PCPro-Computing in the Real World Printed from www.pcpro.co.uk

New worm exploits ancient IE flaw

Posted on 19 Sep 2003 at 12:24

Sophos yesterday alerted users to the presence of a new worm, under the name of Gibe-F or Swen.A@mm.

The worm exploits a vulnerability in MIME components of Internet Explorer, for which a patch was first issued in March 2001. The same vulnerability was exploited by the Klez virus, which dominated the top ten virus reports for more than a year.

Gibe-F contains its own SMTP engine and mails itself to addresses found on the infected computer, as an email with randomly constructed To:, From:, Subject: and message texts that are clearly intended to give the impression of a security bulletin from Microsoft.

The worm copies itself as a randomly named file to the Windows folder and edits the Registry so that it runs on startup; it makes further edits so that it runs before EXE, COM, PIF, BAT and SCR files. It will additionally display a false error message (e.g. "Error occurred Memory access violation in module kernel32 at :") when REG files are opened.

It also copies itself to the KaZaA shared folder and will attempt to spread to IRC and possibly Usenet newsgroups too.

However, the vulnerability exploited allows executable attachments to run automatically when the message is viewed. On unpatched systems the worm may display a series of dialog boxes or installation routines again designed to give the impression that a security update is being applied.

Microsoft maintains it never sends round security updates via email but will always direct customers to its website.

Gibe-F also attempts to knock out a number of antivirus and firewall products if they are found running on the machine.

Although the damage to infected machines appears relatively minimal, antivirus companies are reporting that the worm is already widespread. And there are plenty of reasons why, according to Graham Cluley, Senior Technology Consultant at Sophos.

Appearing as an update from Microsoft, this virus works through both social and technical engineering, he told us. 'Users may still double-click the attachment, even if their computer is patched against it executing automatically,' he said. 'And despite the automatic update feature of Windows XP, users of older versions may not have turned this on.'

Even people with new machines may find themselves vulnerable, he said, as the system vendor uses the same image of operating system and other software on every computer sold, and that image may not be up to date.

He suggested that companies decide on a policy of how, or even whether, their employees can receive executable attachments, and that ISPs should offer customers the option of turning off such attachments destined for their accounts.
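The mail-side check that the policy above implies, as an added example that is not from the article, Sophos or Microsoft: it parses a constructed message, lists executable attachments of the types named above, and treats an executable declared under a harmless Content-Type as disguised (that mismatch test is this example's own assumption, not something the article states).

```python
import email
import os
from email import policy

# Attachment types the article names as the ones the worm hooks and mails.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".pif", ".bat", ".scr"}
# Declared top-level MIME types under which an executable file has no business
# appearing; treating the mismatch as a disguise is an assumption of this example.
HARMLESS_MAINTYPES = {"audio", "image", "text", "video"}

# Constructed sample: a fake "Microsoft" bulletin carrying an .exe declared as audio.
SAMPLE_MESSAGE = b"""From: "Microsoft Security" <updates@example.invalid>
To: user@example.invalid
Subject: Latest security update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

Install the attached patch.
--BOUND
Content-Type: audio/x-wav; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--BOUND--
"""


def find_executable_attachments(raw_message: bytes):
    """Return (filename, declared_content_type, disguised) for each executable part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or not filename:
            continue
        if os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTENSIONS:
            disguised = part.get_content_maintype() in HARMLESS_MAINTYPES
            findings.append((filename, part.get_content_type(), disguised))
    return findings


def should_quarantine(raw_message: bytes, block_all_executables: bool = False) -> bool:
    """Always block disguised executables; optionally block every executable attachment."""
    findings = find_executable_attachments(raw_message)
    return any(disguised or block_all_executables for _, _, disguised in findings)
```

With `block_all_executables=True` the function implements the stricter "no executable attachments at all" policy; with the default it only stops the disguised ones.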

For more information on the MIME vulnerability, visit the Microsoft website.

For more information on Gibe-F visit the Sophos website.

Author: Matt Whipp
