| PROBLEM: | A new worm named Swen appeared this morning masquerading as a patch for a Microsoft Windows vulnerability. The spread of the worm is being helped along by computer users who dutifully install the "patch" (the worm) and pass it on. |
| PLATFORM: | Windows |
| DAMAGE: | Helpful users install and pass on the worm. |
| SOLUTION: | 1. Keep your antivirus software up to date. 2. Do not execute attachments that you are not expecting. 3. Do not install patches received as e-mail attachments. |
| VULNERABILITY ASSESSMENT: |
The risk is HIGH. Current viruses and worms install backdoors in systems that allow remote intruders to take over and use those systems. Those uses include spying, industrial espionage, e-mail spamming, creation of porno sites, proxy servers, etc. |
A new worm named W32.Swen.A@mm appeared this morning masquerading as a patch for a Microsoft vulnerability. The e-mail appears to come from security at Microsoft and has an attached executable file that is supposed to be a patch for the vulnerability. In fact, the patch is the virus and double clicking on the patch installs the virus on your system.
A few copies managed to get into at least one site before e-mail virus scanners were updated. While this in itself is not noteworthy (we see new worms appearing almost daily) we would like to reiterate to DOE computer users three security items.
Antivirus scanners must be kept up to date. You should update your scanners on a weekly basis to ensure that you have the most up-to-date virus definitions. If you hear of a new virus making the rounds, update your antivirus definitions immediately, before reading mail or downloading any files. Most scanners can be set to automatically update themselves on a regular schedule. Don’t depend on corporate antivirus scanners to protect you, as new malicious code can sneak by them before new scan signatures are available.
One of the most common methods for the current viruses and worms to spread is as e-mail attachments. If you get an attachment from someone, even someone you know, don’t simply double click on it to see what it is. Virus scanners can miss things or be out of date for a while, such as when a new worm hits, so you must be on the alert for malicious code that gets past them.
Before opening an attachment, determine if it is a document or picture, or if it is an executable file, batch file, or script file. On Windows systems the file type is determined by the file extension. The extensions for files that can execute code are:
.ade, .adp, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .hta, .inf, .ins, .isp, .js, .jse, .lnk, .mdb, .mde, .msc, .msi, .msp, .mst, .pcd, .pif, .reg, .scr, .sct, .shs, .url, .vb, .vbe, .vbs, .wsc, .wsf, .wsh
(See the following article for more information on these types: http://office.microsoft.com/assistance/preview.aspx?AssetID=HA010550011033&CTT=6&Origin=EC010553071033)
To see file extensions, you must turn off the explorer option “Hide extensions for known file types.”
To turn it off,
Some malicious code tries to hide the file type by using a double extension. For example, mypictures.jpg.exe appears to be a picture file (.jpg). This is especially true if “Hide file extensions for known file types” is checked, in which case you will only see the .jpg extension. Be sure you can see extensions and look at the right-most extension as that is the one that is the true file type. Look also at the icon as it is determined by the file type and the application used to open that file.
The .lnk file type is always hidden, even when you uncheck “Hide file extensions for known file types.” Look at the icon displayed for the file. If it is a .lnk file the icon has a square box containing a bent arrow superimposed on the lower-left corner of the icon. For example, the following icon is a link to a spreadsheet.
You can also right click on the file and select properties. On the General tab the Type of File is Shortcut. Normally, .lnk files are links to other files but if they are executable code instead of a link, they run when double clicked.
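The following script, added here as an illustration and not part of the original advisory, applies the rules above to an attachment name: it takes the right-most extension as the true file type, checks it against the advisory's list of code-executing extensions, and flags the double-extension trick (a decoy picture or document extension in front of a code extension). The set of decoy extensions it recognizes is an assumption.

```python
# Extensions the advisory lists as able to execute code on Windows.
EXECUTABLE_EXTENSIONS = {
    ".ade", ".adp", ".bas", ".bat", ".chm", ".cmd", ".com", ".cpl", ".crt",
    ".exe", ".hlp", ".hta", ".inf", ".ins", ".isp", ".js", ".jse", ".lnk",
    ".mdb", ".mde", ".msc", ".msi", ".msp", ".mst", ".pcd", ".pif", ".reg",
    ".scr", ".sct", ".shs", ".url", ".vb", ".vbe", ".vbs", ".wsc", ".wsf",
    ".wsh",
}

# Assumed list of harmless-looking extensions used as decoys in double
# extensions such as mypictures.jpg.exe.
DECOY_EXTENSIONS = {
    ".jpg", ".jpeg", ".gif", ".png", ".bmp", ".txt", ".doc", ".xls",
    ".pdf", ".zip", ".htm", ".html",
}


def classify_attachment(filename):
    """Return (true_extension, is_executable, is_double_extension).

    The right-most extension is the one Windows uses to decide the file
    type, so that is the only one that counts. Trailing spaces are stripped
    because "photo.jpg .exe" still ends in .exe.
    """
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return "", False, False            # no extension at all
    true_ext = "." + parts[-1].strip()
    is_exec = true_ext in EXECUTABLE_EXTENSIONS
    # A decoy extension directly in front of a code extension is the
    # double-extension pattern the advisory warns about.
    inner_ext = "." + parts[-2].strip() if len(parts) > 2 else ""
    is_double = is_exec and inner_ext in DECOY_EXTENSIONS
    return true_ext, is_exec, is_double


def should_refuse_to_open(filename):
    """Policy from the advisory: never double-click a code-bearing attachment."""
    _, is_exec, _ = classify_attachment(filename)
    return is_exec


if __name__ == "__main__":
    for name in ["mypictures.jpg.exe", "report.doc", "patch.exe", "README"]:
        print(name, classify_attachment(name), should_refuse_to_open(name))
```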
Software vendors, antivirus vendors, and incident response teams (such as CIAC) do not send patches as attachments to e-mail messages. All will send messages describing the problem and then provide an online link where you can go to get and verify a patch or update. Check the link to be sure it is really the company you want to get the patch from. Better yet, type the URL for the company yourself instead of clicking on the link. We have seen links in fraudulent messages that look like the following:
http://www.paypal.com@az.ru
You might think that this is a link to www.paypal.com but it is not. In this case, www.paypal.com is the username at the az.ru site.
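To see why that link is misleading, the following check, added here as an example and not part of the original advisory, splits a URL the way a browser does: everything before the @ in the host part is a username, and the real host is what follows it. The expected domain passed in (here paypal.com, from the advisory's example) is an assumption of the caller.

```python
from urllib.parse import urlsplit


def real_host(url):
    """Host a browser actually connects to; any user:password@ prefix
    and port are dropped by urlsplit()."""
    return urlsplit(url).hostname


def link_goes_to(url, expected_domain):
    """True only if the real host is expected_domain or a subdomain of it.

    Using endswith("." + domain) also catches look-alikes such as
    www.paypal.com.az.ru, where the trusted name is only a prefix.
    """
    host = real_host(url)
    if host is None:
        return False
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def check_link(url, expected_domain):
    """Explain why a link does not go where its text suggests."""
    parts = urlsplit(url)
    if link_goes_to(url, expected_domain):
        return "ok"
    if parts.username and expected_domain in parts.username:
        # The trusted name sits in the username field, not the host.
        return "username trick: '%s' is the username, host is %s" % (
            parts.username, parts.hostname)
    return "host mismatch: host is %s" % parts.hostname


if __name__ == "__main__":
    for link in ["http://www.paypal.com@az.ru",
                 "http://www.paypal.com.az.ru/",
                 "https://www.paypal.com/"]:
        print(link, "->", real_host(link), check_link(link, "paypal.com"))
```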
As we stated in the beginning, a new worm has been seen that is entering sites via an e-mail attachment. While this is not a unique event, it is a good time to review what you should do when you receive a file with an attachment.
Remember:
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org