I-Worm.Swen

Discussion in 'malware problems & news' started by DolfTraanberg, Sep 19, 2003.

Thread Status:
Not open for further replies.
  1. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    I-Worm.Swen



    Swen is a very dangerous worm-virus that spreads across the Internet via email (in the form of an infected file attachment), the Kazaa file sharing network, IRC channels, and open network resources.

    Swen is written in Microsoft Visual C++ and is 105KB (106496 Bytes) in size.

    The worm activates when a victim launches the infected file (double clicking on the file attachment) or when a victim machine's email application is vulnerable to the IFrame.FileDownload vulnerability (also exploited by the Internet worms Klez and Tanatos). Once run, Swen installs itself in the system and begins its propagation routine.

    You can download the patch released in March 2001 for the IFrame vulnerability: Microsoft Security Bulletin MS01-020.

    The worm blocks many anti-virus programs and firewalls. Its algorithm and parts of the code text are almost identical to that of another Internet worm called I-Worm.Gibe, although the programming language used is different.

    http://www.viruslist.com/eng/viruslist.html?id=88029
    http://vil.nai.com/vil/content/v_100662.htm
    http://sophos.com/virusinfo/analyses/w32gibef.html
    http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html
     
  2. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :( FYI...a friendly reminder, since this worm may come in the form of a -bogus- e-mail from "Microsoft", with an attachment:

    http://www.microsoft.com/technet/security/policy/swdist.asp?frame=true
    "...Microsoft -never- distributes software directly via e-mail...
    We occasionally send e-mail to customers to inform them that upgrades are available. However, the e-mail will only provide links to the download sites -- we will -never- attach the software itself to the e-mail. The links will always lead to either our web site or our FTP site, never to a third-party site..."


    ;) - IMHO, you can "pre-screen" your e-mail (i.e.: using "MailWasher"), looking for those bogus e-mails from "Microsoft" with an attachment (NOT!) and delete them before your e-mail client loads them onto your system.

    EDIT/ADD: It appears the Header info from these e-mails probably contains a "spoofed" address, so don't bother to "bounce" it...you may "bounce" it to someone who never sent it!
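    A pre-screen check of the kind described above, as an added example that is not from this thread or from any tool named in it: it holds mail whose sender claims to be Microsoft and carries an attachment, and separately flags an executable attachment declared under a non-executable MIME type (the mismatch the MS01-020 patch from the first post addresses). The sample messages, addresses and extension lists are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# File extensions Windows will execute on double-click (the Swen attachment was an .exe).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# MIME types under which a Windows executable is legitimately declared.
EXEC_MIME_TYPES = {"application/octet-stream", "application/x-msdownload"}


def screen_message(raw: bytes) -> list[str]:
    """Return the reasons a message should be held back before the mail client loads it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    claims_microsoft = "microsoft" in str(msg.get("From", "")).lower()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        ext = name[name.rfind("."):] if "." in name else ""
        if claims_microsoft:
            # Microsoft never attaches software to e-mail, so any attachment here is suspect.
            reasons.append(f"'Microsoft' sender with attachment {name!r}")
        if ext in EXEC_EXTENSIONS:
            reasons.append(f"executable attachment {name!r}")
            if ctype not in EXEC_MIME_TYPES:
                # An executable declared as a harmless type is the MIME-mismatch
                # pattern the MS01-020 patch closed off in the mail client.
                reasons.append(f"declared type {ctype} does not match {ext} file")
    return reasons


def build_sample(sender: str, filename: str, maintype: str, subtype: str) -> bytes:
    """Build a constructed test message; the payload bytes are dummy, not a real binary."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Latest Security Update"
    msg.set_content("Install the attached file.")
    msg.add_attachment(b"MZ dummy constructed bytes", maintype=maintype,
                       subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples: a bogus "Microsoft update" mail and an ordinary one.
BOGUS = build_sample("Microsoft Security <support@microsoft.com>", "patch.exe", "image", "gif")
CLEAN = build_sample("Alice <alice@example.invalid>", "notes.pdf", "application", "pdf")

if __name__ == "__main__":
    for label, raw in (("bogus", BOGUS), ("clean", CLEAN)):
        print(label, screen_message(raw) or ["ok"])
```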
     
  3. libbo1

    libbo1 Registered Member

    Joined:
    May 28, 2003
    Posts:
    123
    Location:
    florida
    I'm on the select list!!! Got the impressive looking and official appearing email today. Shredded it and sent the abuse notice!! :cool:
     
  5. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :( FYI...
    http://story.news.yahoo.com/news?tmpl=story&cid=74&ncid=74&e=2&u=/cmp/20030920/tc_cmp/15000773
    Sat Sep 20, 2003

    "Less than 24 hours after first being detected, the Swen blended-threat worm picked up steam Friday, gained a foothold in the U.S. and the U.K., and accounted for over 35,000 interceptions by e-mail filtering firm MessageLabs...
    - The worm...now leads all other viruses and worms in the wild...Swen also presents problems for users who haven't deployed a two-and-a-half-year-old patch for a vulnerability in Internet Explorer 5.01 (but not 5.01 with SP2 installed) and IE 5.5. (The vulnerability stems from a flaw in how IE handles MIME types in HTML-based e-mail.) Windows systems still vulnerable to this flaw are especially at risk, since Swen exploits the security gaffe to automatically--without user intervention--execute the worm. Users who haven't rolled out this patch should do so immediately."

    :eek: - Affected IE versions download URL for patch Q290108 <-- click here!
     
  6. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    ;) FYI...

    Disinfection Tool available:

    - https://www.europe.f-secure.com/v-descs/swen.shtml

    - http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.removal.tool.html

    EDIT: (Sorry, you'll have to do a copy/paste for the 2nd URL here - Board post/editor doesn't like the "@" sign in the URL...)
     
  7. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    ;) FYI...for those still curious about it...
    - from the Internet Storm Center, you can go here for "Everything you ever wanted to know about the Swen Virus":

    http://isc.sans.org/management/Swen.pdf
     
  8. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    o_O No MSBlaster II...Worm Writers Lying Low
    http://www.techweb.com/wire/story/TWB20030926S0011
    September 26, 2003
    "Over a week ago, several security experts noticed that exploit code for a recently-disclosed vulnerability in Microsoft Windows was circulating throughout the hacker underground, and said that another MSBlaster-style worm was only days away. No such worm appeared. What gives?...
    - 'The people who create worms are lying low,' said Ken Dunham, an analyst with security firm iDefense. 'When worm authors are quickly prosecuted and held accountable, that impacts development. They're thinking, 'It's just not worth it if I'm going to jail'...
    - Alfred Huger, the senior director of engineering at Symantec's security response center: 'Unfortunately, we don't always nail a [time] window on an exploit,' he explained. Although there's a danger of destroying credibility in the long term by 'crying wolf,' Huger noted that there's a very fine line between disclosing that an exploit exists and saying nothing. Security firms can get slammed either way..."
     
  9. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    FYI...
    http://www.silicon.com/news/500013/14/6244.html
    2 October 2003
    "...The most commonly received virus for September...Swen worm, which fools users into opening an attachment by masquerading as a Microsoft security update email...23.5 per cent of all reported viruses last month..."
     
  10. FukenFooser 007.5

    FukenFooser 007.5 Registered Member

    Joined:
    Sep 28, 2003
    Posts:
    118
    Location:
    High Mnt West. Idaho
    :mad:
    Maybe "norton" can measure the # infected because they snipped - no software bashing allowed


    Just a thought, Norton let my 60G drive get hosed this last weekend and I have been spending every free moment to get the sys back up!
    Norton and another anti clashed and locked it up! Am very pissed @ Norton!
    :mad: :mad: :mad:
     
  11. rudders

    rudders Guest

    Doing this via proxy - a friend's pc has been infected with this worm (Swen.A). Ran her virus protection, and it found 5 results. She then fixed the problem (so she thought); next time she switches her pc on, a lot of files have disappeared, Mail ain't working, and the System Tray has emptied :eek: and other things are failing. She then contacted the shop where she bought the pc, and they suggested DL'ing a MS patch - which brought me here, coz between me & you, I didn't have a ruddy clue which patch to look for :p (I'm waffling, I do apologise). I spotted the one posted earlier, MS01-020,
    found here http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp Now, is this all I need to install, and all my troubles will be solved :eek: or will I need to do summat else ... I do apologise if this is all a bit bloody vague, but as I said I'm doing this *on request* - so to speak, and I ain't the brightest when it comes to all this techie stuff :oops:

    ffs ! be gentle with me :D
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi rudders,

    Please continue in your own thread: http://www.wilderssecurity.com/showthread.php?t=14654

    Regards,

    Pieter
     
  13. rudders

    rudders Guest

    bugger me , i`m getting re-directed all over the shop :D
     
  14. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :( FYI...

    http://www.f-secure.com/v-descs/swen.shtml
    "...
    - VARIANT: Swen.B
    This minor variant was found on 9th of October, 2003. It has been created by compressing the original virus with UPX. This has shrunk the virus from 106496 bytes to 52224 bytes, making it undetectable to some antivirus programs. In addition, many references to Microsoft in the original virus have been changed to references to Tiscali, an Italian ISP...

    - VARIANT: Swen.C
    This minor variant was also found on 9th of October, 2003. Like the previous variant this one is also compressed with UPX file compressor. The packed file size is 52224. Swen.C has a bit different set of text strings mentioning both Tiscali and Microsoft and also the name of Tiscali's CEO Renato Soru. A few Tiscali links that were present in the B variant were slightly modified..."
     