New Category 3 Worm/Virus: Swen.A (Yes, that's 'news' backwards)

Symantec Security Response ^ | 9/18/2003 | John Canavan

[FourPeas]

Due to an increase in submissions, Symantec Security Response has upgraded W32.Swen.A@mm to Category 3, as of 6:30pm Thursday, September 18, 2003.

W32.Swen.A@mm is a mass-mailing worm that attempts to spread through file-sharing networks, such as KaZaA and IRC, and attempts to kill antivirus and personal firewall programs running on a computer.

The worm arrives as an email attachment. The subject, body, and From: address of the email may vary. Some examples claim to be patches for Microsoft Internet Explorer, or delivery failure notices from qmail.

W32.Swen.A@mm is similar to W32.Gibe.B@mm in function, and is written in C++.

Also Known As:	Swen [F-Secure], W32/Swen@mm [McAfee], W32/Gibe-F [Sophos], Worm Swen.A
Infection Length:	106496
Systems Affected:	Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected:	DOS, Linux, Macintosh, Microsoft IIS, OS/2, UNIX, Windows 3.x

• Virus Definitions (Intelligent Updater) *

September 18, 2003

• Virus Definitions (LiveUpdate™) **

September 18, 2003

*	Intelligent Updater definitions are released daily, but require manual download and installation. Click here to download manually.
**	LiveUpdate virus definitions are usually released every Wednesday. Click here for instructions on using LiveUpdate.

Wild:

• Number of infections: 50 - 999
• Number of sites: More than 10
• Geographical distribution: High
• Threat containment: Easy
• Removal: Difficult

Threat Metrics
Wild: Medium			Damage: Low			Distribution: High

---

Notes:

• Beta definitions numbered 24954 or higher will detect this threat as W32.Swen.A@mm.
• This threat was previously detected as Worm.Automat.AHB by definitions automatically created by the Digital Immune System.

---

When W32.Swen.A@mm is executed, it performs the following actions:

1. If the executed filename starts with the letter q, u, p, or i, the worm will present the user with dialog boxes that pretend to be a "Microsoft Internet Update Pack."
   
   

   ---

   Note: The worm will install itself regardless of the choices that the user makes at this point.

   ---

   
   
2. Attempts to end the following processes:
   
   • Azonealarm
   • zapro
   • wfindv32
   • webtrap
   • vsstat
   • vshwin32
   • vsecomr
   • vscan
   • vettray
   • vet98
   • vet95
   • vet32
   • vcontrol
   • vcleaner
   • tds2
   • tca
   • sweep
   • sphinx
   • serv95
   • safeweb
   • rescue
   • regedit
   • rav
   • pview
   • pop3trap
   • persfw
   • pcfwallicon
   • pccwin98
   • pccmain
   • pcciomon
   • pavw
   • pavsched
   • pavcl
   • padmin
   • outpost
   • nvc95
   • nupgrade
   • nupdate
   • normist
   • nmain
   • nisum
   • navw
   • navsched
   • navnt
   • navlu32
   • navapw32
   • nai_vs_stat
   • msconfig
   • mpftray
   • moolive
   • luall
   • lookout
   • lockdown2000
   • kpfw32
   • jedi
   • iomon98
   • iface
   • icsupp
   • icssuppnt
   • icmoon
   • icmon
   • icloadnt
   • icload95
   • ibmavsp
   • ibmasn
   • iamserv
   • iamapp
   • gibe
   • f-stopw
   • frw
   • fp-win
   • f-prot95
   • fprot95
   • f-prot
   • fprot
   • findviru
   • f-agnt95
   • espwatch
   • esafe
   • efinet32
   • ecengine
   • dv95
   • claw95
   • cfinet
   • cfind
   • cfiaudit
   • cfiadmin
   • ccshtdwn
   • ccapp
   • bootwarn
   • blackice
   • blackd
   • avwupd32
   • avwin95
   • avsched32
   • avp
   • avnt
   • avkserv
   • avgw
   • avgctrl
   • avgcc32
   • ave32
   • avconsol
   • autodown
   • apvxdwin
   • aplica32
   • anti-trojan
   • ackwin32
   • _avp
     
     
3. Drops a copy of itself to %Windir% with a randomly generated filename.
   
   

   ---

   Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

   ---

   
   
4. Creates the file, %Windir%\Germs0.dbv, where it stores the email addresses it has found.
   
   
5. Creates the file, %Windir%\Swen1.dat, where it stores a list of remote news and mail servers.
   
   
6. Drops a %ComputerName%.bat file, which executes the worm and a randomly named configuration file to store the local, machine-specific data.
   
