
Chronic W32.Swen Virus Attack - Anyone Else Getting It?
The Vanity Virus Times | 10/22/03 | Michael

Posted on 10/22/2003 12:44:35 PM PDT by Wright is right!

I am currently getting about 20 emails a day with the W32.Swen.A@mm virus, which Norton is heading off at the pass, but it's still annoying because every time it happens, Norton A/V covers up most of my screen with a billboard proudly announcing that it's nipped a virus in the bud and would I like to quarantine it. It says ON the billboard, "We recommend that you let us quarantine all of the infections automatically," but there is no way to make the process automatic. You have to manually approve each quarantine.

This virus, which I don't recall seeing anything about, either here on FR or in the media, has been hitting me fast and furious via email for the last month or so, 20-30 per day. Anyone else getting it?

And does anyone have a way of making Norton Anti-Virus 2002 quarantine auto instead of having it interrupt me every time a virus comes in?

Michael


TOPICS: News/Current Events
KEYWORDS: lowqualitycrap; microsoft; virus; w32swen; windows

1 posted on 10/22/2003 12:44:36 PM PDT by Wright is right!

To: Wright is right!
I'd be interested in the responses, too. I'm getting the same damned thing on mine.
2 posted on 10/22/2003 12:46:09 PM PDT by sinkspur (Adopt a dog or a cat from a shelter! Save a life, and maybe you'll save your own, too!)

To: Wright is right!
What does this virus look like? I haven't heard of it yet. Is it a specific subject-line?
3 posted on 10/22/2003 12:48:27 PM PDT by Egon (Safety Tip: You can get AIDS by sitting at a public toilet before the previous person vacates!)

To: Wright is right!
No. I've had epidemics of virus attacks in the past, but nothing right now.

These things email themselves from infected computers as well as from the original spammers, so maybe you're one or two degrees of separation from a friend with an infected computer.
4 posted on 10/22/2003 12:48:44 PM PDT by Cicero (Marcus Tullius)

To: Wright is right!
W32/Swen@MM
W32/Swen@MM, I-Worm.Swen (AVP), W32/Gibe.e@MM, Win32.HLLM.Gibe.2 (DialogueScience) is a Medium Risk mass-mailing worm for home users. Sometimes posing as a Microsoft Security Update, this worm is intended to spread via the following methods:
  • Mailing itself to recipients extracted from the victim's machine
  • Copying itself over network shares (mapped drives)
  • Sharing itself over the KaZaa P2P network
  • Sending itself via IRC

The worm terminates processes relevant to various security and anti-virus products. Additionally, the worm contains its own SMTP engine to create outgoing messages to harvested email addresses from the victim's machine.

Various outgoing messages are created, with multiple subject lines and attachment names. Some make use of an Internet Explorer vulnerability to ensure the worm attachment is run upon viewing the email. See Microsoft Security Bulletin (MS01-020). Messages created to take advantage of this vulnerability will be detected as Exploit-MIME.gen.exe with the 4215 DATs or greater (and earlier as Exploit-MIME.gen).

When the worm is run on the victim's machine, a series of fraudulent message boxes are displayed. The worm installs itself (using a random filename) into %WinDir%, for example: C:\WINDOWS\ZNFUL.EXE.

W32/Swen@MM modifies various registry keys and disables the execution of REGEDIT.EXE on the victim's machine. Additionally, the worm terminates various processes on the victim's machine.

 
What are the common subject lines, attachment names and message content associated with W32/Swen@MM emails?
Subject:
Returned Response

From:
Email Delivery Service (kmailengine@yahoo.com)

Body:
Undeliverable mail to (email address)

 
How do you know if you've been infected?
  • Display of a series of dialog boxes
  • Unexpected termination of various security and anti-virus products
  • Inability to run RegEdit on the victim's machine
 
How do you clean your system if it’s already infected?
Ensure that your virus definition DAT files are current. Detection is included in the Daily DAT files (beta). W32/Swen@MM disables the execution of REGEDIT.EXE. The UNDO.REG tool will reverse the changes made by the virus and allow the user to execute REGEDIT.EXE as normal.

Additional Windows ME/XP removal considerations


5 posted on 10/22/2003 12:49:39 PM PDT by Oldeconomybuyer (The democRATS are near the tipping point.)

To: Wright is right!
Nothing here yet. Will keep on the lookout, tho.
6 posted on 10/22/2003 12:49:41 PM PDT by martin_fierro (A v v n c v l v s M a x i m v s)

To: Wright is right!
Nothing here - thank goodness.
7 posted on 10/22/2003 12:50:17 PM PDT by lodwick

FR Tech Tips List
FREE PC PROTECTION (not an exhaustive list):

8 posted on 10/22/2003 12:50:18 PM PDT by martin_fierro (A v v n c v l v s M a x i m v s)

To: martin_fierro
Muttly eat virus.

No problem.
9 posted on 10/22/2003 12:51:20 PM PDT by PoorMuttly (Mutly See...Muttly Eat)

To: Wright is right!
With Norton AntiVirus 2002, click on Options, click on Email on the left-hand side, and select the option "Repair then silently quarantine if unsuccessful" under "How to Respond when a Virus is Found".

- Maigrey's husband
10 posted on 10/22/2003 12:52:30 PM PDT by Maigrey (These (liberals) are the same people who think therapy will help the terrorists. -GWB, 9/23/03)

To: sinkspur
I just changed my settings yesterday, so the jury is still out if this change "takes", but fwiw I haven't seen any more since then... here is the procedure:

On the "System Tray", right-click on the Norton Antivirus Icon, and then left-click on the "Configure Norton Antivirus" option. Open the Internet/Email tab, and switch from your current setting "Ask me what to do" to be "Repair, and silently quarantine if unsuccessful"

11 posted on 10/22/2003 12:53:25 PM PDT by C210N

To: C210N
Thanks. I'll give that one a try.
12 posted on 10/22/2003 12:56:28 PM PDT by sinkspur (Adopt a dog or a cat from a shelter! Save a life, and maybe you'll save your own, too!)

To: Maigrey
"With Norton AntiVirus 2002, click on Options, click on Email on the left-hand side, and select the option "Repair then silently quarantine if unsuccessful" under "How to Respond when a Virus is Found"."

Seems like I tried that once before but I've just done that procedure again to see if it will work this time.

Fortunately, I'm using Forte Agent 1.9 for email (it's a fab news / Usenet reader but it also does mail really well and is IMPERVIOUS to virii), and I've got Zone Alarm going, too.

michael

13 posted on 10/22/2003 12:56:53 PM PDT by Wright is right! (Never get excited about ANYTHING by the way it looks from behind.)

To: Wright is right!
It's been around for a while.

See previous posts here.

14 posted on 10/22/2003 1:01:03 PM PDT by Damocles (sword of...)

To: Maigrey
OK, got another question - see if you know the answer to this.

I've got a paid copy of Norton A/V 2002 on the desktop. I also used the Norton CD to install 2002 to my laptop, but this was before I renewed the subscription. Now, every time I open the laptop, Norton nags me to renew. Is there a clean way to make "Norton On The Laptop" know that I've renewed via "Norton On The Desktop?" Or do I have to pay twice?

Michael

15 posted on 10/22/2003 1:01:04 PM PDT by Wright is right! (Never get excited about ANYTHING by the way it looks from behind.)

To: Wright is right!
THIS is the one I KEEP getting.....on weekends, mostly it seems......

X-Symantec-TimeoutProtection: 0

FROM: "MS Corporation Internet Security Center"

TO: " "

SUBJECT: Current Security Update

Date: Sun, 19 Oct 2003 10:35:54 +0300

16 posted on 10/22/2003 1:02:28 PM PDT by goodnesswins (Free people are not equal. Equal people are not free.)
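
Added example, not part of any poster's message and not code from an antivirus vendor: a mail-filter check that flags raw messages matching the sender-name and subject pairs quoted in replies 5 and 16, and any executable attachment declared with a media content type, which is the incorrect-MIME-header issue that MS01-020 covers. The function name, the extension list and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# (From display name, Subject) pairs quoted in replies 5 and 16, lower-cased.
KNOWN_LURES = {
    ("email delivery service", "returned response"),
    ("ms corporation internet security center", "current security update"),
}
# Assumption: attachment extensions that Windows runs directly.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
# Constructed sample message; sender address and attachment name are made up.
SAMPLE = b"""\
From: "MS Corporation Internet Security Center" <sender@example.invalid>
Subject: Current Security Update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Constructed body text.
--b1
Content-Type: audio/x-wav; name="update.exe"
Content-Disposition: attachment; filename="update.exe"

AAAA
--b1--
"""

def swen_findings(raw_message: bytes) -> list:
    """Return the reasons a raw message resembles the mails in this thread."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    display_name, _ = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", "")).strip().lower()
    if (display_name.strip().lower(), subject) in KNOWN_LURES:
        findings.append("known-lure-headers")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name.endswith(EXECUTABLE_EXT):
            continue
        findings.append("executable-attachment:" + name)
        # Media type declared for an executable file name: MS01-020 pattern.
        if part.get_content_maintype() in ("audio", "image", "video"):
            findings.append("mime-type-mismatch:" + part.get_content_type())
    return findings

if __name__ == "__main__":
    print(swen_findings(SAMPLE))
```

The header pairs only catch the two lures quoted here, while the attachment checks do not depend on the subject line, which matters because the advisory in reply 5 says the worm uses multiple subject lines and attachment names.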

To: martin_fierro
Ever seen this, Martin?

http://www.javacoolsoftware.com/spywareblaster.html

17 posted on 10/22/2003 1:16:51 PM PDT by JoJo Gunn (Liberalism - Better Living through Histrionics ©)

To: Wright is right!
>>Fortunately, I'm using Forte Agent 1.9 for email (it's a fab news / Usenet reader but it also does mail really well and is IMPERVIOUS to virii), and I've got Zone Alarm going, too.

Dittos. The only virii that my ISP's mail server's scanning didn't nail, Norton did.
18 posted on 10/22/2003 1:20:49 PM PDT by Keith in Iowa (Tag line produced using 100% post-consumer recycled ethernet packets,)

To: Wright is right!
Is there a clean way to make "Norton On The Laptop" know that I've renewed via "Norton On The Desktop?" Or do I have to pay twice?

The license "limits" the user to one user/one computer. I don't know of a way around that.

-- Maigrey's husband

19 posted on 10/22/2003 1:23:42 PM PDT by Maigrey (These (liberals) are the same people who think therapy will help the terrorists. -GWB, 9/23/03)

To: JoJo Gunn
Thanks for the link -- will check it out.
20 posted on 10/22/2003 2:24:27 PM PDT by martin_fierro (A v v n c v l v s M a x i m v s)

