Security Incidents mailing list archives

Re: New virus disguised as Microsoft patch?


From: "Duston Sickler" <dustons () charter net>
Date: Sat, 20 Sep 2003 23:10:30 -0500

I too have been receiving some of these emails from as far away as France.
The virus is w32.swen.a@mm (Symantec).  It comes via email in two forms.

1. The very polished Microsoft email. (Complete with working links)

2. A fake message undeliverable response.

This particular virus also spreads via p2p networks, open shares, and IRC.
It could have been far more malicious in its activity but whoever wrote it
put a lot of time into it.  It will even keep infected users from editing
the registry to remove the start commands.  This definitely wasn't someone's
first attempt.

Read more at your leisure here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html

Duston Sickler
CompTIA A+ Certified
"Cedo nulli."
----- Original Message ----- 
From: "David Gillett" <gillettdavid () fhda edu>
To: <incidents () securityfocus com>
Sent: Friday, September 19, 2003 12:22 PM
Subject: New virus disguised as Microsoft patch?


  No, this isn't the crude "500,000 already infected!"
garbage.  This is an extremely polished and convincing
looking html email which claims to be a "September 2003,
Cumulative Patch" and includes an attached "patch8678.exe".

  I've got four of these overnight, from broadband users
as far away from Microsoft as Greece.  Each is followed by
an odd little NDR, presumably reporting failed delivery of
a delivery confirmation message.

David Gillett


