September 22, 2003
Old Worms, New Attack: the Swen virus is a renamed Gibe version taking advantage of a Windows flaw resolved in March 2001!
This week stay alert for a new version of an old virus. W32/Swen.A-mm (W32/Gibe.F-mm, W32/Swen.A-mm, W32/Gibe@mm, WORM_GIBE.A, W32/Gibe-A, I-Worm.Gibe, W32/Gibe.A@mm, Win32.Gibe.A, W32/Gibe@MM) exploits a legacy Internet Explorer, Outlook Express and Outlook vulnerability for which an update was released in March 2001.
The virus seems to have originated in Slovakia, but has since spread across the US (46%), the UK (13%) and the Netherlands (7%). As this re-infection shows, most users in corporate Europe and the US have yet to upgrade to a more secure version of Windows or to patch their computers regularly. The re-infection also unmasks the efficacy (or rather the lack of it) of corporate security programs!
The virus-infected mail pretends to be a Microsoft security alert containing a cumulative patch as an attachment. For those even slightly aware of Internet security, this is a strict no-no: software vendors never send file attachments with email alerts. You always have to visit a URL to download an update.
This Gibe virus variant also spreads through IRC (networks used for chat, where most users and client applications have near non-existent security) and through P2P (peer-to-peer networks, used most commonly for music file sharing). The virus also enables file sharing, creating a shared folder into which it saves multiple infected copies of itself under different (spoofed) filenames that pretend to be virus removal software!
Although most anti-virus programs automatically detect this virus strain, which first surfaced in early 2002, it's better to play safe and avoid opening any email file attachments, even when they arrive from a person or mail address that you recognize.
Make sure to let everyone you correspond with -- at home and at work -- know that files attached to mail messages should be compressed (e.g. Zip, Rar, Sit formats) with a descriptive name that's exactly 8 characters long. That way you can view the entire file name and choose to open/save the attachment or delete it. As a rule, I save all attachments received to a distinct folder, scan them and only then consider opening them. And that's just for non-executable files. Executable ones are deleted on sight.
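The attachment rules above (no attachments on vendor alerts, compressed files only, executables rejected) can be written as a small mail triage check. This is an added example, not part of the original post; the extension lists, the alert keywords, the function names and the sample messages are all assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: extensions treated as directly executable on Windows.
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Archive formats the article recommends for legitimate attachments.
ARCHIVE_EXT = {".zip", ".rar", ".sit"}
# Assumption: header words suggesting the mail poses as a vendor update.
ALERT_WORDS = ("security", "patch", "update")


def triage(raw):
    """Return a list of findings for one raw RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    header_text = f"{msg['From']} {msg['Subject']}".lower()
    claims_alert = any(word in header_text for word in ALERT_WORDS)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        # Only the last extension counts, so "readme.txt.exe" is ".exe".
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXECUTABLE_EXT:
            findings.append(f"executable attachment: {name}")
        elif ext not in ARCHIVE_EXT:
            findings.append(f"uncompressed attachment: {name}")
        if claims_alert:
            # Vendors publish updates at a URL, not as attachments.
            findings.append(f"attachment on a claimed vendor alert: {name}")
    return findings


def build_sample(sender, subject, filename):
    """Build a constructed test message with one attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.test", subject
    m.set_content("See attachment.")
    m.add_attachment(b"constructed payload", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    fake_alert = build_sample("Security Bulletin <alert@example.test>",
                              "Cumulative Patch", "patch.exe")
    for finding in triage(fake_alert):
        print(finding)
```
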
There may be a second Internet-wide virus-induced shutdown this week, caused by a new version of the Blaster worm. While Microsoft issued an RPC update last week, many users and administrators may be slow to update their systems. I also recommend installing Steve Gibson's DCOMbobulator (29 kB, Windows, free), a revised version of which was released last week. This tests if DCOM is enabled and can block the service. It can also check (requires Internet connection) if Port 135 is in an open or closed state.
Microsoft is also taking the security issues seriously, with a dedicated Security & Privacy web site. This contains step-wise guides to common security issues. There's also a free tool that can check if Windows Update's auto-patch feature has been enabled and is working. Of course, to use this auto-notification service, Windows 2000 needs Service Pack-3 or later installed.
The weekend saw some more software releases. A landmark is MyIE2 v8 Final (Build 0.8.2038), which includes several bug fixes and resolves OS incompatibility problems, especially with Windows 2003 (Server). Opera 7.20 Beta 13 was also released for public testing. This ongoing public Beta sequentially fixes problems detected in previous builds. The Beta process is going to extend for a while because Opera 7.20 is a from-the-ground-up build that doesn't use any legacy code.
Also new this week is Trend Micro's Internet Security Beta 2. This suite includes a virus scanner with a mail (POP/SMTP/IMAP/Web mail) scanner, a spam detector with custom white listing, a firewall, URL blocking and more. A full review will be available next week.
That wraps up this week, so until next time.