Swen worm spreads quickly
ZDNet | 9/19/2003 | Matthew Broersma
Posted on 09/19/2003 2:14:48 PM PDT by B Knotts
Security experts say that the Swen mass-mailing Windows worm appears to be spreading quickly, moving to the top of the virus charts a day after it first appeared--and even maintaining its own counter that supposedly monitors how many PCs have been infected.
For information on how to combat the worm, click here.
Antivirus companies warned on Thursday that the worm, variously known as I-Worm.Swen, W32/Swen.A@mm or W32/Gibe@MM.e, had the potential to spread quickly because it is well-disguised as a security update from Microsoft. It takes advantage of a two-year-old Internet Explorer flaw that allows it to execute directly from an e-mail message without the help of the user.
On Friday, e-mail provider Messagelabs said its e-mail servers had stopped more copies of Swen than any other worm, including Klez.H, the previous top threat. The largest proportion of the 35,450 copies of Swen stopped by Messagelabs originated from the US, followed by the UK.
The first time the worm executes on a system, it contacts a Web address and updates a counter that supposedly indicates how many machines are infected--although antivirus vendors doubt that the figure is correct. As of Thursday, the counter already listed more than 500,000 infected PCs.
Antivirus vendors upgraded their assessment of Swen's threat on Friday, due to the increase in infections. Symantec, for example, shifted Swen up to a category 3 virus.
Windows users are still reeling from a series of damaging virus attacks that have caused chaos in recent weeks, partly due to the large number of Internet-connected PCs that have not patched known vulnerabilities. Swen in part relies on a flaw Microsoft first disclosed in a 2001 security bulletin, although it can also be spread by duping users into executing its attachment.
The worm affects Windows 95, Windows NT, and all newer versions, and spreads via e-mail and through IRC, Kazaa and local area networks. It attempts to disable firewall and antivirus software.
One of the e-mails that Swen uses to spread is a professional-looking message that appears to come from "MS Technical Assistance", and contains a notification of a "September 2003, Cumulative Patch", along with the virus attachment. Microsoft does not spread updates via e-mail.
When executed, the worm continues to pose as a security update, launching a message window that states: "This will install Microsoft Security Update. Do you wish to continue?" If the user clicks "Yes", the worm shows a fake installation dialogue box, but also installs invisibly if the "No" button is pressed.
Swen installs various files to ensure that it is launched every time the system boots up. It also disables the user's ability to edit the Registry.
Users are advised not to launch attachments without first scanning them with antivirus software. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, and Trend Micro.
(Excerpt) Read more at zdnet.com.com ...
TOPICS: Business/Economy; Technical
KEYWORDS: fast; gibe; lowqualitycrap; microsoft; spreading; swen; virus; windows; worm
1 posted on 09/19/2003 2:14:49 PM PDT by B Knotts
To: B Knotts
This must be why Symantec sent me a virus upgrade this morning.
2 posted on 09/19/2003 2:29:28 PM PDT by stanz
(Those who don't believe in evolution should go jump off the flat edge of the Earth.)
To: B Knotts
I stopped counting after receiving 200 copies of the blasted thing in E-mail. And, that was as of early this morning.
Jack
3 posted on 09/19/2003 2:38:28 PM PDT by JackOfVA
To: stanz
Be careful. Any .exe files may be the virus itself. I've been attacked with this thing (it started yesterday about noon, and I've received over 900 so far.) They're coming in at a rate of about 20/hour now. The titles of the emails change... most imply some sort of alert, patch, security issue. I have Norton... Symantec... and they haven't sent anything legit. If you need to upgrade your virus software, ONLY do it from the Symantec site... not from a program e-mailed to you.
I haven't opened any of them, so I didn't GET the virus (Norton is catching about half of them).
Good luck.
4 posted on 09/19/2003 2:39:05 PM PDT by calcowgirl
(Right Wing Crazy #4052977)
To: B Knotts
a professional-looking message that appears to come from "MS Technical Assistance", and contains a notification of a "September 2003, Cumulative Patch", along with the virus attachment.
