[Dshield] New email worm...
Jon R. Kibler
Jon.Kibler at aset.com
Thu Sep 18 18:47:17 GMT 2003
NAI just did an emergency release of their virus signatures due to a new email worm called W32/Swen@MM:
A few low lights from their web summary:
> Sometimes purporting to be a Microsoft Security Update, this worm is intended to
> propagate via various mechanisms:
> * mailing itself to recipients extracted from the victim machine
> * copying itself over network shares (mapped drives)
> * sharing itself over the KaZaa P2P network
> * sending itself via IRC
> The worm is written in MSVC. Though in a different HLL, it bears similarities to
> W32/Gibe.b@MM (original Gibe variants were written in VB).
> The worm terminates processes relevant to various security and anti-virus products.
> Mail Propagation
> The virus contains its own SMTP engine to construct outgoing messages.
> Various outgoing messages are created. Some make use of an IE exploit to ensure
> the worm attachment is run upon viewing the email. See Microsoft Security Bulletin
> (MS01-020). One such message bears the following characteristics:
> Subject : Returned Response
> From : Email Delivery Service (kmailengine at yahoo.com)
> Body : Undeliverable mail to (email address)
Anyway, above URL has more details.
Jon R. Kibler
Charleston, SC USA
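
The message traits quoted above can be turned into a mail-gateway triage check. The following is an added example, not part of the original post or of NAI's write-up. It goes one step beyond the quoted text by also flagging an executable attachment declared with an inline media type, the incorrect-MIME-header condition that MS01-020 addresses. The extension list, the media-type list and the sample message (including its addresses) are assumptions constructed for illustration.

```python
import email
from email import policy

# Traits quoted in the post for one message variant.
SUBJECT = "returned response"
FROM_NAME = "email delivery service"
BODY_MARK = "undeliverable mail to"
# Assumption: extensions treated as executable (not a list from the advisory).
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
# Assumption: declared types a mail client would render or play inline.
INLINE_TYPES = ("audio/", "image/", "video/")

def swen_indicators(raw: bytes) -> list[str]:
    """Return the names of the indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT in str(msg.get("Subject", "")).lower():
        hits.append("subject")
    if FROM_NAME in str(msg.get("From", "")).lower():
        hits.append("from")
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXT):
            hits.append("exec-attachment")
            if ctype.startswith(INLINE_TYPES):  # declared type hides an executable
                hits.append("mime-mismatch")
        elif ctype in ("text/plain", "text/html"):
            if BODY_MARK in part.get_content().lower():
                hits.append("body")
    return hits

# Constructed sample message, not a captured specimen.
SAMPLE = b"""From: Email Delivery Service <sender@example.invalid>
Subject: Returned Response
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Undeliverable mail to user@example.invalid
--b1
Content-Type: audio/x-wav; name="update.exe"

AAAA
--b1--
"""
```

The `mime-mismatch` indicator alone is a strong reason to quarantine a message; the subject, sender and body strings are specific to the one variant quoted and are better used for hunting through already-delivered mail.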