Sophos, a world leader in anti-virus protection for businesses,
has issued a warning of a new Windows worm, named W32/Gibe-F (also known as
Swen), which arrives as an email attachment masquerading as a
security patch.
The emails sent out by the worm include a message which is
randomly constructed from a wide range of realistic-sounding
phrases, so there is no fixed text to watch out for. But companies
such as Microsoft never send out security patches by email, which
makes the Gibe worm a dead giveaway.
If an infected attachment is opened, the Gibe worm starts to
spread. It covers its tracks by producing just the sort of message
you might expect from a security patch, such as "Microsoft Internet
Update Pack - This update does not need to be installed on this
system", or "This will install Microsoft Security Update. Do you
wish to continue?".
In the background, however, Gibe searches your hard disk for
email addresses and sends out a copy of itself to each of them.
Gibe tries to switch off a range of security and anti-virus
products - which may open you up to reinfection by older viruses
against which you thought yourself safe.
Gibe also attempts to spread using peer-to-peer networking by
copying itself to KaZaA shared folders. Here, it disguises itself
with the sort of filename that has become typical amongst virus
writers, implying it has something to do with porn, drugs, hacking
and even virus cleanup.
"Recent virus outbreaks such as Blaster, Nachi and Sobig-F have raised many
users' awareness of computer security," said Graham Cluley, senior
technology consultant for Sophos Anti-Virus. "Users may think it is
a good idea to install any security patch which is sent to them.
Unfortunately, they may be falling straight into the virus writer's
hands."
Sophos offers the following advice:
- Never accept security updates which arrive as email
attachments. (For that matter, don't blindly follow web links which
arrive by email, either, especially if they take you directly to a
software download.)
- If you have a mail server which can block attachments (such as
Sophos MailMonitor for SMTP), disallow
the sending or receiving of attachments which contain programs. It
is almost impossible to make a business case for using email to
distribute programs, on account of the associated dangers.
- Update your anti-virus software regularly so you can identify
new worms and viruses effectively and accurately.
- Emails which sound too strange to be true, or sound too good to
be true, or are just too conveniently-timed to be true, probably
aren't true. You don't need to be cynical or paranoid to exercise
caution!
- If you have peer-to-peer file sharing programs installed on
your company's network, consider removing them. It is almost
impossible to make a business case for unregulated file sharing
across the internet, on account of the associated dangers.
- Doing nothing about viruses and worms is not an option. Once
infected by a worm like Gibe, your computer will try to send the
worm to as many other potential victims as it can. Even if you
don't care about your computer, be considerate of the effect that
your carelessness might have on other internet users.
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.