Virus Masquerades as Microsoft E-Mail

UPDATE: Virus spreading steadily Friday afternoon and making inroads in the United States after causing headaches in Europe for the last couple of days.

A new mass-mailing virus is on the loose on the Internet, this one masquerading as a message from Microsoft Corp. about a cumulative security patch. Known as either Swen or Gibe, the virus is mainly found in Europe right now, but anti-virus experts say it has the potential to spread quickly and widely.

Like some other recent worms and viruses, Swen attempts to spread through several different methods, including peer-to-peer file sharing networks and IRC channels. It takes advantage of a two-year-old flaw in Microsoft Internet Explorer and is capable of automatically executing the infected attachment once the message is opened.

Swen arrives in an e-mail message with a subject line of "Microsoft Critical Patch" and an executable attachment with a random file name. The message body itself is a somewhat realistic looking HTML message that includes Microsofts logo and links to the companys Web site. The body instructs the user to install the included attachment, which is described as the "February 2003, Cumulative Patch" for Outlook, Outlook Express and Internet Explorer.

The virus then copies itself to the folder used to share files on the Kazaa network, if it exists on the infected machine. Swen applies names to the infected files in the Kazaa folder that make the files appear to be patches for other viruses, such as Bugbear and SoBig, according to an analysis of the virus by iDefense Inc., in Reston, Va.

Swen, which was first discovered early Thursday morning, was spreading steadily Friday afternoon and making inroads in the United States after causing headaches in Europe for the last couple of days.

However, it does not seem likely to rise to the level of SoBig.F, Klez or any of the other large-scale infections of the last year, experts said.

As of late Friday, MessageLabs Inc., an e-mail security company based in New York, had stopped about 36,000 copies of Swen. Although those numbers are nothing to laugh at, MessageLabs stopped nearly 30 times that many copies of SoBig.F during its first 24 hours of life. Still, the social engineering aspects of Swen, which is disguised as an e-mail coming from Microsoft Corp., are apparently drawing in plenty of victims. The virus is likely to be most successful in infecting home users, who tend to be less knowledgeable about security practices and are more apt to be duped into opening the purported patch from Microsoft.


"Reading e-mail today has certainly become the digital equivalent of a contact sport. Users are continually bombarded by spam, mailing list, hoaxes and viral messages, potentially leaving them a little punch drunk when trying to find the legitimate email amongst the malicious bits," said Ian Hameroff, eTrust security strategist at Computer Associates International Inc. in Islandia, N.Y. "Virus writers often exploit this, and thats why we see techniques like spoofed Microsoft support messages in Swen."

Anti-virus experts said Swen has an interesting characteristic that is drawing researchers attention. Every time the virus infects a new machine, it is programmed to visit a specific Web site that is nothing more than a counter that logs the number of hits the site receives. Aside from providing an idea of how many PCs have been infected, the site could also prove useful if investigators were able to get a look at the Web servers logs, said security expert Richard Smith. As of 4:30 p.m. Eastern time Thursday, the counter stood at about 810,000.

Discuss this in the eWeek forum.