NOTE: The definitions that Symantec's Digital Immune System automatically
created previously detected W32.Swen@mm as Worm.Automat.AHB.
Due to an increase in submissions, Symantec Security Response has upgraded
W32.Swen.A@mm to Category 3, as of 6:30 PM Thursday, September 18, 2003.
W32.Swen.A@mm is a mass-mailing worm that uses its own SMTP engine to spread
itself. It attempts to spread through file-sharing networks, such as KaZaA and
IRC, and attempts to kill antivirus and personal firewall programs running on a
computer.
The worm can arrive as an email attachment. The subject, body, and From: address
of the email may vary. Some examples claim to be patches for Microsoft Internet
Explorer, or delivery failure notices from qmail.
W32.Swen.A@mm is similar to
W32.Gibe.B@mm in function, and is written in C++.
This worm exploits a vulnerability in Microsoft Outlook and Outlook Express in
an attempt to execute itself when you open or even preview the message.
Information and a patch for the vulnerability can be found at:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
Symantec Security Response has developed a removal
tool to clean the infections of W32.Swen.A@mm.
Checks to see whether it has already been installed on the computer. If
so, the installation procedure will end and display the following message:
If the executed filename starts with the letter q, u, p, or i, the worm
will present the user with the following dialog box:
The worm will install itself regardless of the choice that is made. If you
click No, the worm will be installed silently. If you click Yes, the following
dialog boxes will be displayed while the worm is installed:
Attempts to end the following processes:
_avp
Azonealarm
avwupd32
avwin95
avsched32
avp
avnt
avkserv
avgw
avgctrl
avgcc32
ave32
avconsol
autodown
apvxdwin
aplica32
anti-trojan
ackwin32
bootwarn
blackice
blackd
claw95
cfinet
cfind
cfiaudit
cfiadmin
ccshtdwn
ccapp
dv95
espwatch
esafe
efinet32
ecengine
f-stopw
frw
fp-win
f-prot95
fprot95
f-prot
fprot
findviru
f-agnt95
gibe
iomon98
iface
icsupp
icssuppnt
icmoon
icmon
icloadnt
icload95
ibmavsp
ibmasn
iamserv
iamapp
jedi
kpfw32
luall
lookout
lockdown2000
msconfig
mpftray
moolive
nvc95
nupgrade
nupdate
normist
nmain
nisum
navw
navsched
navnt
navlu32
navapw32
nai_vs_stat
outpost
pview
pop3trap
persfw
pcfwallicon
pccwin98
pccmain
pcciomon
pavw
pavsched
pavcl
padmin
rescue
regedit
rav
sweep
sphinx
serv95
safeweb
tds2
tca
vsstat
vshwin32
vsecomr
vscan
vettray
vet98
vet95
vet32
vcontrol
vcleaner
wfindv32
webtrap
zapro
Drops a copy of itself to %Windir% with a randomly generated filename.
Note:
%Windir% is a variable. The worm locates the Windows installation
folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that
location.
Searches the .html, .asp, .eml, .dbx, .wab, and .mbx files on the hard
disk for email addresses.
Creates the file, %Windir%\Germs0.dbv, where it stores the email addresses
it has found.
Creates the file, %Windir%\Swen1.dat, where it stores a list of remote
news and mail servers.
Drops a %ComputerName%.bat file, which executes the worm, and a randomly
named configuration file that stores the local, machine-specific data.
Note:
%ComputerName% is a variable that represents the name of the infected
computer.
Adds the values:
"CacheBox Outfit"="yes"
"ZipName"="<random>"
"Email Address"="<The current user's email address that the worm
retrieves from the registry>"
"Server"="<The IP address of the SMTP server that the worm retrieves
from the registry>"
"Mirc Install Folder"="<location of mirc client on system>"
to prevent the user from running regedit on the computer.
Periodically presents users with a fake MAPI32 Exception error, prompting
them to enter the details of their email account, including the following:
Email address
Username
Password
POP3 server
SMTP server
Using the username and password, the worm logs into the POP3 server and
checks the user's email. If it finds a message that it sent itself, it deletes
that message. The worm only deletes messages that were sent from the currently
infected computer.
Intercepts the execution of any of the processes listed in step three,
preventing them from loading, and then presents the user with the following
fake error message:
Sends an HTTP GET request to a predefined HTTP server to retrieve counter
information when the worm runs for the first time. The worm may then display
the counter information.
For example:
Attempts to create one or more compressed copies of itself using the
Winzip file-compression utility, and then the Winrar file-compression utility.
The worm spreads through email, KaZaA, IRC, mapped drives, and newsgroups. The
following sections discuss how each of these transmission methods can occur.
Transmission through email
W32.Swen.A@mm sends a copy of itself to the addresses found on the system
through various methods. The worm can vary the message it sends, as well as the
filename that it attaches itself as. The worm may use an incorrect MIME Header
exploit, mentioned in
Microsoft Security Bulletin MS01-020, to ensure that it is automatically
executed when the mail is viewed.
One of the messages, as shown below, pretends to be a critical message from
Microsoft, suggesting that the users update their system with the attached file.
The attachment name is created by:
Selecting one of the following predetermined names:
Patch
Upgrade
Update
Installer
Install
Pack
Q
Followed by a series of random numbers, and then a file extension that is
either .exe or .zip.
The worm can also impersonate mail delivery failure notices, attaching itself as
a randomly named executable.
One example is:
I'm sorry I wasn't able to deliver your message to one or more destinations.
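As an added defender-side example (not Symantec's code and not part of the original write-up), the following Python check parses a message and flags the two tricks described above: a Swen-style attachment name and an executable attachment declared with a misleading MIME type, as in MS01-020. The prefix list comes from the text, the sample message is constructed, and treating any audio/* or image/* type on an executable attachment as a mismatch is an assumption of this example.

```python
import re
from email import message_from_string
from os.path import splitext

# Attachment names the write-up describes: fixed prefix + random digits + .exe/.zip.
SWEN_NAME = re.compile(
    r"^(patch|upgrade|update|installer|install|pack|q)\d+\.(exe|zip)$", re.I)
# Extensions the best-practices section recommends blocking at the mail server.
BLOCKED_EXT = {".vbs", ".bat", ".exe", ".pif", ".scr"}

def inspect_message(raw: str) -> list:
    """Return findings for a raw RFC 822 message; an empty list means clean."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:  # body text, not an attachment
            continue
        ext = splitext(name)[1].lower()
        ctype = part.get_content_type()
        if SWEN_NAME.match(name):
            findings.append("swen-style attachment name: " + name)
        if ext in BLOCKED_EXT:
            findings.append("blocked extension " + ext + ": " + name)
            # MS01-020 trick: executable content declared as an audio or image
            # type so a vulnerable Outlook/Outlook Express renders it on preview.
            if ctype.startswith(("audio/", "image/")):
                findings.append("MIME type " + ctype + " mismatches " + name)
    return findings

# Constructed sample resembling the fake Microsoft patch mail described in the
# text (not a real captured message); example.invalid is a reserved domain.
SAMPLE = """\
From: "MS Security Center" <update@example.invalid>
Subject: Current Network Security Patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Install the attached patch immediately.
--b1
Content-Type: audio/x-wav; name="Patch8291.exe"
Content-Disposition: attachment; filename="Patch8291.exe"

(constructed attachment body)
--b1--
"""
```

Running inspect_message(SAMPLE) yields three findings for the constructed mail; a message whose only attachment is, say, a PDF yields none.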
Transmission through KaZaA
When attempting to spread through KaZaA, W32.Swen.A@mm performs the following
actions:
Drops a .zip or .rar copy of itself into a randomly named subdirectory of
%Temp% on the computer.
Note:
%Temp% is a variable. The worm locates the Windows installation folder
(by default, this is C:\Windows or C:\Winnt) and copies itself to that
location.
which adds this folder to the list of shared folders in KaZaA.
Note:
<random folder name> is the folder created under %Temp% in step 1
above.
Some of the possible dropped filenames include:
Virus Generator
Magic Mushrooms Growing
Cooking with Cannabis
Hallucinogenic Screensaver
My naked sister
XXX Pictures
Sick Joke
XXX Video
XP update
Emulator PS2
XboX Emulator
Sex
HardPorn
Jenna Jameson
10.000 Serials
Hotmail hacker
Yahoo hacker
AOL hacker
fixtool
cleaner
removal tool
remover
Klez
Sobig
Sircam
Gibe
Yaha
Bugbear
installer
upload
warez
hacked
hack
key generator
Windows Media Player
GetRight FTP
Download Accelerator
Mirc
Winamp
WinZip
WinRar
KaZaA
KaZaA media desktop
Kazaa Lite
Transmission through IRC
When attempting to spread through IRC, W32.Swen.A@mm performs the following
actions:
Searches for a \Mirc folder.
Creates a Script.ini file in this folder, which the worm uses to send
.zip, .rar, or .exe files of itself to other mIRC users, who are connected on
the same channel as the infected computer.
Transmission through mapped drives
When attempting to spread through mapped drives, W32.Swen.A@mm does so to the
following locations:
\Win98\Start menu\Programs\Startup
\Win95\Start menu\Programs\Startup
\WinMe\Start menu\Programs\Startup
\Windows\Start menu\Programs\Startup
\Documents and Settings\All Users\Start menu\Programs\Startup
\Documents and Settings\Administrator\Start menu\Programs\Startup
\Documents and Settings\Default User\Start menu\Programs\Startup
Transmission through newsgroups
The worm will enumerate the registry looking for newsgroup server addresses,
then attempt to contact that newsgroup server. If a newsgroup server is not
configured on the system, the worm will randomly select one from a predefined
list. The worm will download the available groups and post messages to randomly
selected groups. The messages posted to the newsgroups are generated according
to the same routine used for sending email.
Symantec Security Response encourages all users and administrators to adhere
to the following basic security "best practices":
Turn off and remove unneeded services. By default, many operating systems
install auxiliary services that are not critical, such as an FTP server,
telnet, and a Web server. These services are avenues of attack. If they are
removed, blended threats have fewer avenues of attack and you have fewer
services to maintain through patch updates.
If a
blended threat exploits one or more network services, disable, or block
access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that
host public services and are accessible through the firewall, such as HTTP,
FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack
password files on compromised computers. This helps to prevent or limit damage
when a computer is compromised.
Configure your email server to block or remove email that contains file
attachments that are commonly used to spread viruses, such as .vbs, .bat,
.exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your
organization. Perform a forensic analysis and restore the computers using
trusted media.
Train employees not to open attachments unless they are expecting them.
Also, do not execute software that is downloaded from the Internet unless it
has been scanned for viruses. Simply visiting a compromised Web site can cause
infection if certain browser vulnerabilities are not patched.
Attention: Due to the numerous changes
that the worm makes to the Windows registry, it can be somewhat difficult to
remove if it has already run, and your
Symantec antivirus product subsequently quarantined or deleted it.
Follow the instructions in the section below that describes your situation. We
strongly advise that you read all the instructions in the appropriate sections
before you start.
W32.Swen.A@mm has not been quarantined or deleted
If your Symantec antivirus product has not quarantined or deleted W32.Swen.A@mm,
and you suspect or know that W32.Swen.A@mm is on your system, follow these
steps:
After the tool has run, update the virus definitions. Symantec Security
Response fully tests all the virus definitions for quality assurance before
they are posted to our servers. There are two ways to obtain the most recent
virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus
definitions: These virus definitions are posted to the LiveUpdate servers
once each week (usually on Wednesdays), unless there is a major virus
outbreak. To determine whether definitions for this threat are available by
LiveUpdate, refer to the Virus
Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The
Intelligent Updater virus definitions are posted on U.S. business days
(Monday through Friday). You should download the definitions from the
Symantec Security Response Web site and manually install them. To determine
whether definitions for this threat are available by the Intelligent
Updater, refer to the Virus Definitions (Intelligent
Updater).
If any files are detected as infected with W32.Swen.A@mm, click Delete.
W32.Swen.A@mm has already been quarantined or deleted
If your Symantec antivirus product has already detected and then quarantined or
deleted W32.Swen.A@mm, you will not be able to run .exe, .com, and other
executable files. Follow the instructions for your operating system.
For Windows 95/98
Restart the computer.
Do one of the following:
Windows 95. When "Starting Windows 95..." appears on the screen,
press F8. The Windows 95 Startup Menu appears.
Windows 98. As the computer restarts, press and hold down the
Ctrl key until the Windows 98 Startup Menu appears.
Note: On some computers, a keyboard or other error may appear
during restart as you hold down the Ctrl key. If so, then follow the prompts
to press a key to continue (for example, the message may prompt you to press
the Esc key), then immediately press the Ctrl key again.
Select "Command Prompt only."
Type the following and press Enter after typing each line:
cd\
cd windows
edit repair.reg
The DOS text editor opens.
Type the following lines into the DOS text editor exactly as shown here:
Press Alt and F at the same time to access the File menu, and then press X
to exit the DOS text editor. When prompted, press Enter to confirm that you
want to save the file. This returns you to the command prompt.
Type the following and press Enter after typing each line. You must type
them exactly as shown here:
After the tool has run, update the virus definitions. Symantec Security
Response fully tests all the virus definitions for quality assurance before
they are posted to our servers. There are two ways to obtain the most recent
virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus
definitions: These virus definitions are posted to the LiveUpdate servers
once each week (usually on Wednesdays), unless there is a major virus
outbreak. To determine whether definitions for this threat are available by
LiveUpdate, refer to the Virus
Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The
Intelligent Updater virus definitions are posted on U.S. business days
(Monday through Friday). You should download the definitions from the
Symantec Security Response Web site and manually install them. To determine
whether definitions for this threat are available by the Intelligent
Updater, refer to the Virus Definitions (Intelligent
Updater).
If any files are detected as infected with W32.Swen.A@mm, click Delete.
For Windows Me
To perform this procedure on Windows Me, you must have a Windows Me boot disk.
If you cannot locate the Me boot disk that came with your computer, you may be
able to obtain one from the PC vendor or a local computer store.
Insert the Windows Me boot disk in the floppy disk drive and restart the
computer. The computer opens to an MS-DOS prompt.
Type the following and then press Enter after typing each line:
c:
cd\
cd windows
edit repair.reg
The DOS text editor opens.
Type the following lines into the DOS text editor exactly as shown here:
Press Alt and F at the same time to access the File menu, and then press X
to exit the DOS text editor. When prompted, press Enter to confirm that you
want to save the file. This returns you to the command prompt.
Type the following and then press Enter after typing each line. You must
type them exactly as shown here:
After the tool has run, update the virus definitions. Symantec Security
Response fully tests all the virus definitions for quality assurance before
they are posted to our servers. There are two ways to obtain the most recent
virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus
definitions: These virus definitions are posted to the LiveUpdate servers
once each week (usually on Wednesdays), unless there is a major virus
outbreak. To determine whether definitions for this threat are available by
LiveUpdate, refer to the Virus
Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The
Intelligent Updater virus definitions are posted on U.S. business days
(Monday through Friday). You should download the definitions from the
Symantec Security Response Web site and manually install them. To determine
whether definitions for this threat are available by the Intelligent
Updater, refer to the Virus Definitions (Intelligent
Updater).
If any files are detected as infected with W32.Swen.A@mm, click Delete.
For Windows NT/2000/XP
Download the
W32.Swen.A@mm Removal Tool and begin to follow the instructions in the
W32.Swen.A@mm Removal Tool document. However, when you get to step 5,
which instructs you to "Double-click the FixSwen.exe file," stop. Do not
double-click the file. Instead:
Right-click the downloaded FixSwen.exe file, and then click Rename.
Rename the file to:
FixSwen.cmd
When you are asked whether you want to change the file extension, click
Yes.
Double-click the FixSwen.cmd file and continue with the steps in the
Removal Tool document.
After the tool has run, update the virus definitions. Symantec Security
Response fully tests all the virus definitions for quality assurance before
they are posted to our servers. There are two ways to obtain the most recent
virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus
definitions: These virus definitions are posted to the LiveUpdate servers
once each week (usually on Wednesdays), unless there is a major virus
outbreak. To determine whether definitions for this threat are available by
LiveUpdate, refer to the Virus
Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The
Intelligent Updater virus definitions are posted on U.S. business days
(Monday through Friday). You should download the definitions from the
Symantec Security Response Web site and manually install them. To determine
whether definitions for this threat are available by the Intelligent
Updater, refer to the Virus Definitions (Intelligent
Updater).