Yup, just deleted a variation from my server, supposedly from "MS Internet Security Dept." with the subject "Last Net Upgrade" talking about a "cumulative patch" file attached.
To: stanz
Did the virus update come via e-mail or through NAV LiveUpdate?
To: calcowgirl
Thanks.
Symantec sent me the update. Have to check when I get home to see if any of those e-mails you mentioned showed up. 20 an hour is a bit much. What I get all the time are those annoying Nigerian scams which I forward to the government task force. At least they can't disable my PC.
7 posted on 09/19/2003 2:46:29 PM PDT by stanz
(Those who don't believe in evolution should go jump off the flat edge of the Earth.)
To: browardchad
Through the Nav Line Update.
8 posted on 09/19/2003 2:47:50 PM PDT by stanz
(Those who don't believe in evolution should go jump off the flat edge of the Earth.)
To: browardchad
Make that "Live" update.
9 posted on 09/19/2003 2:48:58 PM PDT by stanz
(Those who don't believe in evolution should go jump off the flat edge of the Earth.)
To: B Knotts
it is well-disguised as a security update from Microsoft. It takes advantage of a two-year-old Internet Explorer flaw that allows it to execute directly from an e-mail message without the help of the user.
I thought so long as you didn't click on anything you would be ok. I don't use explorer for my email. I wonder what one would scan for to see if your system was infected. I got several of them.
I am not using a site to intercept my email so I can delete the ones I don't want to download to my machine.
10 posted on 09/19/2003 2:54:44 PM PDT by Aliska
To: B Knotts
Ahoy mateys! How many times does Microsoft have to tell people they don't e-mail security updates to their customers? I have been getting these Microsoft patches e-mails for a couple of weeks. A scurvy pox on these virus-generating scoundrels.
To: Savage Rider
Arrrr...keel'aul 'm! And then 'ang any that are left alive!
12 posted on 09/19/2003 3:06:20 PM PDT by B Knotts
To: Budge; maxplunder
Ping!
13 posted on 09/19/2003 3:19:12 PM PDT by sweetliberty
("Having the right to do a thing is not at all the same thing as being right in doing it.")
To: browardchad
I've been getting that all day. I wondered why MS would suddenly be mailing me updates. Anyway it got caught. I couldn't download it if I had wanted to. The attachment was ghosted.
14 posted on 09/19/2003 3:36:40 PM PDT by GOP_Proud
(Those who preach tolerance seem to have the least. . .for my views.)
To: stanz
LOL @ the Nigerian scams. It's kind of fun to engage those guys in discussion for a while.
Re: emails... if it has an attachment, my recommendation would be to not open it unless you know the person it is from. Unlike some email worms, this one doesn't disguise itself as someone you know (yet, anyway).
15 posted on 09/19/2003 3:39:28 PM PDT by calcowgirl
(Right Wing Crazy #4052977)
To: calcowgirl
They annoy me. I just want them to go away. I forward their e-mails to that government site set up by the Better Business Bureau. Then I block future messages in Outlook Express so they can't bother me a second time. Unfortunately, there are so many of them out there that I get several new ones every day.
Yes, thanks for the advice. My daughter and I share the PC and I have instructed her not to open anything unless she knows the sender, either.
16 posted on 09/19/2003 3:43:35 PM PDT by stanz
(Those who don't believe in evolution should go jump off the flat edge of the Earth.)
To: B Knotts
The first time the worm executes on a system, it contacts a Web address and updates a counter that supposedly indicates how many machines are infected...
Does anybody have the URL for this site? What else do I have to do tonight?
To: browardchad
I've seen the same thing posted to usenet.
To: B Knotts
Virus writers and spammers should be chained in the pit of a public outhouse.
19 posted on 09/24/2003 9:07:18 AM PDT by steve-b
To: B Knotts
More stupid people opening attachments...