A worm that passes itself off as a Microsoft security
bulletin poses a medium-to-high risk to corporate networks,
according to security company Aladdin Knowledge Systems.
Win32.Swen.A, a variant of the Gibe worm,
poses as a Microsoft security patch, said Ken Dunham, malicious
code intelligence manager at iDefense. It has been intercepted in
66 countries so far, with well over 30,000 interceptions within the
first 24 hours noted on public tracking sites. The worm has gained
a solid foothold in the US, UK and the Netherlands.
"What's unique about this is that the older
one was written in Visual Basic, and this newer worm is a lot more
complicated - it is highly randomised and is written in C," Dunham
said, warning that the changes make the worm more difficult to
detect and filter out manually.
At present, the worm is primarily e-mail
based, but Swen can also spread through peer-to-peer and Internet
Relay Chat.
"When it's done, it might also display a
screen that's very official looking that tells users they may lose
functionality of Outlook and Outlook Express unless you fill in
certain information like your server name, your POP3, and your
account name and password," he said.
"Once that information is submitted, it
doesn't go to Microsoft or anybody else other than the attacker. So
they're acquiring a wide variety of e-mail information and that
sort of thing that they might want to use in a further attack or to
further compromise the affected computers."
Helsinki-based security company F-Secure rated
the worm as a "Level 2" threat, with the potential for a large
number of infections.
Computer Associates, in a statement on its
website, gave the Win32.Swen.A worm a "low" rating for
destructiveness, but described it as "high" for pervasiveness.
Linda Rosencrance writes for Computerworld