Interesting People mailing list archives

**Virus Alert -- W32.Swen.A@mm**


From: Dave Farber <dfarber () cs cmu edu>
Date: Fri, 19 Sep 2003 11:16:42 -0400

From the UPenn folks.


Hi folks --

This is an alert regarding W32.Swen.A, a mass-mailing worm that has begun
spreading worldwide.  This worm affects machines running Windows 95, 98,
ME, NT, 2000, and XP.  The worm can spread through email via a randomly
named attachment.  In these cases the subject, body, and From: address of
the email may vary as well. Some examples claim to be patches for
Microsoft Internet Explorer, or delivery failure notices.  It can also
spread through KaZaA, IRC, Network Shares, and newsgroups.

If the worm is executed, it will attempt to email itself to addresses found
on the local machine.  The worm also has a destructive payload: it
searches for and deletes files associated with security and anti-virus
applications, including Norton AntiVirus and Zone Alarm.  Symantec
definitions dated 9/18/2003 will detect W32.Swen.A.  There have been
several reports of W32.Swen.A appearing on campus already.


Characteristics
---------------

When arriving via email, the message will contain a random subject,
randomly configured message body, and a randomly named attachment.  Many
of the messages claim to be updates from Microsoft, although the worm can
also impersonate mail delivery failure notices, attaching itself as a
randomly named executable.  More specific details about the types of
messages it sends, including an example message, can be found off the
W32.Swen.A write-up linked off the Virus Alerts page.

The worm sometimes uses an incorrect MIME Header exploit, mentioned in
Microsoft Security Bulletin MS01-020, to ensure that it is automatically
executed when the mail is viewed.  A patch for this exploit was published
on March 29, 2001 and can be found below in the Recovery section.

When the attachment is executed, the worm will do the following:

-- copy itself to %Windir% with a randomly generated filename
-- send itself to email addresses found on the local machine
-- terminate a number of processes that are associated with security and
anti-virus applications, including NAV and ZoneAlarm (see the W32.Swen.A
write-up linked off the Virus Alerts page for full details)
-- create the file %Windir%\Germs0.dbv, where it stores the email
addresses it has found
-- create the file %Windir%\Swen1.dat, where it stores a list of remote
news and mail servers
-- drop a %ComputerName%.bat file, which executes the worm, and a randomly
named configuration file that stores the local, machine-specific data
-- modify and add several registry values (see the W32.Swen.A write-up
linked off the Virus Alerts page for full details)
-- periodically present users with a fake MAPI32 Exception error
prompting them to enter the details of their email account, including the
following:
Email address, Username, Password, POP3 server, SMTP server
-- intercept the execution of any of the processes that it is programmed
to terminate, preventing them from loading, and then present the user
with the following fake error message:
Exception error occured:
Memory access violation in module kernel32 at %random.memory.address%
-- send an HTTP GET request to a predefined HTTP server to retrieve
counter information when the worm runs for the first time; the worm
may then display the counter information
-- attempt to create one or more compressed copies of itself using the
WinZip file-compression utility, and then the WinRAR file-compression
utility
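As an added example (not part of the UPenn alert or the Symantec write-up), a small Python triage helper that checks a Windows directory for the on-disk artifacts the list above names: Germs0.dbv, Swen1.dat and the %ComputerName%.bat file. The function names and the sample listing are my own; it can be pointed at a live %Windir% or at a mounted copy of an affected disk.

```python
import os
from pathlib import Path

# File names taken from the alert above; the randomly named worm copy and
# configuration file cannot be matched by name, so they are not listed here.
FIXED_ARTIFACTS = ("Germs0.dbv", "Swen1.dat")


def swen_artifact_names(file_names, computer_name):
    """Return the advisory-listed Swen file names present in file_names.

    Pure function over a list of names, so it can be run against a directory
    listing captured from another machine. Matching is case-insensitive
    because FAT/NTFS paths are.
    """
    wanted = {name.lower() for name in FIXED_ARTIFACTS}
    wanted.add(f"{computer_name}.bat".lower())  # %ComputerName%.bat from the alert
    return sorted(name for name in file_names if name.lower() in wanted)


def find_swen_artifacts(windir, computer_name):
    """Walk the top level of windir and return matching artifact paths."""
    windir = Path(windir)
    if not windir.is_dir():
        raise FileNotFoundError(f"Windows directory not found: {windir}")
    names = [entry.name for entry in windir.iterdir() if entry.is_file()]
    return [str(windir / name) for name in swen_artifact_names(names, computer_name)]


if __name__ == "__main__":
    # Defaults come from the environment on a live Windows host; override
    # both when scanning an offline copy of a disk.
    windir = os.environ.get("WINDIR", r"C:\Windows")
    computer = os.environ.get("COMPUTERNAME", "UNKNOWN")
    hits = find_swen_artifacts(windir, computer)
    if hits:
        print("Possible W32.Swen.A artifacts (confirm with updated NAV definitions):")
        for path in hits:
            print("  ", path)
    else:
        print("No advisory-listed Swen artifacts found in", windir)
```

A hit is a reason to run the full scan described in the Recovery section below, not a confirmation on its own, since a leftover Germs0.dbv may survive a partial cleanup.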


Recovery
--------

Symantec has not posted a removal tool for this worm yet.  We expect one
to be coming shortly and will send out a message announcing it when it
has been created.  In the meantime, please follow these instructions to
remove the worm.

-- run LiveUpdate to install the 09/18/2003 (or later) version of the NAV
virus definition file
-- run a full system scan of the user's hard drive
-- delete all files detected as W32.Swen.A@mm
-- modify the registry values that refer to the worm file (see the
"Recovery" section of the W32.Swen.A write-up linked off the Virus Alerts
page for full details)


Protection
----------

Symantec definitions dated 9/18/2003 will detect W32.Swen.A.  Make sure
you've installed the update for the incorrect MIME Header exploit,
mentioned in Microsoft Security Bulletin MS01-020.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

Instructions on how to update NAV definition files are located at:

http://www.upenn.edu/computing/help/doc/virus/nav/winnavupdate.html

Further information on the W32.Swen.A worm can be found at:

http://www.symantec.com/avcenter/venc/data/w32.swen.a@mm.html
http://www.europe.f-secure.com/v-descs/swen.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A
http://vil.nai.com/vil/content/v_100662.htm
http://www.sophos.com/virusinfo/analyses/w32gibef.html

Updated info will be posted shortly to the Virus Alert Web Page:

http://www.upenn.edu/computing/help/doc/virus/alert.html

Please contact:

-- the Provider Desk at 573-4017 or prodesk@isc with questions regarding
virus repair or detection
-- the Virus Alert team at virus@isc with questions and reports of virus
infections


--
ISC Provider Desk
prodesk () isc upenn edu
(215) 573-4017