[Dshield] New email worm...

Jon R. Kibler Jon.Kibler at aset.com
Thu Sep 18 18:47:17 GMT 2003


NAI just did an emergency release of their virus signatures due to a new email worm called W32/Swen at MM:

A few low lights from their web summary:
> Sometimes purporting to be a Microsoft Security Update, this worm is intended to
> propagate via various mechanisms: 
>  * mailing itself to recipients extracted from the victim machine 
>  * copying itself over network shares (mapped drives) 
>  * sharing itself over the KaZaa P2P network 
>  * sending itself via IRC 
> The worm is written in MSVC. Though in a different HLL, it bears similarities to
> W32/Gibe.b at MM   (original Gibe variants were written in VB).
> The worm terminates processes relevant to various security and anti-virus products

> Mail Propagation 
> The virus contains its own SMTP engine to construct outgoing messages.
> Various outgoing messages are created. Some make use of an IE exploit  to ensure
> the worm attachment is run upon viewing the email. See Microsoft Security Bulletin
> (MS01-020) . One such message bears the following characteristics:
> Subject : Returned Response
> From : Email Delivery Service (kmailengine at yahoo.com)
> Body : Undeliverable mail to (email address )

Anyway, above URL has more details.

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA

Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.

More information about the list mailing list