Virus Posing As Microsoft E-Mail Spreads Fast

Less than 24 hours after first being detected, the Swen blended-threat worm picked up steam Friday, gained a foothold in the United States and the United Kingdom, and accounted for more than 35,000 interceptions by E-mail filtering firm MessageLabs.

Swen, also called W32/Swen@MM, Gibe, and W32/Gibe-F, masquerades as E-mail from Microsoft and purports to carry a security update as its file attachment. The worm can also propagate over Internet Relay Chat and peer-to-peer files sharing networks such as Kazaa, as well as over network shares within the firewall if a machine inside a company is infected.

"It is highly effective in spreading because it looks very official and masquerades as a legitimate E-mail from Microsoft or as a fix tool for a well-known virus," said Ken Dunham, an analyst with security firm iDefense.

Most security firms reacted to the fast-spreading worm by boosting their threat levels. Symantec, for instance, increased its ranking for Swen from a "2" to a "3" on its 1-through-5 scale, while Network Associates revised its rating from "low" to "medium."

MessageLabs, a U.K.-based message filtering company, said it has detected more than 35,000 instances of the worm, which now leads all other viruses and worms in the wild.

After additional analysis, iDefense's Dunham called the new worm "eerily similar to Sobig," the worm that clogged in-boxes last month.

Not only does Swen attempt to steal confidential information from an infected computer--leading in the most dire situation to theft of E-mail and other computer account data--but it also communicates with 230 remote IP addresses, as well as to a remote Web site to track infections.

So far, the reasons why the worm communicates with the 200-some other computers isn't known.

Swen also presents problems for users who haven't deployed a 2-1/2-year-old patch for vulnerability in Internet Explorer 5.01 (but not 5.01 with SP2 installed) and IE 5.5. The vulnerability stems from a flaw in how IE handles MIME types in HTML-based E-mail. Windows systems still vulnerable to this flaw are especially at risk, since Swen exploits the security gaffe to automatically, without user intervention, execute the worm. Users who haven't rolled out this patch should do so immediately.