   

   ---

   Note: %ComputerName% is a variable that represents the name of the infected computer.

   ---

   
   
7. Adds the values:
   
   • "CacheBox Outfit"="yes"
   • "ZipName"="<random>"
   • "Email Address"="<The current users email address that the worm retrieves from the registry>"
   • "Server"="<The IP address of the SMTP server that the worm retrieves from the registry>"
   • "Mirc Install Folder"="<location of mirc client on system>"
   • "Installed"="...by Begbie"
   • "Install Item"="<random>"
   • "Unfile"="<random>"
     
     to the key:
     
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\*
     
     where * is a random set of letters.
     
     
8. Adds a randomly named value to:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   so that the worm starts when Windows starts.
   
   
9. Modifies the following registry keys:
   
   • HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
   • HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command
   • HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command
   • HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command
   • HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command
   • HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command
     
     which hooks the worm to each of these file types.
     
     
10. Modifies the value:
    
    "DisableRegistryTools" = "1"
    
    in the registry key:
    
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    
    to prevent the user from running regedit on the system.
    
    
11. Periodically presents users with a fake MAPI32 Exception error:
    
    
    
    
    
    prompting them to enter the details of their email account, including the following:
    
    • Username
    • Password
    • POP3 server
    • SMTP server
      
      
12. Presents the user with the following fake error message, and then quits when certain executables, such as regedit, are run:
    
    Exception error occured:
    Memory access violation in module kernel32 at %random.memory.address%
    
    
13. Sends an HTTP Get request to a predefined HTTP server to retrieve counter information when the worm runs for the first time. Then, the worm may display the counter information.
    
    For example:
    
    

The worm spreads through email, KaZaA, IRC, Network Shares, and newsgroups. The following sections discuss how each of these transmission methods can occur.

Transmission through email
W32.Swen.A@mm sends a copy of itself to the addresses found on the system through various methods. The worm can vary the message it sends, as well as the filename that it attaches itself as. The worm uses an incorrect MIME Header exploit, mentioned in Microsoft Security Bulletin MS01-020, to ensure that it is automatically executed when the mail is viewed.

One of the messages, as shown below, pretends to be a critical message from Microsoft, suggesting that the users update their system with the attached "Patch***.exe", where *** is a series of three numbers:





The worm can also impersonate mail delivery failure notices, attaching itself as a randomly named executable.

One example is:

"I'm sorry I wasn't able to deliver your message to one or more destinations."


Transmission through KaZaA
When attempting to spread through KaZaA, W32.Swen.A@mm performs the following actions:

1. Drops a copy of itself into a randomly named subdirectory of %Temp% on the system.
   
   

   ---

   Note: %Temp% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

   ---

   
   
2. Adds the values:
   
   "Dir99"= 012345:"<random folder name>"
   "DisableSharing"="0"
   
   to the registry key:
   
   HKEY_CURRENT_USER\Software\Kazaa\LocalContent
   
   which adds this folder to the list of shared folders in KaZaA.
   
   

   ---

   Note: <random folder name> is the folder created under %Temp% in step 1 above.

   ---

   
   
3. Some of the possible dropped filenames include:
   
   • Virus Generator
   • Magic Mushrooms Growing
   • Cooking with Cannabis
   • Hallucinogenic Screensaver
   • My naked sister
   • XXX Pictures
   • Sick Joke
   • XXX Video
   • XP update
   • Emulator PS2
   • XboX Emulator
   • Sex
   • HardPorn
   • Jenna Jameson
   • 10.000 Serials
   • Hotmail hacker
   • Yahoo hacker
   • AOL hacker
   • fixtool
   • cleaner
   • removal tool
   • remover
   • Klez
   • Sobig
   • Sircam
   • Gibe
   • Yaha
   • Bugbear
   • installer
   • upload
   • warez
   • hacked
   • hack
   • key generator
   • Windows Media Player
   • GetRight FTP
   • Download Accelerator
   • Mirc
   • Winamp
   • WinZip
   • WinRar
   • KaZaA
   • KaZaA media desktop
   • Kazaa Lite
     
     

Transmission through IRC
When attempting to spread through IRC, W32.Swen.A@mm performs the following actions:

1. Searches for a \Mirc folder.
   
   
2. Creates a Script.ini file in this folder, which the worm uses to send itself to other mIRC users, who are connected on the same channel as the infected computer.

