Swen/Gibe.F Virus
A mass-mailing virus appears to be a memo from Microsoft
Briefing for Senior IT Managers
Marcus H. Sachs, P.E.
The SANS Institute
September 24, 2003
What is Swen/Gibe.F?
• A mass mailing email virus
• First reported on September 18, 2003
• The most common version appears as an email from Microsoft directing users to download a “cumulative patch”
• The attachment is, of course, a virus
• Virus spreads when users run the infected attachment, or when the email is opened if MS01-020 has not been applied (MS01-027 is a more recent bulletin that also fixes this problem)
What should I do about it?
• This type of mass-mailing virus only spreads when two conditions are met:
  • The victim’s computer is vulnerable to the issue discussed in MS01-020, or the victim’s email client allows users to run executable attachments; and,
  • The victim has no anti-virus software or it is not up to date
• Stopping Swen/Gibe.F is an educational problem:
  • Teach users to not open suspicious attachments
  • Teach users to use up to date anti-virus products
  • Teach users to keep their systems updated
Swen/Gibe.F’s Impact
• Virus depends on gullible users to propagate
• Spreads via email, IRC, KaZaA, shared file systems, and news groups
• Attempts to kill anti-virus and firewall programs on the victim’s computer
• Some organizations have reported over ten thousand received Swen/Gibe.F emails in a single day, clogging email servers
• Virus adds to the already high system administrator and user frustration levels
What systems are affected?
Microsoft Systems:
• Windows 95, 98, 98SE
• Windows Millennium Edition
• Windows NT
• Windows 2000
• Windows XP
• Windows Server 2003
Indications of a Forgery
• Executable attachment (in this case, blocked by the Outlook client)
• Return address is not Microsoft
• Multiple spelling and grammar errors in body text
Swen/Gibe.F’s Payload
Swen/Gibe.F installs itself with a typical Microsoft dialogue box such as this:
Installation Complete
The virus installs itself regardless of the choice offered in the previous slide
Account Harvesting
• As an additional bonus, Swen/Gibe.F periodically presents this screen to the victim to harvest email account information
• Notice the spelling and grammar errors
Damage to Victim Computers
• Anti-virus or firewall software is disabled
• Registry modification by the user is prevented
• Multiple registry keys are modified
• CPU may run at near 100% as virus attempts to spread
• No files are deleted or modified other than those needed for spreading
Additional Details
• Virus has its own SMTP engine
• Harvests new email addresses from the victim computer’s registry
• Outgoing email has forged headers
• Virus also uses the file-swapping capability of mIRC and KaZaA if those programs are available on the victim’s computer
• Can spread via mapped drives and newsgroups
What else do I need to know?
• Swen/Gibe.F emails are pretty good forgeries and have fooled a number of unsuspecting users
• Microsoft and other vendors NEVER send patches or updates as an attachment to an email
• In general, computer users should always be suspicious of attachments, even those from trusted friends
• The “from” address of any email should never be trusted as authentic – it is too easy to forge
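The forgery indicators the briefing lists (an executable attachment, a sender address that is not the vendor's, and a "patch" or "update" arriving as an attachment) turned into a mail-gateway check. This is an added example, not code from the briefing or from SANS; the sample message, its example.net address, its misspelled body and the patch.exe attachment are constructed, and Microsoft is used as the impersonated vendor because that is the page's case.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Attachment types that mass mailers of this era shipped as their payload.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com")
CLAIMED_VENDOR = "microsoft"  # the vendor being impersonated (the page's case)

def forgery_indicators(raw_message: str) -> list:
    """Return the briefing's forgery indicators exhibited by a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    # Indicator 1: the sender presents as the vendor but the address is elsewhere.
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    mentions_vendor = CLAIMED_VENDOR in (display_name + " " + msg.get("Subject", "")).lower()
    vendor_domain = domain == f"{CLAIMED_VENDOR}.com" or domain.endswith(f".{CLAIMED_VENDOR}.com")
    if mentions_vendor and not vendor_domain:
        findings.append(f"sender presents as {CLAIMED_VENDOR} but address domain is '{domain}'")
    # Indicator 2: an executable attachment; text parts are collected on the way.
    executables, text = [], msg.get("Subject", "")
    for part in msg.walk():
        filename = part.get_filename() or ""
        if filename.lower().endswith(EXECUTABLE_EXTENSIONS):
            executables.append(filename)
        elif part.get_content_type() == "text/plain":
            text += " " + part.get_payload(decode=True).decode("utf-8", "replace")
    findings.extend(f"executable attachment '{name}'" for name in executables)
    # Indicator 3: a "patch" or "update" shipped as an attachment, which vendors never do.
    if executables and re.search(r"\b(patch|update)\b", text, re.IGNORECASE):
        findings.append("software update delivered as an email attachment")
    return findings
# Constructed sample in the style the briefing describes (address, subject,
# body and attachment are made up; this is not a real Swen message).
SAMPLE_MESSAGE = """\
From: "Microsoft Corporation Security Center" <updates@example.net>
Subject: Latest Cumulative Patch
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Dear Customer, please instal the attached cumulative patch wich elliminates all known vulnerabilities.
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="patch.exe"

(constructed placeholder, not an executable)
--BOUNDARY--
"""
```

Running `forgery_indicators(SAMPLE_MESSAGE)` reports all three indicators; a plain message with no attachment, or one genuinely sent from the vendor's domain without an executable, reports none.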
Awareness Lessons Learned
• This is a security awareness issue - does everyone in your organization know that Microsoft and other vendors never send updates by email?
• If not, that should be your awareness tidbit of the month and definitely added to your regular security awareness curriculum
Where do I get more information?
• Major anti-virus vendors have instructions for cleaning Swen/Gibe.F on their web sites
• Details on the issue that allows for automatic infection when an email is opened are available from Microsoft at: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
• Microsoft issued an additional fix to this problem, details are at: http://www.microsoft.com/technet/security/bulletin/MS01-027.asp