New Category 3 Worm/Virus: Swen.A (Yes, that's 'news' backwards)
Symantec Security Response | 9/18/2003 | John Canavan
Posted on 09/18/2003 8:28:21 PM PDT by FourPeas
Due to an increase in submissions, Symantec Security Response has upgraded W32.Swen.A@mm to Category 3, as of 6:30pm Thursday, September 18, 2003.
W32.Swen.A@mm is a mass-mailing worm that attempts to spread through file-sharing networks, such as KaZaA and IRC, and attempts to kill antivirus and personal firewall programs running on a computer.
The worm arrives as an email attachment. The subject, body, and From: address of the email may vary. Some examples claim to be patches for Microsoft Internet Explorer, or delivery failure notices from qmail.
W32.Swen.A@mm is similar to W32.Gibe.B@mm in function, and is written in C++.
Also Known As: Swen [F-Secure], W32/Swen@mm [McAfee], W32/Gibe-F [Sophos], Worm Swen.A
Infection Length: 106496
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Microsoft IIS, OS/2, UNIX, Windows 3.x
Virus Definitions (Intelligent Updater) *: September 18, 2003
Virus Definitions (LiveUpdate) **: September 18, 2003
* Intelligent Updater definitions are released daily, but require manual download and installation.
** LiveUpdate virus definitions are usually released every Wednesday.
Notes:
- Beta definitions numbered 24954 or higher will detect this threat as W32.Swen.A@mm.
- This threat was previously detected as Worm.Automat.AHB by definitions automatically created by the Digital Immune System.
When W32.Swen.A@mm is executed, it performs the following actions:
- If the executed filename starts with the letter q, u, p, or i, the worm will present the user with dialog boxes that pretend to be a "Microsoft Internet Update Pack."
Note: The worm will install itself regardless of the choices that the user makes at this point.
- Attempts to end the following processes:
- Azonealarm
- zapro
- wfindv32
- webtrap
- vsstat
- vshwin32
- vsecomr
- vscan
- vettray
- vet98
- vet95
- vet32
- vcontrol
- vcleaner
- tds2
- tca
- sweep
- sphinx
- serv95
- safeweb
- rescue
- regedit
- rav
- pview
- pop3trap
- persfw
- pcfwallicon
- pccwin98
- pccmain
- pcciomon
- pavw
- pavsched
- pavcl
- padmin
- outpost
- nvc95
- nupgrade
- nupdate
- normist
- nmain
- nisum
- navw
- navsched
- navnt
- navlu32
- navapw32
- nai_vs_stat
- msconfig
- mpftray
- moolive
- luall
- lookout
- lockdown2000
- kpfw32
- jedi
- iomon98
- iface
- icsupp
- icssuppnt
- icmoon
- icmon
- icloadnt
- icload95
- ibmavsp
- ibmasn
- iamserv
- iamapp
- gibe
- f-stopw
- frw
- fp-win
- f-prot95
- fprot95
- f-prot
- fprot
- findviru
- f-agnt95
- espwatch
- esafe
- efinet32
- ecengine
- dv95
- claw95
- cfinet
- cfind
- cfiaudit
- cfiadmin
- ccshtdwn
- ccapp
- bootwarn
- blackice
- blackd
- avwupd32
- avwin95
- avsched32
- avp
- avnt
- avkserv
- avgw
- avgctrl
- avgcc32
- ave32
- avconsol
- autodown
- apvxdwin
- aplica32
- anti-trojan
- ackwin32
- _avp
- Drops a copy of itself to %Windir% with a randomly generated filename.
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
- Creates the file, %Windir%\Germs0.dbv, where it stores the email addresses it has found.
- Creates the file, %Windir%\Swen1.dat, where it stores a list of remote news and mail servers.
- Drops a %ComputerName%.bat file, which executes the worm, and a randomly named configuration file that stores the local, machine-specific data.
Note: %ComputerName% is a variable that represents the name of the infected computer.
- Adds the values:
- "CacheBox Outfit"="yes"
- "ZipName"="<random>"
- "Email Address"="<The current user's email address, which the worm retrieves from the registry>"
- "Server"="<The IP address of the SMTP server that the worm retrieves from the registry>"
- "Mirc Install Folder"="<location of mirc client on system>"
- "Installed"="...by Begbie"
- "Install Item"="<random>"
- "Unfile"="<random>"
to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\*
where * is a random set of letters.
- Adds a randomly named value to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm starts when Windows starts.
- Modifies the following registry keys:
- HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
- HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command
- HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command
- HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command
- HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command
- HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command
which hooks the worm to each of these file types.
- Modifies the value:
"DisableRegistryTools" = "1"
in the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
to prevent the user from running regedit on the system.
- Periodically presents users with a fake MAPI32 Exception error, prompting them to enter the details of their email account, including the following:
- Username
- Password
- POP3 server
- SMTP server
- Presents the user with the following fake error message, and then quits when certain executables, such as regedit, are run:
Exception error occured:
Memory access violation in module kernel32 at %random.memory.address%
- Sends an HTTP Get request to a predefined HTTP server to retrieve counter information when the worm runs for the first time. Then, the worm may display the counter information.
The worm spreads through email, KaZaA, IRC, Network Shares, and newsgroups. The following sections discuss how each of these transmission methods can occur.
Transmission through email
W32.Swen.A@mm sends a copy of itself to the addresses it finds on the system through various methods. The worm varies both the message it sends and the filename under which it attaches itself. It exploits the incorrect MIME header vulnerability described in Microsoft Security Bulletin MS01-020 so that, on an unpatched client, the attachment is executed automatically when the mail is viewed.
One of the messages pretends to be a critical message from Microsoft, suggesting that users update their system with the attached "Patch***.exe", where *** is a series of three numbers.
The worm can also impersonate mail delivery failure notices, attaching itself as a randomly named executable.
One example is:
"I'm sorry I wasn't able to deliver your message to one or more destinations."
Transmission through KaZaA
When attempting to spread through KaZaA, W32.Swen.A@mm performs the following actions:
- Drops a copy of itself into a randomly named subdirectory of %Temp% on the system.
Note: %Temp% is a variable that represents the temporary folder. The worm creates a randomly named subfolder there and copies itself into it.
- Adds the values:
"Dir99"= 012345:"<random folder name>"
"DisableSharing"="0"
to the registry key:
HKEY_CURRENT_USER\Software\Kazaa\LocalContent
which adds this folder to the list of shared folders in KaZaA.
Note: <random folder name> is the folder created under %Temp% in step 1 above.
- Some of the possible dropped filenames include:
- Virus Generator
- Magic Mushrooms Growing
- Cooking with Cannabis
- Hallucinogenic Screensaver
- My naked sister
- XXX Pictures
- Sick Joke
- XXX Video
- XP update
- Emulator PS2
- XboX Emulator
- Sex
- HardPorn
- Jenna Jameson
- 10.000 Serials
- Hotmail hacker
- Yahoo hacker
- AOL hacker
- fixtool
- cleaner
- removal tool
- remover
- Klez
- Sobig
- Sircam
- Gibe
- Yaha
- Bugbear
- installer
- upload
- warez
- hacked
- hack
- key generator
- Windows Media Player
- GetRight FTP
- Download Accelerator
- Mirc
- Winamp
- WinZip
- WinRar
- KaZaA
- KaZaA media desktop
- Kazaa Lite
Transmission through IRC
When attempting to spread through IRC, W32.Swen.A@mm performs the following actions:
- Searches for a \Mirc folder.
- Creates a Script.ini file in this folder, which the worm uses to send itself to other mIRC users, who are connected on the same channel as the infected computer.
Transmission through network shares
When attempting to spread through network shares, W32.Swen.A@mm attempts to locate the Startup folder on all the mapped network drives as follows:
- Windows 2000:
Attempts to copy itself to:
\Documents and Settings\%Infected Computer User Name%\Start Menu\Programs\Startup
on the remote computer.
Note: %Infected Computer User Name% is a variable. For example, if the logged-in user of the infected computer is "Administrator," then the worm will copy itself to:
\Documents and Settings\Administrator\Start Menu\Programs\Startup
- Windows 98:
Attempts to copy itself to:
\Windows\Start Menu\Programs\Startup
on the remote computer.
- Windows NT:
Attempts to copy itself to:
\Winnt\Profiles\%Infected Computer User Name%\Start Menu\Programs\Startup
on the remote computer.
Note: %Infected Computer User Name% is a variable. For example, if the logged-in user of the infected computer is "Administrator," then the worm will copy itself to:
\Winnt\Profiles\Administrator\Start Menu\Programs\Startup
Transmission through newsgroups
W32.Swen.A@mm may also attempt to distribute itself to predetermined newsgroups whose addresses are contained within the worm.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
- Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
- If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
- Always keep your patch levels up to date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
- Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate infected computers quickly to prevent further compromise of your organization. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
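The attachment-blocking practice in the list above, together with the MS01-020 lure described under "Transmission through email", can be enforced at the mail gateway. The following is an added example, not Symantec's code and not part of the original write-up: a Python filter that flags attachments carrying the five extensions listed above, flags an executable that is declared under a non-executable MIME type (the mismatch MS01-020 turns on), and rewrites the message with those parts replaced by a placeholder. The sample message, its sender and recipient addresses, and the attachment names are constructed for the example.

```python
"""Mail-gateway attachment filter for the attachment types the write-up says to block.

Added example (not Symantec's code). Standard library only.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions the write-up's best-practices list recommends blocking or removing at the server.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def attachment_findings(raw: bytes) -> list:
    """Return one finding per attachment that violates policy.

    Two checks: the extension is on the block list, and (the MS01-020 pattern) an
    executable is declared under a non-executable MIME type such as audio/x-wav,
    which unpatched clients of the time handed to the wrong handler automatically.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        ext = os.path.splitext(filename.lower())[1]
        ctype = part.get_content_type()
        reasons = []
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"extension {ext} is blocked by policy")
            if not ctype.startswith("application/"):
                reasons.append(f"executable attachment declared as {ctype}")
        if reasons:
            findings.append({"filename": filename, "content_type": ctype, "reasons": reasons})
    return findings


def strip_blocked_attachments(raw: bytes):
    """Replace each blocked attachment with a plain-text placeholder.

    Returns (rewritten message bytes, list of removed filenames).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.is_multipart() or not part.get_filename():
            continue
        filename = part.get_filename()
        if os.path.splitext(filename.lower())[1] in BLOCKED_EXTENSIONS:
            removed.append(filename)
            # set_content() discards the old payload and every Content-* header,
            # including the Content-Disposition that carried the filename.
            part.set_content(f"[attachment {filename} removed by mail policy]")
    return msg.as_bytes(), removed


def build_sample_message() -> bytes:
    """Constructed lure in the shape the write-up describes: a fake Microsoft patch
    mail carrying Patch123.exe under an audio MIME type, plus a benign PDF."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Security Center <bulletin@example.invalid>"  # spoofed, constructed
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Latest Internet Security Pack"
    msg.set_content("Install the attached cumulative patch.")
    fake_exe = b"MZ" + b"\x00" * 30  # constructed stand-in for an executable body
    msg.add_attachment(fake_exe, maintype="audio", subtype="x-wav", filename="Patch123.exe")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for f in attachment_findings(raw):
        print(f["filename"], "->", "; ".join(f["reasons"]))
    cleaned, removed = strip_blocked_attachments(raw)
    print("removed:", removed)
```

Matching on the filename extension rather than the declared Content-Type is deliberate: the declared type is attacker-controlled and is exactly what the MS01-020 trick lies about, so the type mismatch is reported as a second reason rather than being the primary decision.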
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
- Disable System Restore (Windows Me/XP).
- Update the virus definitions.
- Run a full system scan and delete all the files detected as W32.Swen.A@mm.
- Delete the value that was added to the registry.
For specific details on each of these steps, read the following instructions.
1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows documentation.
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.
2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
- Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
- Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).
Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.
3. Scanning for and deleting the infected files
- Start your Symantec antivirus program and make sure that it is configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with W32.Swen.A@mm, click Delete.
4. Deleting the value from the registry
WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
- Click Start, and then click Run. (The Run dialog box appears.)
- Type:
notepad
and then click OK. (Notepad opens a text file.)
- Type, or copy and paste, the following text into the text file:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
- Save the file as:
repair.reg
in the root folder (usually C:\).
- Click Start, then Run.
- Type:
regedit -s \repair.reg
and then click OK.
- Click Start, and then click Run.
- Type:
regedit
and then click OK. (The Registry Editor opens.)
- Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- In the right pane, delete the randomly named value that the worm created.
- Navigate to each of the following keys:
- HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
- HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command
- HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command
- HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command
- HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command
- HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command
- Double-click the (Default) value in the right pane.
- Delete the current value data, and then type, or copy and paste:
"%1" %*
- Exit the Registry Editor.
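The removal steps above undo the registry changes the write-up attributes to the worm. As an added example (not Symantec's code and not part of the original write-up), the Python script below audits a registry snapshot for those same changes: hooked shell\open\command handlers, DisableRegistryTools set to 1, the randomly named explorer subkey carrying the worm's marker values ("CacheBox Outfit"="yes", "Installed"="...by Begbie"), and Run entries that launch an executable directly from %Windir%. The snapshot dictionary format, the sample values and the %Windir% heuristic are assumptions made for the example; the stock regfile and scrfile handler defaults it accepts come from general Windows 2000/XP knowledge rather than from the write-up, and the winreg collector only runs on Windows.

```python
"""Registry audit for the persistence and sabotage changes the write-up lists.

Added example (not Symantec's code). Works on a snapshot dict so it runs anywhere;
a winreg collector for live Windows hosts is included.
"""
import ntpath
import sys
from typing import Dict, List, Tuple

Snapshot = Dict[str, Dict[str, str]]  # key path -> {value name: data}; "" is the (Default) value
Finding = Tuple[str, str, str]        # (kind, registry key, detail)

HKLM, HKCU = "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"
RUN_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System"
EXPLORER_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer"
FILE_TYPES = ("exefile", "regfile", "scrfile", "comfile", "batfile", "piffile")
HANDLER_KEYS = {t: HKLM + rf"\Software\CLASSES\{t}\shell\open\command" for t in FILE_TYPES}

# The handler command the write-up restores on every type, plus the stock Windows 2000/XP
# defaults for regfile and scrfile, which legitimately differ (general Windows knowledge,
# not taken from the write-up).
CLEAN_HANDLERS = {'"%1" %*'}
STOCK_EXTRAS = {"regfile": {'regedit.exe "%1"'}, "scrfile": {'"%1" /S'}}


def _exe_path(command: str) -> str:
    """Program path from a Run value: either '"C:\\dir\\x.exe" args' or 'C:\\dir\\x.exe args'."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def audit(snapshot: Snapshot, windir: str = r"C:\WINDOWS") -> List[Finding]:
    findings: List[Finding] = []
    # 1. Hooked file-type handlers: anything other than the clean command is reported
    #    (a missing key shows up as "" and is reported too).
    for ftype, key in HANDLER_KEYS.items():
        cmd = snapshot.get(key, {}).get("", "").strip()
        if cmd not in CLEAN_HANDLERS | STOCK_EXTRAS.get(ftype, set()):
            findings.append(("hooked_handler", key, cmd))
    # 2. Registry Editor disabled by policy (the worm sets this to 1).
    if str(snapshot.get(POLICY_KEY, {}).get("DisableRegistryTools", "0")) == "1":
        findings.append(("regedit_disabled", POLICY_KEY, "DisableRegistryTools=1"))
    # 3. The worm's randomly named configuration subkey under explorer, recognised by
    #    the fixed marker values the write-up lists.
    for key, values in snapshot.items():
        if key.lower().startswith(EXPLORER_KEY.lower() + "\\"):
            if values.get("CacheBox Outfit") == "yes" or "by Begbie" in values.get("Installed", ""):
                findings.append(("worm_config_key", key, "marker values present"))
    # 4. Run entries launching an executable that sits directly in %Windir%, the drop
    #    location the write-up gives. Heuristic (assumption): stock Run entries normally
    #    point into subfolders such as system32, so a bare %Windir%\name.exe deserves a look.
    for name, data in snapshot.get(RUN_KEY, {}).items():
        if ntpath.dirname(_exe_path(data)).lower() == windir.lower():
            findings.append(("run_entry_in_windir", RUN_KEY, f"{name} = {data}"))
    return findings


# Constructed snapshot imitating an infected host; every random-looking name is made up.
SAMPLE_SNAPSHOT: Snapshot = {
    HANDLER_KEYS["exefile"]: {"": r'C:\WINDOWS\qrmxv.exe "%1" %*'},  # worm inserted in front
    HANDLER_KEYS["regfile"]: {"": 'regedit.exe "%1"'},                # stock default, untouched
    HANDLER_KEYS["scrfile"]: {"": '"%1" /S'},
    HANDLER_KEYS["comfile"]: {"": '"%1" %*'},
    HANDLER_KEYS["batfile"]: {"": '"%1" %*'},
    HANDLER_KEYS["piffile"]: {"": '"%1" %*'},
    POLICY_KEY: {"DisableRegistryTools": "1"},
    EXPLORER_KEY + r"\kwzpq": {"CacheBox Outfit": "yes", "Installed": "...by Begbie"},
    RUN_KEY: {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
              "kwzpq": r'"C:\WINDOWS\qrmxv.exe" autorun'},
}


def snapshot_from_winreg() -> Snapshot:
    """Collect the same keys from the live registry; Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows")
    import winreg
    hives = {HKLM: winreg.HKEY_LOCAL_MACHINE, HKCU: winreg.HKEY_CURRENT_USER}

    def read_values(path: str) -> Dict[str, str]:
        hive, _, sub = path.partition("\\")
        out: Dict[str, str] = {}
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):
                    name, data, _ = winreg.EnumValue(k, i)
                    out[name] = str(data)
        except OSError:
            pass  # key absent or access denied: reported as "" / empty by audit()
        return out

    snap = {p: read_values(p) for p in (RUN_KEY, POLICY_KEY, *HANDLER_KEYS.values())}
    try:
        with winreg.OpenKey(hives[HKLM], EXPLORER_KEY.partition("\\")[2]) as k:
            for i in range(winreg.QueryInfoKey(k)[0]):
                sub = EXPLORER_KEY + "\\" + winreg.EnumKey(k, i)
                snap[sub] = read_values(sub)
    except OSError:
        pass
    return snap


if __name__ == "__main__":
    snap = snapshot_from_winreg() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for kind, key, detail in audit(snap):
        print(f"{kind:22} {key}  {detail}")
```

Run it on a host before and after the removal steps: the first run should list the four finding kinds, the second should print nothing. The handler check is strict on purpose; a value that merely looks similar to the clean command is still reported so that a hooked handler is never waved through.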
Write-up by: John Canavan
TOPICS: Breaking News; Business/Economy; Crime/Corruption; Culture/Society; Front Page News; News/Current Events
KEYWORDS: computersecurity; lowqualitycrap; microsoft; symantec; virus; windows; worm
1 | posted on 09/18/2003 8:28:22 PM PDT by FourPeas
To: FourPeas
Systems Not Affected: DOS, Linux, Macintosh, Microsoft IIS, OS/2, UNIX, Windows 3.x
YAY!
2 | posted on 09/18/2003 8:30:56 PM PDT by CheneyChick (Kah-lee-fohr-nyah)
To: FourPeas
I received a bunch of these this evening -- all seemingly from Microsoft. What a pain these virus-spreading jerks are. Cutting off their hands seems pretty reasonable to me these days.
3 | posted on 09/18/2003 8:32:15 PM PDT by PackerBoy (Just my opinion ....)
To: CheneyChick
Do you run OSx ? How is it ?
4 | posted on 09/18/2003 8:34:02 PM PDT by ChadGore (Kakkate Koi!)
To: FourPeas
This particular worm sometimes makes itself look like a Microsoft patch.
And, to make this one even better, Mr. FourPeas (who works in IT Security) just had a discussion today with various members of the company's IT department because they'd just started e-mailing Microsoft patches out to all the various machines. (They couldn't get Marimba to work....) Mr. FourPeas' argument: an e-mail can be spoofed and cause someone, thinking they were installing a patch, to instead release a virus.
5 | posted on 09/18/2003 8:34:38 PM PDT by FourPeas (Syntax, schmintax.)
To: ChadGore
I love OS X. It is solid. I switched my parents to it as well and the 'tech support' calls have dropped off almost completely!
Cheers, CC :)
6 | posted on 09/18/2003 8:37:37 PM PDT by CheneyChick (Kah-lee-fohr-nyah)
To: All
How many of you folks have been having network probs?
Two worms have managed to get past the network protection/firewalls etc. here at my college, causing the internet in the dorms to go down half the time...very annoying.
I have heard of this happening at other colleges.
Anybody having such problems at work networks or anything?
7 | posted on 09/18/2003 8:38:59 PM PDT by rwfromkansas ("Men stumble over the truth, but most pick themselves up as if nothing had happened." Churchill)
To: rwfromkansas
A local news station did a story last week about a nearby college that distributed anti-virus software to each student in on-campus housing. They'd had so many problems in the past that it was cheaper to purchase licenses for all the students' PCs rather than fight the fires later.
8 | posted on 09/18/2003 8:42:48 PM PDT by FourPeas (Syntax, schmintax.)
To: FourPeas
One of the messages, as shown below, pretends to be a critical message from Microsoft, suggesting that the users update their system with the attached "Patch***.exe", where *** is a series of three numbers:
When will these virus writers ever learn? Don't make something so easy to block.
9 | posted on 09/18/2003 8:44:32 PM PDT by lelio
FREE PC PROTECTION (not an exhaustive list):
10 | posted on 09/18/2003 8:47:22 PM PDT by martin_fierro (Great Googlymoogly!)
To: FourPeas
Stopping this one (or many of them) is reasonably easy... strip off .exe attachments to mail messages at the server.
There's no real reason for most people to be sending executables to each other. Take 'em at the server. It solves a whole world of problems.
11 | posted on 09/18/2003 10:10:06 PM PDT by Ramius
To: ChadGore
It's linux ten...
Unix for mac daddies.
Everyone I know who uses it... either says it's okay... or they found the "goodies" on it... and now they say it's dynamite!
Folks are really upset with the ongoing sieve in microsoft over the friggin HOLE in outlook and outlook express.
If folks have windows, they really ought to consider using a "NON AFFECTED" email client.
and anything that has a PIF, EXE or BAT or SCR attached... is in my opinion.. a bomb. Be wary of Zips and other self extracting compression utilities as well, it is only a matter of time before someone figures out how to insert an executable something in a zip, arch, or sit file...
I am a little concerned that this virus hits win 2000 as hard as it supposedly does... I understand a little with win 98,or perhaps even xp... but 2000 I had thought, was pretty well plugged of viral leak orifices... after four years.
To: FourPeas
I know squat about computers, really, but I never had a virus infect mine, in all the years I've been online. I simply do not open any attachments that are suspicious, until I reply to sender and get confirmation that they intended to send it.
13 | posted on 09/19/2003 5:46:22 AM PDT by Critter (Going back to sleep til the next revolution.)
To: Critter
Not opening attachments will get a large percentage of viruses, worms and other exploits, however there are others that spread in other ways. Blaster and Welchia, both major exploits, were spread through means other than e-mail. That's why a firewall is a good idea. ZoneAlarm is an excellent FREE personal firewall.
14 | posted on 09/19/2003 5:53:43 AM PDT by FourPeas (Syntax, schmintax.)
To: Ramius
Stopping this one (or many of them) is reasonably easy... strip off .exe attachments to mail messages at the server.
Exactly, we allow no .exe attachment whatsoever.
15 | posted on 09/19/2003 7:07:48 AM PDT by w1andsodidwe (recycling is a waste of time for hardworking taxpayers, hire the homeless to sort garbage)
To: Critter
I know squat about computers, really, but I never had a virus infect mine, in all the years I've been online. I simply do not open any attachments that are suspicious, until I reply to sender and get confirmation that they intended to send it.
Same here - I surf news only with drudge etc.. some ebay and swap pictures of local hot rods with other klub members - never had a virus until my wife's prof said her email to him had two - so I bought Norton and sure enough a trojan and a worm - I suspect my kids got them from the head banger websites as they download music clips etc
It's smart money - PS - I delete anything I get from people I do not know -
16 | posted on 09/19/2003 8:02:03 AM PDT by Revelation 911 (proudly taunting calvinists (my Christian brothers) since 2001)
To: FourPeas
That's why a firewall is a good idea. ZoneAlarm is an excellent FREE personal firewall.
Available at
http://www.zonelabs.com ;-)
17 | posted on 09/19/2003 8:10:47 AM PDT by Tunehead54 (Support our President!)
To: FourPeas
Yuck. I just had a hard time eradicating a nasty Cool Web Search CWS hijack program.
Adaware would not kill it and I had to download a shredder.
18 | posted on 09/19/2003 8:55:54 AM PDT by finnman69 (!)
To: Revelation 911
This is not to criticize, you seem to be doing quite well, but you are very much more likely to get a virus by opening an attachment from someone you know, i.e., someone who has you in their address book.
Its smart money - PS - i delete anything I get from people I do not know
19 | posted on 09/19/2003 9:55:06 AM PDT by Salo (Are you a man, or a mouse-user?)
To: Tunehead54
I like ZoneAlarm so much that after two years of using the free version (guilt creeping in?) I finally sent them $29.95 and grabbed the Pro version, primarily for the pop-up stopper that is not included in the free version. I can't understand why folks think they can get by without this protection, FREE is a very good price!!!
20 | posted on 09/19/2003 9:56:24 AM PDT by LayoutGuru2 (Call me paranoid but finding '/*' inside this comment makes me suspicious)