A new mass-mailing worm takes advantage of security fears by purporting to be a security update from Microsoft.
Written in Visual Basic, W32/Gibe-A arrives as an attachment to what appears to be an official Microsoft alert e-mail. The message prompts users to install the attached executable. It then takes them through what appears to be an authentic installation process. For example, if a user tries to install the file again, a message box comes up saying: "This update does not need to be installed on this system."
Users are in fact installing Gibe-A, which will then mail itself to all addresses in users' address books. The technical damage associated with the worm is minimal. "It does change a few things but it's definitely not like Chernobyl," said Chris Wraight, technical director with UK-based Sophos. On certain trigger dates, Chernobyl would delete an infected hard drive and try to overwrite a computer's BIOS chip, Sophos said.
Yet, there are public relations costs to worms like Gibe-A. "You really don't want to spread it to your customers and partners," said Mikko Hypponen, director of anti-virus research at Helsinki-based F-Secure.
Gibe-A is able to spread effectively by how real the carrying e-mail message appears, Hypponen said. For example, the message says:
From: Microsoft Corporation Security Center mailto:firstname.lastname@example.org
To: Microsoft Customer
Subject: Internet Security Update Attachment: q216309.exe
this is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005?..
The first warning sign for users should have been the attachment. Microsoft has a strict policy against sending patches as attachments, Hypponen said. A good practice is always downloading patches and updates from vendors' Web sites.
"If you need an update for a Cisco router go to Cisco's Web site. If you need a Windows patch go to the Microsoft site," he said.
Cleaning an infected system only requires deleting all components of the worm.
Users should also be tipped off by where the message came from. "But most users don't know how to expand the header on messages," Wraight said.
As demonstrated by Gibe-A, social engineering play a part in how successful a worm will be. In January, the MyParty worm spread by disguising itself as a hyperlink to a Web site featuring photos from the sender's family vacation. Last week, a worm made the rounds by purporting to be pictures of pop star Britney Spears.
Gibe-A is not the first malicious code to cloak itself as an update from a reputable source, Wraight said. Just last month, the Yarner worm spread by claiming to be a newsletter about Trojan horses from a German security site.
Gibe-A may also have profited from extra concerns about security this week. The Klez-E worm was set to destroy data on infected machines on Wednesday. It's possible the worm writer could have planned it that way as everyone knew about the date, Wraight said.