Transmission through network shares
When attempting to spread through network shares, W32.Swen.A@mm attempts to locate the Startup folder on all the mapped network drives as follows:

• Windows 2000:
  
  Attempts to copy itself to:
  
  \Documents and Settings\%Infected Computer User Name%\Start Menu\Programs\Startup
  
  on the remote computer.
  
  

  ---

  Note: %Infected Computer User Name% is a variable. For example, if the logged-in user of the infected computer is "Administrator," then the worm will copy itself to:
  
  \Documents and Settings\Administrator\Start Menu\Programs\Startup
  

  ---

  
  
• Windows 98:
  
  Attempts to copy itself to:
  
  \Windows\Start Menu\Programs\Startup
  
  on the remote computer.
  
  
• Windows NT:
  
  Attempts to copy itself to:
  
  \Winnt\Profiles\%Infected Computer User Name%\Start Menu\Programs\Startup
  
  on the remote computer.
  
  

  ---

  Note: %Infected Computer User Name% is a variable. For example, if the logged-in user of the infected computer is "Administrator," then the worm will copy itself to:
  
  \Documents and Settings\Administrator\Start Menu\Programs\Startup
  

  ---

  
  

Transmission through newsgroups
W32.Swen.A@mm may also attempt to distribute itself to predetermined newsgroups whose addresses are contained within the worm.

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected as W32.Swen.A@mm.
4. Delete the value that was added to the registry.
   

For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

• "How to disable or enable Windows Me System Restore"
• "How to turn off or turn on Windows XP System Restore"

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

• Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
• Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).
  
  The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Scanning for and deleting the infected files

1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
   • For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
   • For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
2. Run a full system scan.
3. If any files are detected as infected with W32.Swen.A@mm, click Delete.

4. Deleting the value from the registry

---

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

---

1. Click Start, and then click Run. (The Run dialog box appears.)
   
   
2. Type:
   
   notepad
   
   and then click OK. (Notepad opens a text file.)
   
   
3. Type, or copy and paste, the following text into the text file:
   
   REGEDIT4
   
   [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   "DisableRegistryTools"=dword:00000000
   
   
4. Save the file as:
   
   repair.reg
   
   in the root folder (usually C:\).
   
   
5. Click Start, then Run.
   
   
6. Type:
   
   regedit -s \repair.reg
   
   and then click OK.
   
   
7. Click Start, and then click Run.
   
   
8. Type regedit
   
   Then click OK. (The Registry Editor opens.)
   
   
9. Navigate to the key:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   
10. In the right pane, delete the randomly named value that the worm created.
    
    
11. Navigate to each of the following keys:
    
    • HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
    • HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command
    • HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command
    • HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command
    • HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command
    • HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command
      
      
12. Double-click the (Default) value in the right pane.
    
    
13. Delete the current value data, and then type, or copy and paste:
    
    "%1" %*
    
    
14. Exit the Registry Editor.

Write-up by: John Canavan

[CheneyChick]

Systems Not Affected:
DOS, Linux, Macintosh, Microsoft IIS, OS/2, UNIX, Windows 3.x

YAY!

[PackerBoy]

I received a bunch of these this evening -- all seemingly from Microsoft. What a pain these virus-spreading jerks are. Cutting off their hands seems pretty reasonable to me these days.

[ChadGore]

Do you run OSx ? How is it ?

[FourPeas]

This particular worm sometimes makes itself look like a Microsoft patch.

And, to make this one even better, Mr. FourPeas (who works in IT Security) just had a discussion today with various members of the company's IT department because they'd just started e-mailing Microsoft patches out ot all the various machines. (They couldn't get Marimba to work....) Mr. FourPeas argument: an e-mail can be spoofed and cause someone, thinking they were installing a patch, to instead release a virus.

[CheneyChick]

I love OS X. It is solid. I switched my parents to it as well and the 'tech support' calls have dropped off almost completely!

