How it works
One way Swen spreads is by email, arriving either as a message that refers to Microsoft or to a new critical patch for Internet Explorer, or as a returned email.
To spread via shared network files, Swen leaves copies of itself in the start-up folders found on individual Windows computers connected to the network.
For IRC users, Swen adds a script.ini file to the mIRC program folder. It then spreads to other IRC users.
To infect other P2P users, Swen adds a copy of itself to the shared file directory using a random but intriguing name.
Once the virus is active, it attempts to shut down running antivirus and personal firewall applications. Swen appears to download and install a patch directly from Microsoft; in reality, the virus is changing system Registry files on the infected machine. The changes include, for example, one that runs the virus every time the computer is rebooted.
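The following triage sketch is an added example, not part of the original article. It walks a directory tree and lists the file-system traces described above for manual review: executables in start-up folders, a script.ini in an mIRC folder, and executables in a P2P shared folder. The folder names, the extension list and the sample layout are constructed assumptions.

```python
import os

# Extensions Windows runs directly (an assumed set for this sketch).
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat"}

def triage(root, shared_dirs=()):
    """Return sorted (reason, path) findings for manual review under root."""
    shared = {os.path.normcase(os.path.abspath(d)) for d in shared_dirs}
    findings = []
    for folder, _dirs, files in os.walk(root):
        name = os.path.basename(folder).lower()
        here = os.path.normcase(os.path.abspath(folder))
        for fname in files:
            path = os.path.join(folder, fname)
            ext = os.path.splitext(fname)[1].lower()
            if name == "startup" and ext in EXEC_EXT:
                findings.append(("executable in start-up folder", path))
            elif "mirc" in name and fname.lower() == "script.ini":
                # mIRC users may keep their own script.ini: review, not verdict.
                findings.append(("script.ini in mIRC folder", path))
            elif here in shared and ext in EXEC_EXT:
                findings.append(("executable in shared folder", path))
    return sorted(findings)

def build_sample(root):
    """Create a constructed directory layout and return the shared folder."""
    layout = [
        "Start Menu/Programs/Startup/abcd.exe",
        "Start Menu/Programs/Startup/notes.lnk",
        "Program Files/mIRC/script.ini",
        "My Shared Folder/Great Game.exe",
        "My Documents/letter.txt",
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"")  # empty placeholder files
    return os.path.join(root, "My Shared Folder")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for reason, path in triage(tmp, [build_sample(tmp)]):
            print(reason, "->", os.path.relpath(path, tmp))
```

A finding is a prompt to inspect the file, not proof of infection.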
Prevention
Windows users who have not installed the Internet Explorer patch MS01-020 for the incorrect MIME header flaw should do so now to prevent automatic infection from Swen. In general, do not open attached files in email without first saving them to the hard disk and scanning them with updated antivirus software. Please note that Microsoft does not email security patches to its users. Contact your antivirus vendor to obtain the latest antivirus signature files that include Swen.
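The check below is an added example, not part of the original article. It flags mail carrying an attachment with an executable file name, notes when the declared MIME type disagrees with that name (the kind of mismatch the incorrect MIME header flaw relies on), and notes a sender that claims to be Microsoft. The sample message, the extension list and the type list are constructed assumptions.

```python
import email
from email import policy

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
# MIME types that honestly describe an executable (assumed list).
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload",
              "application/x-msdos-program"}

# Constructed sample: an executable name declared as an audio type.
SAMPLE = """\
From: "Microsoft Security" <security@example.invalid>
To: user@example.invalid
Subject: Sample subject
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Constructed sample body.
--b1
Content-Type: audio/x-wav; name="patch.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="patch.exe"

cGxhY2Vob2xkZXI=
--b1--
"""

def check_message(raw):
    """Return a list of reasons to quarantine the message (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    claims_ms = "microsoft" in str(msg.get("From", "")).lower()
    reasons = []
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if not fname.endswith(EXEC_EXT):
            continue
        reasons.append("executable attachment: " + fname)
        ctype = part.get_content_type()
        if ctype not in EXEC_TYPES:
            reasons.append("MIME type %s does not match %s" % (ctype, fname))
        if claims_ms:
            # Microsoft does not email security patches to its users.
            reasons.append("sender claims to be Microsoft")
    return reasons

if __name__ == "__main__":
    for reason in check_message(SAMPLE):
        print(reason)
```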
Removal
Most antivirus software companies have updated their signature files to include this virus. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, and Trend Micro.






Talkback
Everything clear except instructions for installing the Internet Patch, especially when I can't reach Windows Update. I fear a leftover worm (although Norton says I'm clean) has cut me off: can't reach my installation history or any of the 17 updates available for XP. (Also, for some mysterious reason I can no longer send messages from my Yahoo E-Mail Account.)
Suggestions?
Hi.
I have reason to believe I'm not infected with the Swen virus. But someone who has my email address is, and I'm getting a hundred spam e-mails per hour... I see multiple virus removal tools, but no spam blocker for this worm. Can anyone help me?
Thank you.
Lana Boter
lboter@nyc.rr.com
Hi,
I never open attachments when I don't know who sent it to me. And I always send the mails to Yahoo to screen for viruses.
Tonight, after reinstalling Windows 98SE, I forgot to fix patches with Microsoft.
And yes.....Swen hit me. I think the responsibility is also for Microsoft. It should be possible to go to the shop where I bought their software to get an updated reliable version of Windows 98SE.
They produce products with failures and should be responsible for the damage!
Marchel
The Netherlands
I got the Swen virus on September 18 and immediately used the Norman program to remove it and this did not remove it. I have run other virus scans to no avail also. Today when I tried my Outlook Express there was no problem.
After I got the Swen virus I could not receive incoming mail and messages kept ending up in my deleted box.
Guess I should not worry if something is working but any ideas?
Why is it, when detailing virus prevention and removal, you never mention the excellent (and, in one version, free) AVG AntiVirus from http://www.grisoft.com? No - I don't work for Grisoft - I'm just a very satisfied, and very well-protected, customer of theirs. Incidentally, their site provides a number of handy removal tools, in addition to the programs, and their very prompt updates.
As a layman (an old one) I don't understand how Swen can get by the anti-virus in the first place, let alone the firewall. A short time ago, while running a free version of an anti-virus, I was at McAfee site where they offered to insert a temp virus that would delete itself within minutes, and as soon as they released it, my free version came on with an actual "bang" and captured it, took it to the "Vault" for safe storage. Whole thing was over in a heartbeat. All emails and attachments are scanned before they get to email page, so why wouldn't that pick up and destroy the virus immediately? McAfee also has an incredible program called the "Stinger"; have you seen it? Watched it in action? Also have that on desktop. With all the constant threats to our (my) systems today, all the fun and/or enjoyment of Internet is going away, hardly any desire to log on anymore. Can't for the life of me see what these sickos get out of doing these things to innocent, unsuspecting people at home just trying to get a little enjoyment out of life. Anyway, am running McAfee full Suite 2004, plus ZoneAlarm Pro--do you think I am reasonably safe? Thank you most kindly. Bruce
What do you do if Swen has done such a great job on your computer and you can't access ANY executable files? Including the patch to remove it.
My machine had the Swen virus. I found that each time I opened Outlook Express, the window was small even though properties specified maximum. Other programs were similarly affected. My antivirus (AVG) would not run; there was a violation with Kernel32.dll. After downloading a fix, all programs start as they should.
Hi Lana, I am also receiving lots of spam mail containing this virus, but the only way I have found to minimise the amount of mail that is coming in is to use mail washer, that's from www.firetrust.com. I have the full working version here and it has blocked a lot of them by adding them to my blacklist and bouncing them back, but the mail comes in from different people each time, but it has managed to cut it down to about 30 at the moment.
Where does Swen get its email addresses from? Why does Juno allow my mailbox to fill with Swen messages every day? How can I track down the sender to let them know they are infected?
I view Juno webmail from a Unix workstation so I doubt that I am infected.
Thanks,
I have it also but no matter what I try from all the suggestions it won't go away.
Lana, I have the same Swen virus and I have tried all the suggestions and not one of them has helped. If I could talk to a tech that would be great but all the help sites do is direct me elsewhere. If you do get clear instructions please e-mail direct.
Lynda
Hi, I have Swen too.
First of all I recommend to open another mail account in www.operamail.com to avoid junk mail, spam, virus, trojans, etc. I have not received spam for about two weeks.
I download a "patch" for blaster in the official website of Microsoft, I supposed that it is another "patch" for blaster. Also I recommend to download the opera browser from www.opera.com
I feel embarrassed, but not only because I "install" a virus, but because I use Windows in my computer, an AMD based that I like a lot (the hardware), knowing that linux-based open source OS's are so superior in all the aspects. I don't think that MAC OS X has so many viruses, trojans, and worms (if it has important ones).
My last recommendation is to download Stinger of Symantec from: http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html, run it, download, install and execute zone alert (download.com), reboot the computer, run again Stinger and see the "could not be repaired" message and delete it manually.
This virus kind of regenerates. Sometimes Stinger is infected?!
If you are not happy with Windows, find a new "better" version, or get MAC OS X or any other linux-based OS.