Date: Mon, 29 Sep 2003 16:51:28 -0400 (EDT)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: More Viruses Disguised As Microsoft Updates

------------------------------------------------------
MORE VIRUSES DISGUISED AS MICROSOFT PATCHES OR UPDATES
------------------------------------------------------

In a BCPL.NET News message dated 21 Aug 2003 I described a worm called
the Gibe Worm that spreads via e-mail disguised as a security update
from Microsoft Corporation. There are now two more e-mail worms in wide
distribution that use the same disguise: the Dumaru Worm and the Swen
Worm.

Judging by the number of BCPL.NET customers whose PCs have become
infected by Gibe, Dumaru and Swen, my earlier warning must not have
sunk in very well. Here it is again:

> Microsoft does not distribute patches or updates via e-mail.
> Any e-mail containing a file attachment claiming to be a
> Microsoft patch or update is not from Microsoft, and is most
> likely a worm or virus.
>
> For Microsoft's official statement on this see:
> http://www.microsoft.com/technet/security/policy/swdist.asp
>
> If you receive e-mail that appears to be from Microsoft with a
> file attachment disguised as a security patch or update, delete
> the message and do not open the file attachment!

The Swen Worm also disguises itself as an e-mail delivery error report.
The wording of the fake error report varies but is always very short,
typically similar to (but not limited to) the following examples:

Example #1:

> Hi.
>
> Undeliverable message to hkbkhstsfg@puremail.com
>
> Message follows:

Example #2:

> This is the qmail program
>
> Undeliverable to qkbqipk@america.com
>
> Message follows:

Real mail delivery error reports are almost always much longer and much
more informative. Don't let these fake error reports fool you into
opening the infected file attachment accompanying the message.

For More Information:
--------------------

I'll forego my usual detailed virus description. If you're interested,
here are links to detailed information about the Dumaru Worm and the
Swen Worm on several well-known virus information web sites:

Dumaru Worm:

  http://us.mcafee.com/virusInfo/default.asp?id=helpCenter&hcName=dumaru
  http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100560
  http://securityresponse1.symantec.com/sarc/sarc.nsf/html/w32.dumaru@mm.html
  http://www.F-Secure.com/v-descs/dumaro.shtml

Swen Worm:

  http://us.mcafee.com/virusInfo/default.asp?id=helpCenter&hcName=swen
  http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100662
  http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html
  http://www.F-Secure.com/v-descs/swen.shtml

If Your PC Becomes Infected:
---------------------------

If your PC becomes infected with Dumaru or Swen, we recommend that you
download and run the "Stinger" virus removal utility from McAfee. Use
your Web browser to go to the following URL:

  http://us.mcafee.com/virusInfo/default.asp?id=stinger

Read the instructions on that page carefully, then download Stinger and
run it on your PC.

If you downloaded Stinger at some time in the past and still have it on
your PC, it is probably too old to know how to deal with Dumaru and
Swen. You need version 1.8.6 or newer.

Also note that Stinger is virus removal software, not virus prevention
software. It is designed to detect and destroy a limited set of viruses
and worms on a PC that is already infected. It is not designed to
protect against future infections. For that you need full-featured
anti-virus software like McAfee Virus Scan or Norton AntiVirus.

--
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179 U.S.A.

CONTACTS:
--------
Web Site:                          http://www.bcpl.net
Administration & Policy:           ispadmin@bcpl.net    410-887-6180
Sales, Renewals, Account Status:   accounts@bcpl.net    410-887-4172
Technical Support (Help Desk):     help@bcpl.net        410-887-3297
Usenet News Newsgroup Requests:    news-admin@bcpl.net  410-887-6180
E-Mail & Newsgroup Abuse Reports:  abuse@bcpl.net       410-887-6180
Domain Name Service Issues:        dnsadmin@bcpl.net    410-887-6180
FAX:                                                    410-887-2091
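
The two warnings in the message above can be turned into a mail-filter heuristic. The sketch below is an added example, not part of the original newsletter or any BCPL.NET tooling; the extension list, the length cut-off, the `example.invalid` senders and the attachment file names are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Assumptions of this example, not from the newsletter: extension list and cut-off.
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".zip")
SHORT_BODY = 200  # characters; both fake reports quoted above are under 100

def build(sender, subject, body, filename=None):
    """Construct a sample message (test data only, placeholder attachment bytes)."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()

def classify(raw):
    """Return 'fake-microsoft-update', 'fake-bounce' or 'ok' for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    files = [p.get_filename() or "" for p in msg.iter_attachments()]
    if not files:
        return "ok"  # both warnings concern messages that carry an attachment
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content().strip().lower() if part else ""
    claims = f"{msg['From']} {msg['Subject']}".lower()
    # Rule 1: Microsoft does not distribute patches or updates as attachments.
    if "microsoft" in claims and any(w in claims + " " + text
                                     for w in ("patch", "update")):
        return "fake-microsoft-update"
    # Rule 2: a very short "undeliverable" notice with a runnable attachment.
    risky = any(f.lower().endswith(RISKY_EXT) for f in files)
    if "undeliverable" in text and len(text) < SHORT_BODY and risky:
        return "fake-bounce"
    return "ok"

# Constructed samples; the bounce body is Example #1 from the message above.
FAKE_UPDATE = build("Microsoft Security <security@example.invalid>",
                    "Latest Security Update", "Install the attached patch.",
                    "patch.exe")
FAKE_BOUNCE = build("Mail Delivery <postmaster@example.invalid>", "Error",
                    "Hi.\n\nUndeliverable message to hkbkhstsfg@puremail.com"
                    "\n\nMessage follows:", "message.scr")
ORDINARY = build("Alice <alice@example.invalid>", "Meeting notes",
                 "Notes attached.", "notes.pdf")

if __name__ == "__main__":
    for name in ("FAKE_UPDATE", "FAKE_BOUNCE", "ORDINARY"):
        print(name, "->", classify(globals()[name]))
```

Both rules are heuristics: a genuine but terse bounce that returns an executable attachment would also match rule 2, so a filter like this is better used to quarantine than to delete.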