Interesting People mailing list archives
**Virus Alert -- W32.Swen.A@mm**
From: Dave Farber <dfarber@cs.cmu.edu>
Date: Fri, 19 Sep 2003 11:16:42 -0400
From the UPenn folks.

Hi folks -- This is an alert regarding W32.Swen.A, a mass-mailing worm that has begun spreading worldwide. This worm affects machines running Windows 95, 98, ME, NT, 2000, and XP. The worm can spread through email via a randomly named attachment. In these cases the subject, body, and From: address of the email may vary as well. Some examples claim to be patches for Microsoft Internet Explorer, or delivery failure notices. It can also spread through KaZaA, IRC, network shares, and newsgroups. If the worm is executed, it will attempt to email itself to addresses found on the local machine. The worm also has a destructive payload where it searches for and deletes files associated with security and anti-virus applications, including Norton AntiVirus and Zone Alarm. Symantec definitions dated 9/18/2003 will detect W32.Swen.A. There have been several reports of W32.Swen.A appearing on campus already.

Characteristics
---------------

When arriving via email, the message will contain a random subject, a randomly configured message body, and a randomly named attachment. Many of the messages claim to be updates from Microsoft, although the worm can also impersonate mail delivery failure notices, attaching itself as a randomly named executable. More specific details about the types of messages it sends, including an example message, can be found in the W32.Swen.A write-up linked off the Virus Alerts page.

The worm sometimes uses an incorrect MIME Header exploit, mentioned in Microsoft Security Bulletin MS01-020, to ensure that it is automatically executed when the mail is viewed. A patch for this exploit was published on March 29, 2001 and can be found below in the Recovery section.

When the attachment is executed, the worm will do the following:

-- copy itself to %Windir% with a randomly generated filename
-- send itself to email addresses found on the local machine
-- terminate a number of processes that are associated with security and anti-virus applications, including NAV and ZoneAlarm (see the W32.Swen.A write-up linked off the Virus Alerts page for full details)
-- create the file %Windir%\Germs0.dbv, where it stores the email addresses it has found
-- create the file %Windir%\Swen1.dat, where it stores a list of remote news and mail servers
-- drop a %ComputerName%.bat file, which executes the worm, and a randomly named configuration file to store the local, machine-specific data
-- modify and add several registry values (see the W32.Swen.A write-up linked off the Virus Alerts page for full details)
-- periodically present users with a fake MAPI32 Exception error prompting them to enter the details of their email account, including the following: email address, username, password, POP3 server, SMTP server
-- intercept the execution of any of the processes that it is programmed to terminate, preventing them from loading, and then present the user with the following fake error message: Exception error occured: Memory access violation in module kernel32 at %random.memory.address%
-- send an HTTP GET request to a predefined HTTP server to retrieve counter information when the worm runs for the first time; the worm may then display the counter information
-- attempt to create one or more compressed copies of itself using the WinZip file-compression utility, and then the WinRAR file-compression utility

Recovery
------------

Symantec has not posted a removal tool for this worm yet. We expect one to be coming shortly and will send out a message announcing it when it has been created. In the meantime, please follow these instructions to remove the worm.

-- run LiveUpdate to install the 09/18/2003 (or later) version of the NAV virus definition file
-- run a full system scan of the user's hard drive
-- delete all files detected as W32.Swen.A@mm
-- modify the values that refer to the worm file in the registry (see the "Recovery" section of the W32.Swen.A write-up linked off the Virus Alerts page for full details)

Protection
-------------

Symantec definitions dated 9/18/2003 will detect W32.Swen.A.

Make sure you've installed the update for the incorrect MIME Header exploit, mentioned in Microsoft Security Bulletin MS01-020.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

Instructions on how to update NAV definition files are located at:
http://www.upenn.edu/computing/help/doc/virus/nav/winnavupdate.html

Further information on the W32.Swen.A worm can be found at:
http://www.symantec.com/avcenter/venc/data/w32.swen.a@mm.html
http://www.europe.f-secure.com/v-descs/swen.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A
http://vil.nai.com/vil/content/v_100662.htm
http://www.sophos.com/virusinfo/analyses/w32gibef.html

Updated info will be posted shortly to the Virus Alert Web Page:
http://www.upenn.edu/computing/help/doc/virus/alert.html

Please contact:
-- the Provider Desk at 573-4017 or prodesk@isc with questions regarding virus repair or detection
-- the Virus Alert team at virus@isc with questions and reports of virus infections

-- ISC Provider Desk
prodesk@isc.upenn.edu
(215) 573-4017
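The "incorrect MIME Header exploit" the alert refers to (Microsoft Security Bulletin MS01-020) is a mail part whose declared Content-Type is a benign media type while the payload is actually an executable; unpatched Outlook/Outlook Express builds would hand such a part to the rendering engine and run it when the message was merely viewed. The following is an added example, not part of the alert, the mailing list, or any of the vendor write-ups it links: a small mail-gateway style check, written with Python's standard email library, that flags leaf MIME parts declared as a renderable media type but carrying an MZ-headed payload or an executable filename. Both messages, the sender addresses and the attachment name update.exe are constructed for illustration and are not indicators taken from the Swen analyses; the extension list is an assumption, not something the alert states.

```python
"""Flag MIME parts whose declared media type does not match an executable
payload (the MS01-020 mismatch pattern).  Added example; all sample data
below is constructed for illustration."""
import base64
from email import message_from_string

# Extensions Windows will execute when the attachment is opened.
# Assumption: a reasonable list, not taken from the alert.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Media types a mail client may render or play without asking the user.
RENDERABLE_TYPES = ("audio/", "image/", "video/", "text/")

# Constructed stand-in for a PE file: only the DOS "MZ" signature matters here.
FAKE_PE = base64.b64encode(b"MZ" + b"\x90" * 62 + b"PE\x00\x00").decode()

# Constructed message (not a real Swen capture).  The attachment is declared
# audio/x-wav and inline, but it is named update.exe and its body starts with MZ.
SAMPLE_MAIL = f"""From: "MS Technical Assistance" <update@example.invalid>
To: user@example.invalid
Subject: Latest Internet Security Pack
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>Install this cumulative patch now.</body></html>
--BOUNDARY
Content-Type: audio/x-wav; name="update.exe"
Content-Transfer-Encoding: base64
Content-Disposition: inline

{FAKE_PE}
--BOUNDARY--
"""

# Constructed benign message for comparison: plain text body, no attachment.
BENIGN_MAIL = """From: alice@example.invalid
To: bob@example.invalid
Subject: lunch
Content-Type: text/plain; charset="us-ascii"

Noon at the usual place?
"""


def suspicious_parts(raw_message: str) -> list:
    """Return one dict per leaf MIME part that is declared as a renderable
    media type but carries an executable (MZ header and/or executable name)."""
    msg = message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # only leaf parts carry a payload
        ctype = part.get_content_type()
        # get_filename() falls back to the name= parameter of Content-Type,
        # which is where a mismatched part usually carries its real name.
        fname = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if payload.startswith(b"MZ"):
            reasons.append("payload starts with the MZ executable signature")
        if fname.endswith(EXEC_EXTS):
            reasons.append("attachment name has an executable extension")
        if reasons and ctype.startswith(RENDERABLE_TYPES):
            if part.get_content_disposition() == "inline":
                reasons.append("disposition is inline, so the client may render it unprompted")
            findings.append({"content_type": ctype, "filename": fname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in suspicious_parts(SAMPLE_MAIL):
        print(f"{hit['content_type']} {hit['filename'] or '<unnamed>'}: "
              + "; ".join(hit["reasons"]))
    print("benign message findings:", suspicious_parts(BENIGN_MAIL))
```

The check deliberately keys on what the payload is (MZ signature) rather than only on the declared type, because the whole point of the MS01-020 trick is that the Content-Type header lies; a filter that trusts the header would pass exactly the parts this worm sends. Run on the constructed sample it reports the audio/x-wav part on all three counts and nothing for the benign message.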