the well-worn social engineering trick of making an e-mail look like it comes from Microsoft's support team started hitting user mailboxes.

Like previous viruses and worms based on the ruse, the e-mail arrives with an executable attachment that the virus authors try to pass off as a patch. This time, however, virus authors have gone to the trouble of designing a convincing HTML e-mail that resembles a Microsoft Web page. The HTML e-mail contains legitimate links to different Microsoft pages in addition to the nasty attachment.

Anti-virus vendors call the virus Swen (F-Secure), W32.Swen.A@mm (Symantec) or W32/Gibe-F (Sophos). Swen bears similarities to the Gibe.B worm discovered in February. Symantec upgraded its threat assessment for W32.Swen.A@mm to Level 3 on its severity scale Thursday evening due to an increasing volume of submissions.

The worm can arrive under a number of different subject lines and the From address varies. Once a system is infected, Swen attempts to send itself to e-mail addresses, and also attempts to spread through file sharing networks such as KaZaa and IRC. It also attempts to kill anti-virus and personal firewall systems running on a computer.

In response to similar worms in the past, Microsoft has said that it never sends security patches via e-mail.

The new virus comes at a time when IT organizations are on highest alert for new worms. Security experts expect a worm to be released any day that will exploit the critical Windows security hole Microsoft patched earlier this month with MS03-039. Also, the highly damaging Sobig.F worm expired on Sept. 10, and a Sobig.G variant is expected to hit any day.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.