BANGALORE: This week stay alert for a new version of an old virus. W32/Swen.A-mm
(W32/Gibe.F-mm, W32/Swen.A-mm, W32/Gibe@mm, WORM_GIBE.A, W32/Gibe-A,
I-Worm.Gibe, W32/Gibe.A@mm, Win32.Gibe.A, W32/Gibe@MM) exploits a legacy
Internet Explorer, Outlook Express and Outlook vulnerability for which
an update
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp)
was released in March 2001.
The virus seems to originate from Slovakia, but then spread across the
US (46%), the UK (13%) and the Netherlands (7%). As this re-infection
shows, most users in corporate Europe and the US have yet to upgrade to
a more secure version of Windows or to patch their computers regularly.
The re-infection also unmasks the efficacy (or rather the lack of it) of
corporate security programs!
The virus-infected mail pretends to be a Microsoft security alert
containing a cumulative patch as an attachment. For anyone even slightly
aware of Internet security, that is a strict no-no: software vendors
never send file attachments with email alerts. You always have to visit
a URL to download an update.
This Gibe virus variant also spreads through IRC (networks used for chat
where most users and client applications have near non-existent
security) and through P2P (peer-to-peer networks used most commonly for
music file sharing). The virus also enables file sharing, creating a
shared folder into which it saves multiple infected copies of itself
under different (spoofed) filenames that pretend to be virus removal
software!
Although most anti-virus programs automatically detect this virus
strain, which first surfaced in early 2002, it's better to play safe and
avoid opening any email file attachments, even when they arrive from a
person or mail address that you recognize.
Make sure to let everyone you correspond with -- at home and at work --
know that files attached to mail messages should be compressed (e.g.
Zip, Rar, Sit formats) with a descriptive name that's exactly 8
characters long. That way you can view the entire file name and choose
to open/save the attachment or delete it. As a rule, I save all
attachments received to a distinct folder, scan them and then only
consider opening them. And that's just for non-executable files. These
are deleted on sight.
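The attachment-handling rule above, as an added sketch that is not part of the original column: it parses a raw mail message and gives each attachment a verdict. The extension lists, the verdict names, the reading of the 8-character rule as a maximum, and the sample message are all assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed policy values; the column itself does not list extensions.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
ARCHIVE_EXTS = {".zip", ".rar", ".sit"}  # the archive formats the column names
MAX_STEM_LEN = 8                          # 8-character rule, read as a maximum


def triage_attachment(filename):
    """Return 'delete', 'quarantine' or 'scan' for one attachment name."""
    name = PurePosixPath(filename.replace("\\", "/")).name.strip().lower()
    suffixes = PurePosixPath(name).suffixes
    last = suffixes[-1] if suffixes else ""
    if last in EXECUTABLE_EXTS:
        return "delete"       # the final extension decides, so a.zip.exe is caught
    stem = name[: len(name) - len(last)] if last else name
    if last not in ARCHIVE_EXTS or len(stem) > MAX_STEM_LEN or len(suffixes) > 1:
        return "quarantine"   # not a plainly named archive: hold for review
    return "scan"             # save to a separate folder and scan before opening


def triage_message(raw_bytes):
    """Map each attachment filename in a raw mail message to a verdict."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        verdicts[fname] = triage_attachment(fname)
    return verdicts


def build_sample():
    """Constructed sample: a fake 'security alert' with three attachments."""
    m = EmailMessage()
    m["From"] = "security@vendor.example"
    m["To"] = "user@corp.example"
    m["Subject"] = "Cumulative security patch"
    m.set_content("Please install the attached update.")
    for fname in ("patch.exe", "q3budget.zip", "quarterly-budget.zip"):
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample()))
```

A "scan" verdict only means the file goes to the scanning folder; it says nothing about the archive's contents.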
There may be a second Internet-wide virus-induced shutdown this week
caused by a new version of the Blaster worm. While Microsoft issued an
RPC update last week, many users and administrators may be slow to
update their systems. I recommend also installing Steve Gibson's
DCOMbobulator (http://www.www.grc.com/dcom/; 29 kB, Windows, free), a
revised version of which was released last week. It tests whether DCOM
is enabled and can block the service. It can also check (this requires
an Internet connection) whether Port 135 is in an open or closed state.
Microsoft is also taking the security issues seriously, with a dedicated
Security & Privacy web site. This contains step-wise guides to common
security issues. There's also a free tool that can check whether Windows
Update's auto-patch feature has been enabled and is working. Of course,
to use this auto-notification service, Windows 2000 needs Service Pack-3
or later installed.
The weekend saw some more software releases. A landmark is MyIE2 v8
Final (Build 0.8.2038), which includes fixes for several bugs and OS
incompatibility problems, especially with Windows 2003 (Server). Opera
7.20 Beta 13 was also released for public testing. This ongoing public
Beta sequentially fixes problems detected with previous builds
(http://my.opera.com/forums/showthread.php?s=d1f51a630d6fa2e632e45936fc1e86d8&threadid=31229).
The Beta process is going to extend for a while because Opera 7.20 is a
from-the-ground-up build that doesn't use any legacy code.
Also new this week is Trend Micro's Internet Security Beta 2. This suite
includes a virus scanner with a mail (POP/SMTP/IMAP/Web mail) scanner, a
spam detector with custom white listing, a firewall, URL blocking and
more. A full review will be available next week.
Govind Menon
Disclaimer: These views are Govind Menon's and CIOL does not necessarily subscribe to the same.