I-Worm.Swen

I-Worm.Swen



Swen is a very dangerous worm-virus that spreads across the Internet via email (in the form of an infected file attachment), the Kazaa file sharing network, IRC channels, and open network resources.

Swen is written in Microsoft Visual C++ and is 105KB (106496 Bytes) in size.

The worm activates when a victim launches the infected file (double clicking on the file attachment) or when a victim machine's email application is vulnerable to the IFrame.FileDownload vulnerability (also exploited by the Internet worms Klez and Tanatos). Once run, Swen installs itself in the system and begins its propogation routine.

You can download the patch released in March 2001 for the IFrame vulnerability: Microsoft Security Bulletin MS01-20.

The worm blocks many anti-virus programs and firewalls. Its algorithm and parts of the code text are almost identical to that of another Internet worm called I-Worm.Gibe, although the programming language used is different.

http://www.viruslist.com/eng/viruslist.html?id=88029
http://vil.nai.com/vil/content/v_100662.htm
http://sophos.com/virusinfo/analyses/w32gibef.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html

 

FYI...a friendly reminder, since this worm may come in the form of a -bogus- e-mail from "Microsoft", with an attachment:

http://www.microsoft.com/technet/security/policy/swdist.asp?frame=true
"...Microsoft -never- distributes software directly via e-mail...
We occasionally send e-mail to customers to inform them that upgrades are available. However, the e-mail will only provide links to the download sites -- we will -never- attach the software itself to the e-mail. The links will always lead to either our web site or our FTP site, never to a third-party site..."

- IMHO, you can "pre-screen" your e-mail (i.e.: using "MailWasher"), looking for those bogus e-mails from "Microsoft" with an attachment (NOT!) and delete them before your e-mail client loads them onto your system.

EDIT/ADD: It appears the Header info from these e-mails probably contains a "spoofed" address, so don't bother to "bounce" it...you may "bounce" it to someone who never sent it!

 

I'm on the select list!!! Got the impressive looking and official appearing email today. Shredded it and sent the abuse notice!!

 

FYI...

http://story.news.yahoo.com/news?tmpl=story&cid=1804&e=2&u=/washpost/a35735_2003sep19

"...The worm is spreading at a rate of nearly 800 machines per hour, according to Symantec..."

(How -do- they measure that, anyway?)

 

FYI...
http://story.news.yahoo.com/news?tmpl=story&cid=74&ncid=74&e=2&u=/cmp/20030920/tc_cmp/15000773
Sat Sep 20, 2003

"Less than 24 hours after first being detected, the Swen blended-threat worm picked up steam Friday, gained a foothold in the U.S. and the U.K., and accounted for over 35,000 interceptions by e-mail filtering firm MessageLabs...
- The worm...now leads all other viruses and worms in the wild...Swen also presents problems for users who haven't deployed a two-and-a-half-year-old patch for a vulnerability in Internet Explorer 5.01 (but not 5.01 with SP2 installed) and IE 5.5. (The vulnerability stems from a flaw in how IE handles MIME types in HTML-based e-mail.) Windows systems still vulnerable to this flaw are especially at risk, since Swen exploits the security gaffe to automatically--without user intervention--execute the worm. Users who haven't rolled out this patch should do so immediately."

- Affected IE versions download URL for patch Q290108 <-- click here!

 

FYI...

Disinfection Tool available:

- https://www.europe.f-secure.com/v-descs/swen.shtml

- http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.removal.tool.html

EDIT: (Sorry, you'll have to do a copy/paste for the 2nd URL here - Board post/editor doesn't like the "@" sign in the URL...)

 

FYI...for those still curious about it...
- from the Internet Storm Center, you can go here for "Everything you ever wanted to know about the Swen Virus":

http://isc.sans.org/management/Swen.pdf

 

No MSBlaster II...Worm Writers Lying Low
http://www.techweb.com/wire/story/TWB20030926S0011
September 26, 2003
"Over a week ago, several security experts noticed that exploit code for a recently-disclosed vulnerability in Microsoft Windows was circulating throughout the hacker underground, and said that another MSBlaster-style worm was only days away. No such worm appeared. What gives?...
- 'The people who create worms are lying low,' said Ken Dunham, an analyst with security firm iDefense. 'When worm authors are quickly prosecuted and held accountable, that impacts development. They're thinking, 'It's just not worth it if I'm going to jail'...
- Alfred Huger, the senior director of engineering at Symantec's security response center: 'Unfortunately, we don't always nail a [time] window on an exploit,' he explained. Although there's a danger of destroying credibility in the long term by 'crying wolf,' Huger noted that there's a very fine line between disclosing that an exploit exists and saying nothing. Security firms can get slammed either way..."

 

FYI...
http://www.silicon.com/news/500013/14/6244.html
2 October 2003
"...The most commonly received virus for September...Swen worm, which fools users into opening an attachment by masquerading as a Microsoft security update email...23.5 per cent of all reported viruses last month..."

 

Maybe "norton" can measure the # infected because they snipped - no software bashing allowed


just a thought, norton let my 60G drive get hosed this last weekend and I have been spending every free moment to get sys back up!
Norton and a other anti clashed and locked it up ! Am very pissed @ norton!

 

doing this via proxy - a friends pc has bin infected with this worm (SwenA.) ran her Virus protection , and it found 5 results , she then fixes the problem (so she thought) next time she switches her pc on ,alot of files of disappeared , Mail aint working , and the System Tray has emptied and other things are failing , she then contacted the shop where she bought the pc ,and they suggested DL a MS Patch - which bought me here, coz between me & you, i dint have a ruddy clue which patch to look for (i`m waffling , i do apologise ) i spotted the one posted earlier MS01-020
found here http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp now, is this all i need to install, and all my troubles will be solved or will i need to do summat else ... i do apologise if this is all abit bloody vague , but as i said i`m doing this *on request - so to speak , and i aint the brighest when it comes to all this Techie stuff

ffs ! be gentle with me

 

Hi rudders,

Please continue in your own thread: http://www.wilderssecurity.com/showthread.php?t=14654

Regards,

Pieter

 

bugger me , i`m getting re-directed all over the shop

 

FYI...

http://www.f-secure.com/v-descs/swen.shtml
"...
- VARIANT: Swen.B
This minor variant was found on 9th of October, 2003. It has been created by compressing the original virus with UPX. This has shrunk the virus from 106496 bytes to 52224 bytes, making it undetectable to some antivirus programs. In addition, many references to Microsoft in the original virus have been changed to references to Tiscali, an Italian ISP...

- VARIANT: Swen.C
This minor variant was also found on 9th of October, 2003. Like the previous variant this one is also compressed with UPX file compressor. The packed file size is 52224. Swen.C has a bit different set of text strings mentioning both Tiscali and Microsoft and also the name of Tiscali's CEO Renato Soru. A few Tiscali links that were present in the B variant were slightly modified..."