Microsoft "Swen" Worm Squiggles Into Sight 789

greenhide writes "As forecast in this story, a new Microsoft worm has indeed wriggled to the surface. The W32.Swen's claim to fame is its professional looking email advertisement that pretends to be a fake Microsoft patch. Earlier viruses have made the claim, but none of them looked this good. It appears to have infected over 1.5 million machines."

  • it also mines usenet (Score:5, Informative)

    by poptones ( 653660 ) on Saturday September 20, 2003 @06:23PM (#7013816) Journal
    I have never had a virus sent to my home machine because I jealously protect my email domain (every individual gets an email address and if it leaks they never hear from me again). Most commercial sites even seem to respect this. But I made a "junk" address for groups.google.com and, although I have only posted through there a couple of times many months ago, the virus found this address. Apparently it is also crawling usenet, or at least the groups served by google.

    Five of 'em in one day. Of course, the rest will go into the trash automatically, but it was an interesting experience finally catching a taste of the "commoner" internet.

  • Re:Heh (Score:1, Informative)

    by Anonymous Coward on Saturday September 20, 2003 @06:25PM (#7013832)
    "Users whose PCs are not patched against the Microsoft flaw this worm exploits will be infected just by viewing the message, as will protected users who click on the e-mail attachment."

    --> http://www.mozilla.org
  • Old idea new spin (Score:4, Informative)

    by Stonent1 ( 594886 ) <stonentNO@SPAMstonent.pointclark.net> on Saturday September 20, 2003 @06:31PM (#7013875) Journal
    This type of trojan has been around for a while. I've been getting fake MS e-mails for almost a year now. Official Microsoft statement that we give people on the phone: "Microsoft never sends you files via e-mail unless you are on the phone with support personnel and they specifically say they are e-mailing you something." 99.99999999% of the time, if MS e-mails you it will only direct you to their site to READ about the purpose of the patch and then download it. Also all MS security bulletins are digitally signed.
  • 80+ (Score:2, Informative)

    by craig2787 ( 533589 ) on Saturday September 20, 2003 @06:31PM (#7013876) Journal
    I've gotten this over 80 times now. It has a few typos though, so falling for it would be dumb, to the point where if you did, you deserve it.
  • by Stonent1 ( 594886 ) <stonentNO@SPAMstonent.pointclark.net> on Saturday September 20, 2003 @06:34PM (#7013890) Journal
    Network Associates has some screenshots of the installer http://vil.nai.com/vil/content/v_100662.htm [nai.com]
  • by KidSock ( 150684 ) on Saturday September 20, 2003 @06:34PM (#7013891)
    It's a very good idea these days to just reject all executable attachments at "the gates" so to speak. I use postfix 1.1 so I added:

    body_checks = pcre:/etc/postfix/mime_header_checks

    to /etc/main.cf where the file referenced came from here:

    http://www.securitysage.com/files/mime_header_checks [securitysage.com]

    but there are many regular expression filters like this one. Note, with 2.x you need to use the 'mime_header_checks' directive rather than 'body_checks'.

    If you want to send someone an executable, send it to them in a zip or tar.gz.
  • Re:Huh? (Score:5, Informative)

    by WhiteBandit ( 185659 ) on Saturday September 20, 2003 @06:36PM (#7013902) Homepage
    Um no. You could defend against the RPC worm a variety of ways.

    1.) Applying the patch
    2.) Using *any* software firewall. Even WinXP's own firewall. ZoneAlarm is trash in my opinion. But it isn't your only protection.
    3.) Using a hardware firewall which blocks the RPC port anyway.

    The only defense is to stay vigilant and be smart about computers. Just because someone is using linux doesn't make it secure. No matter what Operating System you are on, you have to be somewhat proactive in protecting your computer.
  • by prandal ( 87280 ) on Saturday September 20, 2003 @06:38PM (#7013911)
    It uses the exploit described in MS01-020 [microsoft.com]. Reading it or viewing it in Outlook's "Preview Pane" will execute it on vulnerable systems. I've had about 20 copies reach my home email address - that's the worst I've ever seen.
  • by rossz ( 67331 ) <ogre&geekbiker,net> on Saturday September 20, 2003 @06:40PM (#7013923) Journal
    If you are running Exim 4.x, get the Exiscan patch and configure it to refuse (at the connection) dangerous attachments. Here's what to add to your acl_smtp_data section:

    # First unpack MIME containers and reject serious errors.
    deny message = This message contains a MIME error ($demime_reason)
         demime = *
         condition = ${if >{$demime_errorlevel}{2}{1}{0}}

    # Reject typically wormish file extensions. There is almost no
    # sense in sending such files by email.
    deny message = This message contains an unwanted file extension ($found_extension) that is commonly used to send viruses and worms. If this file is expected and desired by the recipient, you must put it in a zip or other standard archive format.
         demime = ade:adp:bas:bat:chm:cmd:com:cpl:crt:exe:hlp\
                  :hta:inf:ins:isp:js:jse:lnk:mdb:mde:msc:msi:msp:mst\
                  :pcd:pif:reg:scr:sct:shs:shb:url:vb:vbe:vbs:wsc:wsf:wsh

    The advantage to refusing attachments here is you won't generate a bounce message that will almost always end up going to an innocent third party since the viruses/worms usually forge the headers.

    I'm sure there is an equivalent fix for sendmail. If you are running MS Exchange, the best way to fix your server is by taking a knife to its network cable.
  • by Anonymous Coward on Saturday September 20, 2003 @06:43PM (#7013941)
    Some guy tracked the hidden counter inside the virus and posted the numbers: http://smharr4.dnsalias.net/security/index.html [dnsalias.net] Pretty neat.
  • by Anonymous Coward on Saturday September 20, 2003 @06:47PM (#7013965)
    Plenty of English words that end in us are pluralized with an i, not just Latin words.

    For example: stimulus -> stimuli
    syllabus -> syllabi

    The plural of virus, however, is viruses.
  • by menscher ( 597856 ) <menscher+slashdotNO@SPAMuiuc.edu> on Saturday September 20, 2003 @06:49PM (#7013977) Homepage Journal
    The story was forecasting a worm that would infect Windoze boxen via a second RPC DCOM vulnerability. Swen is an email virus, and, while nasty, is nothing like the worm that was being forecast.

    A little reading comprehension would help, guys. There's a big difference between an annoying virus that gives you lots of email and a worm that takes out the internet.

  • Re:Huh? (Score:3, Informative)

    by riscthis ( 597073 ) on Saturday September 20, 2003 @06:50PM (#7013990)
    Disable DCOM? [microsoft.com].
  • by Anonymous Coward on Saturday September 20, 2003 @06:58PM (#7014028)
    Some people call it a worm-virus [viruslist.com]. It requires user intervention to execute, but once executing, does not require further user intervention to spread (like sending around infected files) -- it has its own mail transport code and will transmit itself to other computers.
  • by StarHeart ( 27290 ) on Saturday September 20, 2003 @06:59PM (#7014035)
    In classic Microsoft style it is hidden under a non-obvious name. Try Personalize Windows Updates. I just learned about it the other day from a co-worker.
  • by dissy ( 172727 ) on Saturday September 20, 2003 @07:01PM (#7014048)
    > And on another issue, where's the button in Windows Update that says, "I don't
    > want to add this patch ever, so stop bothering me!"?

    On the Windows Update page after it scans for files to download, on the left hand side is a link called "Personalize Windows Update".
    In there it lists all patches not yet installed but listed.
    Turn off the checkbox for any of them you don't want to see.

    Have fun.

  • Re:Wow (Score:5, Informative)

    by NanoGator ( 522640 ) on Saturday September 20, 2003 @07:17PM (#7014132) Homepage Journal
    "I suggest all Windows users go to http://www.knoppix.net/ and burn the CD."

    I know this is marked as funny, but Knoppix is pretty damn useful. I've never particularly liked Linux, but I can tell you that my respect for that OS went way up after trying Knoppix out. I burned a couple of copies to keep around the office in case something like a worm lays waste to the network.

    On a side note, it'd be nice if other Linux distros paid more attention to how Knoppix works. It auto-detects everything and doesn't require an install. Just pop in the disc, have it copy a few files over as read-only, and reboot. System corrupt? No prob, just copy the disc over again.
  • by Population ( 687281 ) on Saturday September 20, 2003 @07:21PM (#7014156)
    Seems to me that certain moderators don't have any idea what security means.

    Windows has a lot of viruses because it is so easy to execute a program and infect the operating system.

    The more restrictions you put on that access, the more difficult you make it for a virus to spread.

    Unless you're running as root, 99% of Linux users have nothing to worry about from viruses. The viruses cannot effectively spread themselves. That is why the "Linux viruses" you see are only in the labs of the anti-virus vendors.

    It doesn't matter how many people are writing how many viruses.

    All that matters is whether a virus can infect and spread.

    A well designed operating system security model will prevent the infection.

    If the infection is prevented, the virus cannot spread.
  • That is a "trojan". (Score:4, Informative)

    by Population ( 687281 ) on Saturday September 20, 2003 @08:22PM (#7014474)
    If you run an app and it does that, then it is a "trojan". No operating system will ever be free of trojans.

    But trojans have trouble spreading themselves. Anyone can write a Linux trojan (cd ~ ; rm -R), but it will not spread far. While you may think that the damage is bad because it happened to your machine, you represent less than 1/10,000,000'th of the total.

    More people will have lost data because of hard drive failure than lose data because of Linux viruses or trojans.

    Yes, if a hole is found in pine or mutt or Evolution that allows email viruses such as you describe, then email viruses such as you describe can be written for that application.

    But an exploit for pine would not affect someone running mutt or Evolution.

    Linux has a better designed security system than Windows does.

    A hole in one application will only affect those people running that application and it will have to find some way of spreading to those people.

    Without the means of spreading, the virus will be contained.

    Without the ability to infect machines it has contact with, the virus will be contained.

    Which is why there aren't any Linux viruses in the wild. Not because people aren't writing them. But because they cannot spread the infection.
  • Norton Ghost (Score:4, Informative)

    by KalvinB ( 205500 ) on Saturday September 20, 2003 @08:41PM (#7014573) Homepage
    After installing any system it's an excellent idea to use Norton Ghost (free with Soyo and possibly other MBs) to image the system. Then, if anything bad happens or if you just want to move the OS to a new drive, you just blast it over and 30 minutes later or less you're up and running as though nothing changed.

    My 2000 system was on an old 2GB drive that was about to fail and with ghost I was up and running much faster on a 13GB drive in less than an hour. I also have an image of my web-server's OS/app drive in case it ever fails.

    Knoppix and what I do is basically what prebuilt system manufacturers have been doing for years. It's just that HP, et al, add a lot of crap to the image.

    Ben
  • Re:Wow (Score:2, Informative)

    by wang33 ( 531044 ) * on Saturday September 20, 2003 @08:41PM (#7014580) Homepage
    Actually the worm exploits an Outlook security flaw to run itself. [symantec.com] That's how I got infected at work :-( damn Outlook and your wonderful autopreview feature.

    wang33
  • Re:Huh? (Score:3, Informative)

    by AstroDrabb ( 534369 ) on Saturday September 20, 2003 @09:03PM (#7014684)
    Yup, Lindows is crap. Lindows would be open to all sorts of attacks if it ever became popular. As far as SuSE goes and Red Hat as well, they prompt you for the root password when you need to run certain programs as root. This doesn't work with just any program, only a few administrative type programs. It also does not "save" the root password, it caches that you successfully entered the password and won't prompt you again for 2-5 minutes, similar to sudo. Though again, this is only for a handful of administrative programs so a user can admin their PC without needing to log in as root.
  • by cscx ( 541332 ) on Saturday September 20, 2003 @09:30PM (#7014808) Homepage
    Actually the latest Outlook doesn't even allow you to save an .exe unless you turn the filtering off (setting in the registry).
  • Swen (Score:4, Informative)

    by tiny69 ( 34486 ) on Saturday September 20, 2003 @09:31PM (#7014814) Homepage Journal
    I first saw the virus on the evening of the 18th. Running 'strings' on the attachment turned up two URLs.

    GET http://ww2.fce.vutbr.cz/bin/counter.gif/link=bacillus&width=6&set=cnt006 HTTP/1.0
    ww2.fce.vutbr.cz

    The first was a counter. At the time I checked it had well over a million hits and was going up FAST. At the time I'd been hit by about 20 copies of the virus. The next morning the counter was taken down and replaced with a warning. At that time I'd been "hit" over 70 times by the virus.

    There seem to be variations to the emails that contain the virus. The main one is a 160K email that contains an attachment with a content type of Application/X-MSDOWNLOAD. The second is about 148K in size and the attachment has the content type of Audio/X-WAV. There are some emails that are 16K in size but the attachment is a zero length file. I've also been getting emails claiming to be "bounces" from Yahoo and other ISPs saying I'm trying to send a virus infected email to someone. But the Received lines show that the email is not from Yahoo. So far I've received over 170 of these damn things.

    Then there are all of the real ISPs who are not helping the problem. I keep getting warnings claiming that someone I don't know tried to send me an email with a virus. Thank you, but your anti-virus software just sent out a useless email and just accomplished one of the goals of Swen, to clog up email servers. Send an email to the moron who is currently infected and stop sending out thousands of emails telling everyone else about it.

    This may sound harsh, but I'm really hoping the next big Microsoft worm or virus will disable the infected computers.
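
An added example that is not part of the original thread and was not posted by KidSock, rossz or tiny69: a small Python attachment filter that puts their three posts together. It rejects the file extensions from the Exim ACL above (the same list, no additions), and it also catches the disguise tiny69 describes, where the declared content type is Audio/X-WAV but the attachment bytes are a Windows executable, which a content-type or extension rule alone would pass. The sample messages are constructed here; the sender address, filenames, and the helper names attachment_verdicts, should_reject and build_sample are assumptions, not anything from the thread.

```python
import email
from email import policy
from email.message import EmailMessage

# Extension list copied from the Exim ACL posted in the thread; nothing added.
BLOCKED_EXTENSIONS = {
    "ade", "adp", "bas", "bat", "chm", "cmd", "com", "cpl", "crt", "exe", "hlp",
    "hta", "inf", "ins", "isp", "js", "jse", "lnk", "mdb", "mde", "msc", "msi",
    "msp", "mst", "pcd", "pif", "reg", "scr", "sct", "shs", "shb", "url", "vb",
    "vbe", "vbs", "wsc", "wsf", "wsh",
}


def attachment_verdicts(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for every attachment that should cause a reject."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue                      # container, not a leaf part
        filename = part.get_filename()
        if not filename:
            continue                      # inline body text, no attachment
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((filename, f"blocked extension .{ext}"))
            continue
        payload = part.get_payload(decode=True) or b""
        # The declared Content-Type is sender-controlled (Swen used both
        # Application/X-MSDOWNLOAD and Audio/X-WAV), so look at the bytes:
        # Windows PE executables start with the "MZ" signature.
        if payload[:2] == b"MZ":
            findings.append(
                (filename, f"executable payload declared as {part.get_content_type()}")
            )
    return findings


def should_reject(raw: bytes) -> bool:
    """Reject at SMTP DATA time, as the Exim post recommends, so no bounce is generated."""
    return bool(attachment_verdicts(raw))


def build_sample(filename: str, content_type: str, payload: bytes) -> bytes:
    """Construct a test message with one attachment (constructed sample, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "MS Security Center <fake-sender@example.invalid>"  # constructed, forged-style sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Latest Internet Security Pack"
    msg.set_content("Install this patch immediately.")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("patch.exe", "application/x-msdownload", b"MZ\x90\x00fake-pe-header"),
        build_sample("update.wav", "audio/x-wav", b"MZ\x90\x00fake-pe-header"),
        build_sample("report.zip", "application/zip", b"PK\x03\x04not-a-real-zip"),
    ]
    for raw in samples:
        print(should_reject(raw), attachment_verdicts(raw))
```

The zip sample passes, which matches KidSock's advice that executables people genuinely need to exchange should travel inside an archive; what this filter deliberately does not do is look inside archives, so anything more than the thread's extension-plus-signature rule needs a real content scanner.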

  • Re:Huh? (Score:3, Informative)

    by mad flyer ( 589291 ) on Saturday September 20, 2003 @10:57PM (#7015177)
    -install XP -ok
    -reboot
    -install SP1 and after patch -ok
    -reboot
    -install ATI all in wonder drivers -ok
    -reboot
    computer farked to death...

    so:

    -install XP -ok
    -reboot
    -setup the video driver to "standard vga adapter"
    -install ATI All in Wonder drivers (ati version not microsoft)
    -install SP1 and after patch -ok
    -reboot
    -update ATI all in wonder drivers -ok
    -reboot
    -install Battlefield 1942
    -update Battlefield
    -install Road to Rome
    -update Road to Rome
    -install Thrustmaster tactical board driver
    -reboot
    -computer screwed...

    go back to line one, change order ad vitam aeternam...
    Maybe one day I will be able to play this game... seemed to be nice on the pictures of the box...
    Actually I'm having a lot of fun with the GBA... insert cartridge... oops, remove cartridge, flip over and insert cartridge in the good direction, turn on, play... eat chips, drink coke, and watch TV at the same time...

    By the way, having an uptime of six weeks on an XP box means you didn't patch it for 6 weeks, which is between irresponsibility and plain stupidity... have fun while you can, stop trolling and remove your keyboard from the TV, you're not funny anymore.
  • Re:Wow (Score:4, Informative)

    by dakryx ( 646923 ) <dakryx@gmail.com> on Sunday September 21, 2003 @12:03AM (#7015450)
    Would you believe that some people don't have administrative privileges on their computers at work? That means they can't patch it themselves, so don't go calling people names all willy nilly.
  • Re:Norton Ghost (Score:4, Informative)

    by berzerke ( 319205 ) on Sunday September 21, 2003 @12:51AM (#7015602) Homepage

    Norton Ghost is not Free Software. Are there not any OSS alternatives to Ghost??

    Well, there is partimage [partimage.org]. However, I still find I prefer a tar gz ball. This way different partition sizes don't matter as they do with ghost and partimage. More work on the setup though. BTW, ghost has the same NTFS problems partimage does. Knoppix includes partimage.

  • Re:Huh? (Score:4, Informative)

    by DJayC ( 595440 ) on Sunday September 21, 2003 @12:52AM (#7015617)
    2.) Using *any* software firewall. Even WinXP's own firewall. ZoneAlarm is trash in my opinion. But it isn't your only protection.

    Agreed. I have found that Kerio Personal Firewall has been great. It's also free for non-commercial use.. good stuff. Everyone should use a firewall as it really would protect them from just about every one of these worms.
  • Re:Wow (Score:3, Informative)

    by Geek of Tech ( 678002 ) on Sunday September 21, 2003 @01:34AM (#7015793) Homepage Journal
    Thanks Overly Critical Guy (663429)!

    +1 (Informative) for catching the goof in the summary.
    -1 (Troll) for not reading the article. According to it (of course, they could be wrong)... "Swen represents a high level of sophistication in its ability to execute code automatically"... and "Users whose PCs are not patched against the Microsoft flaw this worm exploits will be infected just by viewing the message, as will protected users who click on the e-mail attachment"....

    For an overall +/- 0.
