Win32.Swen.A, a variant of the Gibe worm, poses as a Microsoft security patch, said Ken Dunham, malicious code intelligence manager at iDefense. It has been intercepted in 66 countries so far, with well over 30,000 interceptions within the first 24 hours noted on public tracking sites. The worm has gained a solid foothold in the US, UK and the Netherlands.
"What's unique about this is that the older one was written in Visual Basic, and this newer worm is a lot more complicated - it is highly randomised and is written in C," Dunham said, warning that the changes make the worm more difficult to detect and filter out manually.
At present, the worm is primarily e-mail based, but Swen can also spread through peer-to-peer and Internet Relay Chat.
"When it's done, it might also display a screen that's very official looking that tells users they may lose functionality of Outlook and Outlook Express unless you fill in certain information like your server name, your POP3, and your account name and password," he said.
"Once that information is submitted, it doesn't go to Microsoft or anybody else other than the attacker. So they're acquiring a wide variety of e-mail information and that sort of thing that they might want to use in a further attack or to further compromise the affected computers."
Helsinki-based security company F-Secure rated the worm as a "Level 2" threat, with the potential for a large number of infections.
Computer Associates, in a statement on its website, gave the Win32.Swen.A worm a "low" rating for destructiveness, but described it as "high" for pervasiveness.Linda Rosencrance writes for Computerworld