Cheers, CC :)

[rwfromkansas]

How many of you folks have been having network probs?

Two worms have managed to get past the network protection/firewalls etc. here at my college, causing the internet in the dorms to go down half the time...very annoying.

I have heard of this happening at other colleges.

Anybody having such problems at work networks or anything?

[FourPeas]

A local news station did a story last week about a nearby college that distributed anti-virus software to each student in on-campus housing. They'd had so many problems in the past that it was cheaper to purchase licenses for all the students' PCs rather than fight the fires later.

[lelio]

One of the messages, as shown below, pretends to be a critical message from Microsoft, suggesting that the users update their system with the attached "Patch***.exe", where *** is a series of three numbers:

When will these virus writers ever learn? Don't make something so easy to block.

[martin_fierro]

FREE PC PROTECTION (not an exhaustive list): Alternative browsers: Mozilla Opera AVG Anti-Virus Free Edition: Free anti-viral protection Bayden Systems Popup Popper: Blocks popup ads well in MSIE Spyware removers: Spybot S&D AdAware MailWasher: Good for pre-screening & bouncing SPAM Windows Update: At least install the critical ones ZoneAlarm: Excellent Firewall Test your firewall from without with ShieldsUP! Test your firewall from within with LeakTest

[Ramius]

Stopping this one (or many of them) is reasonably easy... strip off .exe attachments to mail messages at the server.

There's no real reason for most people to be sending executables to each other. Take 'em at the server. It solves a whole world of problems.

[Robert_Paulson2]

It's linux ten...

Unix for mac daddies.
everyone I know who uses it... either says it okay... or they found the "goodies" on it... and now they say it's dynamite!

Folks are really upset with the ongoing sieve in microsoft over the friggin HOLE in outlook and outlook express.
If folks have windows, they really ought to consider using a "NON AFFECTED" email client.

and anything that has a PIF, EXE or BAT or SCR attached... is in my opinion.. a bomb. Be wary of Zips and other self extracting compression utilities as well, it is only a matter of time before someone figures out how to insert an executable something in a zip, arch, or sit file...

I am a little concerned that this virus hits win 2000 as hard as it supposedly does... I understand a little with win 98,or perhaps even xp... but 2000 I had thought, was pretty well plugged of viral leak orifices... after four years.

[Critter]

I know squat about computers, really, but I never had a virus infect mine, in all the years I've been online. I simply do not open any attachments that are suspicious, until I reply to sender and get confirmation that they intended to send it.

[FourPeas]

Not opening attachments will get a large percentage of viruses, worms and other exploits, however there are others that spread in other ways. Blaster and Welchia, both major exploits, were spread through means other than e-mail. That's why a firewall is a good idea. ZoneAlarm is an excellent FREE personal firewall.

[w1andsodidwe]

Stopping this one (or many of them) is reasonably easy... strip off .exe attachments to mail messages at the server.

Exactly, we allow no .exe attachment whatsoever.

[Revelation 911]

I know squat about computers, really, but I never had a virus infect mine, in all the years I've been online. I simply do not open any attachments that are suspicious, until I reply to sender and get confirmation that they intended to send it.

same here - I surf news only with drudge etc.. some ebay and swap pictures of local hot rods with other klub members - never had a virus until my wifes prof said her email to him had two - so I bought Norton and sure enough a trojan and a worm - I suspect my kids got them from the head banger websites as they download music clips etc

Its smart money - PS - i delete anything I get from people I do not know -

[Tunehead54]

That's why a firewall is a good idea. ZoneAlarm is an excellent FREE personal firewall.

---

Available at http://www.zonelabs.com

;-)

[finnman69]

Yuck. I just hard a hard time eradicating a nasty Cool Web Search CWS hijack program.


Adaware would not kill it and I had to download a shredder.

[Salo]

This is not to criticize, you seem to be doing quite well, but you are very much more likely to get a virus by opening an attachment from someone you know ie, someone who has you in their address book.

Its smart money - PS - i delete anything I get from people I do not know

[LayoutGuru2]

I like ZoneAlarm so much that after two years of using the free version (guilt creeping in?) I finally sent them $29.95 and grabbed the Pro version, primarily for the pop-up stopper that is not included in the free version. I can't understand why folks think they can get by without this protection, FREE is a very good price!!!