FRAMINGHAM (09/18/2003) - A new worm that masks itself within fake Microsoft Corp. security bulletins poses a medium to high risk to corporate networks, according to security vendor Aladdin Knowledge Systems Inc.
The Win32.Swen.A worm quickly infects computers by disguising itself within fake Microsoft security bulletins sent to unsuspecting users, according to a statement from the Chicago-based Aladdin.
Swen, a variant of the Gibe worm, poses as a patch from Microsoft for a vulnerability against a certain virus, said Ken Durham, malicious code intelligence manager at iDefense Inc. in Reston, Va.
"What's unique about this is that the older one was written in Visual Basic, and this newer worm is a lot more complicated -- it is highly randomized and is written in C," Durham said. "So it looks like the guy reworked it, or shared the code with someone who reworked it in C and beefed up the code quite a bit to make it more difficult to detect and to filter out manually."
Durham said that, at the moment, it's primarily an e-mail worm. But Swen can also spread through peer-to-peer and Internet Relay Chat.
"When it's done, it might also display a screen that's very official looking that tells users they may lose functionality of Outlook and Outlook Express unless you fill in certain information like your server name, your POP3 stuff, and your account name and password," he said. "But once that information is submitted, it doesn't go to Microsoft or anybody else other than the attacker. So they're actively acquiring a wide variety of e-mail information and that sort of thing that they might want to use in a further attack or to further compromise the affected computers."
Helsinki-based security company F-Secure Inc. described the worm as a "Level 2" threat, with the potential for a large number of infections, although those infections could be regional.
And Islandia, N.Y.-based Computer Associates International Inc., in a statement on its Web site, gave the Win32.Swen.A worm a "low" rating for destructiveness, but described it as "high" for pervasiveness.