Chronic W32.Swen Virus Attack - Anyone Else Getting It?

The Vanity Virus Times | 10/22/03 | Michael

[sinkspur]

I'd be interested in the responses, too. I'm getting the same damned thing on mine.

[Egon]

What does this virus look like? I haven't heard of it yet. Is it a specific subject-line?

[Cicero]

No. I've had epidemics of virus attacks in the past, but nothing right now.

These things email themselves from infected computers as well as from the original spammers, so maybe you're one or two degrees of separation from a friend with an infected computer.

[Oldeconomybuyer]

W32/Swen@MM

W32/Swen@MM, I-Worm.Swen (AVP), W32/Gibe.e@MM, Win32.HLLM.Gibe.2 (DialogueScience) is a Medium Risk mass-mailing worm for home users. Sometimes posing as a Microsoft Security Update, this worm is intended to spread via the following methods:

• Mailing itself to recipients extracted from the victim's machine
• Copying itself over network shares (mapped drives)
• Sharing itself over the KaZaa P2P network
• Sending itself via IRC

The worm terminates processes relevant to various security and anti-virus products. Additionally, the worm contains its own SMTP engine to create outgoing messages to harvested email addresses from the victim's machine.

Various outgoing messages are created, with multiple subject lines and attachment names. Some make use of an Internet Explorer vulnerability to ensure the worm attachment is run upon viewing the email. See Microsoft Security Bulletin (MS01-020) . Messages created to take advantage of this vulnerability will be detected as Exploit-MIME.gen.exe with the 4215 DATs or greater (and earlier as Exploit-MIME.gen).

When the worm is run on the victim's machine, a series of fraudulent message boxes are displayed. The worm installs itself (using a random filename) into %WinDir%, for example: C:\WINDOWS\ZNFUL.EXE.

W32/Swen@MM modifies various registry keys and disables the execution of REGEDIT.EXE on the victim's machine. Additionally, the worm terminates various processes on the victim's machine.

What are the common subject lines, attachment names and message content associated with W32/Swen@MM emails?

Subject:
Returned Response

From:
Email Delivery Service (kmailengine@yahoo.com)

Body:
Undeliverable mail to (email address)

How do you know if you've been infected?

• Display of a series of dialog boxes
• Unexpected termination of various security and anti-virus products
• Inability to run RegEdit on the victim's machine

How do you clean your system if it’s already infected?

Ensure that your virus definition DAT files are current. Detection is included in the Daily DAT files (beta). W32/Swen@MM disables the execution of REGEDIT.EXE. The UNDO.REG tool will reverse the changes made by the virus and allow the user to execute REGEDIT.EXE as normal.

Additional Windows ME/XP removal considerations

[martin_fierro]

Nothing here yet. Will keep on the lookout, tho.

[lodwick]

Nothing here - thank goodness.

[martin_fierro]

FR Tech Tips List

FREE PC PROTECTION (not an exhaustive list): Alternative browsers: Mozilla Opera AVG Anti-Virus Free Edition: Free anti-viral protection Bayden Systems Popup Popper: Blocks popup ads well in MSIE Shoot the Messenger: Close that *#$($#$) Messenger in Windows XP Spyware removers: Spybot S&D AdAware MailWasher: Good for pre-screening & bouncing SPAM Windows Update: At least install the critical ones ZoneAlarm: Excellent Firewall Test your firewall from without with ShieldsUP! Test your firewall from within with LeakTest

[PoorMuttly]

Muttly eat virus.

No problem.

[Maigrey]

With Norton AntiVirus 2002, click on Options, click on Email on the left-hand side, and select the option "Repair then silently quarantine if unsuccessful" under "How to Respond when a Virus is Found".

- Maigrey's husband

[C210N]

I just changed my settings yesterday, so the jury is still out if this change "takes", but fwiw I havn't seen any more since then... here is the procedure:

On the "System Tray", right-click on the Norton Antivirus Icon, and then left-click on the "Configure Norton Antivirus" option. Open the Internet/Email tab, and switch from your current setting "Ask me what to do" to be "Repair, and silently quarantine if unsuccessful"

[sinkspur]

Thanks. I'll give that one a try.

[Wright is right!]

"With Norton AntiVirus 2002, click on Options, click on Email on the left-hand side, and select the option "Repair then silently quarantine if unsuccessful" under "How to Respond when a Virus is Found"."

Seems like I tried that once before but I've just done that procedure again to see if it will work this time.

Fortunately, I'm using Forte Agent 1.9 for email (it's a fab news / Usenet reader but it also does mail really well and is IMPERVIOUS to virii, and I've got Zone Alarm going, too.

michael

[Damocles]

It's been around for a while.

See previous posts here.

[Wright is right!]

OK, got another question - see if you know the answer to this.

I've got a paid copy of Norton A/V 2002 on the desktop. I also used the Norton CD to install 2002 to my laptop, but this was before I renewed the subscription. Now, everytime I open the laptop, Norton nags me to renew. Is there a clean way to make "Norton On The Laptop" know that I've renewed via "Norton On The Desktop?" Or do I have to pay twice?

Michael

[goodnesswins]

THIS is the one I KEEP getting.....on weekends, mostly it seems......

X-Symantec-TimeoutProtection: 0

FROM: "MS Corporation Internet Security Center"

TO: " "

SUBJECT: Current Security Update

Date: Sun, 19 Oct 2003 10:35:54 +0300

[JoJo Gunn]

Ever seen this, Martin?

http://www.javacoolsoftware.com/spywareblaster.html

[Keith in Iowa]

>>Fortunately, I'm using Forte Agent 1.9 for email (it's a fab news / Usenet reader but it also does mail really well and is IMPERVIOUS to virii, and I've got Zone Alarm going, too.

Dittos. The only virii that my ISP's mail server's scanning didn't nail, Norton did.

[Maigrey]

Is there a clean way to make "Norton On The Laptop" know that I've renewed via "Norton On The Desktop?" Or do I have to pay twice?

The license "limits" the user to one user/one computer. I don't know of a way around that.

-- Maigrey's husband

[martin_fierro]

Thanks for the link -- will check it out.