Andrew Gordon, managed services architect at anti-virus software vendor Trend Micro, said that despite attacks by Worm_Swen.A declining since the first notification on 18 September, Australia had one of the highest rates of infection at 4.3 percent. The worm also goes by the names of W32/Swen@MM, Gibe and W32/Gibe-F.
Out of 10 countries assessed, the US had the highest total number of infections, while Australia came second, he added.
“Probably we're concerned about the new techniques we see coming from viruses. Some of the forms actually ask you for user information, so we can almost see that it's using it like a spam database harvest,” Gordon said.
The worm spreads by mass-mailing itself to contacts in infected Outlook address books or by propagating itself over Internet Relay Chat or peer-to-peer networks such as Kazaa, and tries to steal usernames and passwords.
Gordon said one of Trend Micro's technology partners in the US had been attacked some 100,000 times by Worm_Swen.A. Trend Micro had picked up about 86,000 Swen.A incidents with its free “house-call” service, he said.
“The first couple of days you get the most ... and then it has been gradually decreasing the last week or two,” Gordon added.
One of the emails, sighted by CRN (after removal of the virus), claimed to be from MS Security Support at firstname.lastname@example.org. Official Microsoft emails are usually @microsoft.com. The subject headline was 'Current Security Patch'. A number of Microsoft URLs were pasted into the email body, which read:
'Microsoft User this [sic] is the latest version of security update, the "September 2003, Cumulative Patch" update which eliminates all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as three newly discovered vulnerabilities. Install now to help maintain the security of your computer from these vulnerabilities. This update includes the functionality of all previously released patches...'
Ben English, security and management product manager at Microsoft Australia, said Microsoft never sent out emails with executable-type attachments, so anyone receiving such an email purporting to be from Microsoft support should delete it without opening any such attachments.
“That's how it exploits a flaw in early versions of Outlook in particular, that can run the executable [without the user opening the attachment],” he said. “We never have attachments that are programs for exactly that reason. If you're using the email and it has an attachment, it generally is not from Microsoft.”
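The two cues English gives for spotting this lure, a sender address outside microsoft.com and an executable attachment, plus the 'security patch' subject wording from the email CRN sighted, can be turned into a simple mail-triage check. The following is an added example written for this page, not code from CRN, Trend Micro or Microsoft; the sample messages, the attachment name and the extension list are constructed for the example.

```python
"""Flag e-mails that pose as Microsoft security patches but carry executables.

Added example, not from the article. The lure it checks for is the one
described above: a sender outside microsoft.com, an executable attachment and
a 'security patch' subject line. Sample messages are constructed inline.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Extensions typical of the executable payloads mass mailers of the era used.
# This list is an assumption for the example, not a complete catalogue.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".cmd"}
TRUSTED_SENDER_DOMAIN = "microsoft.com"
LURE_SUBJECT_WORDS = ("security patch", "cumulative patch", "security update")

# Constructed sample of the lure: fake sender, patch-style subject, .exe attachment.
SAMPLE_LURE = """From: MS Security Support <support@example.org>
To: user@example.com
Subject: Current Security Patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Install the attached update to keep your computer secure.
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed sample of a benign message: real domain, no attachment.
SAMPLE_CLEAN = """From: Microsoft <security@microsoft.com>
To: user@example.com
Subject: Your account
Content-Type: text/plain

Visit the Windows Update site to check for new patches.
"""


def attachment_names(msg: Message) -> list[str]:
    """Collect the file names of all attachment parts in a parsed message."""
    names = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            names.append(filename)
    return names


def triage_patch_email(raw: str) -> list[str]:
    """Return the reasons a message looks like a fake 'patch' e-mail (empty list = no flags)."""
    msg = message_from_string(raw)
    reasons = []

    # Cue 1: the visible From address is not in the trusted domain.
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain != TRUSTED_SENDER_DOMAIN and not domain.endswith("." + TRUSTED_SENDER_DOMAIN):
        reasons.append(f"sender domain '{domain}' is not {TRUSTED_SENDER_DOMAIN}")

    # Cue 2: subject line uses patch-notification wording.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in LURE_SUBJECT_WORDS):
        reasons.append("subject uses patch-notification wording")

    # Cue 3: any attachment with an executable extension.
    for name in attachment_names(msg):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable attachment '{name}'")
    return reasons


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN)):
        print(label, "->", triage_patch_email(sample) or "no flags")
```

The From header is only a display value and is trivially forged, so the domain check is a hint rather than proof; the attachment check is the one that matters operationally, since a genuine vendor notification carries no program.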
English was surprised that Australia appeared to have a higher rate of infection from the worm than many other countries. A patch for the vulnerability, which had been known about for around two years, had been available for some time.
He suggested that lack of bandwidth may make it more difficult for Australian customers to apply security patches, generally downloaded off the internet, in a timely manner.
“And we get charged per MB [of bandwidth] here, which is unusual. I don't think there's an inherent inertia in Australia. People here are generally pretty aware of the security vulnerabilities,” he said.
English said Microsoft Australia had been made aware of the Swen.A threat around 18 September, when it first appeared. The company was working hard to improve communications with, and education of, customers, partners and users around the need to apply patches. “We have to make it easier for people to patch, because it's a problem,” said English.