Swen worm tops virus charts

Security experts have said that the Swen mass-mailing Windows worm appears to be spreading quickly, moving to the top of the virus charts a day after it first appeared -- and even maintaining its own counter that supposedly monitors how many PCs have been infected.

Antivirus companies warned on Thursday that the worm, variously known as I-Worm.Swen, W32/Swen.A@mm or W32/Gibe@MM.e, had the potential to spread quickly because it is well-disguised as a security update from Microsoft. It takes advantage of a two-year-old Internet Explorer flaw that allows it to execute directly from an email message without the help of the user.

On Friday, email provider Messagelabs said its email servers had stopped more copies of Swen than any other worm, including Klez.H, the previous top threat. The largest proportion of the 35,450 copies of Swen stopped by Messagelabs originated from the US, followed by the UK.

The first time the worm executes on a system, it contacts a Web address and updates a counter that supposedly indicates how many machines are infected -- although antivirus vendors doubt that the figure is correct. As of Thursday, the counter already listed more than 500,000 infected PCs.

Antivirus vendors upgraded their assessment of Swen's threat on Friday, due to the increase in infections. Symantec, for example, shifted Swen up to a category 3 virus.

Windows users are still reeling from a series of damaging virus attacks that have caused chaos in recent weeks, partly due to the large number of Internet-connected PCs that have not patched known vulnerabilities. Swen in part relies on a flaw Microsoft first disclosed in a 2001 security bulletin, although it can also be spread by duping users into executing its attachment.

The worm affects Windows 95, Windows NT, and all newer versions, and spreads via email and through IRC, Kazaa and local area networks. It attempts to disable firewall and antivirus software.

One of the emails that Swen uses to spread is a professional-looking message that appears to come from "MS Technical Assistance", and contains a notification of a "September 2003, Cumulative Patch", along with the virus attachment. Microsoft does not spread updates via email.

When executed, the worm continues to pose as a security update, launching a message window that states: "This will install Microsoft Security Update. Do you wish to continue?" If the user clicks "Yes", the worm shows a fake installation dialogue box, but it also installs invisibly if the "No" button is pressed.

Swen installs various files to ensure that it is launched every time the system boots up. It also disables the user's ability to edit the Registry.

Users are advised not to launch attachments without first scanning them with antivirus software. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, and Trend Micro.

Talkback

How do I remove the virus?

via Facebook 19 September, 2003 17:38

I normally receive 20 or so e-mails a day. Today I received 180, about 160 were the Swen worm. I can confirm 40 such mailings before I called my tech support to ask how to delete from the server. He was swamped by the worm. We are both in Indianapolis, IN, USA. This morning I checked with NAI.com and they listed it as Moderate threat for home users. I hate to see what it is now.
Thank you,
Paul Yearwood

via Facebook 19 September, 2003 22:05

Try this link for a great utility for getting rid of the virus from your system. Just start it and let it do the work. It works a treat!!

http://www3.ca.com/Files/VirusInformationAndPrevention/ClnSwen.zip

via Facebook 19 September, 2003 23:43

Regarding the worm Swen A, I have also been receiving a lot of bounced mails containing this virus, also receiving about 4 a day from the "Microsoft" one too. Just so glad I had updated my AVG a few days before I started receiving these mails!

via Facebook 20 September, 2003 19:59

One of our email addresses is getting swamped with ms security type email with large attachment containing 2mB. We are getting around 80 of these a day and it's really slowing things down.

I'm not convinced that this many emails are getting sent from infected machines. How many times does the worm mail itself? Can an infected machine bog itself down by sending mail to itself?

When I read the details of what these latest worms are doing, it becomes clear a main motivation is to collect information from the target machine and send it out to the Internet... Hardly anything is said about this 'aspect' of these viruses in the news...

via Facebook 20 September, 2003 23:14

How do I remove the worm? I downloaded the file, but it cannot execute as it tells me that Windows cannot find the SGKEZNA.EXE FILE.
This is the same message I get when I try to execute any program. Only the file name changes.
I sure could use some help. My email address is fishboss1@cox.net

Thanks for any help

via Facebook 20 September, 2003 23:43

That one was a close call!
I regularly patch my system, working in the IT industry I know of the importance of security patches and even at home I run the latest virus scans and have installed a firewall.
The most recent virus problem I had on my home setup was MSBlaster, not that I hadn't patched the system but I had just re-installed the OS after fitting a new hard disk. I had installed the network drivers (for my broadband connection) and 6 minutes later my machine was brought crashing down by Blaster. Luckily I had installed my firewall so I could detach Blaster.exe from the network, this stops it running long enough to download patches and virus signature updates so I could remove it.

For me to get Swen, I would have had to open the email. I never usually fall for the "Social Engineering" type of virus delivery but this one ALMOST got me. This is the first time I got that close to falling for the trick and to be honest, that scares me! I was just about to open the infected email when I suddenly snapped into reality and remembered that MS never emails patches and even though I was using Hotmail opening this email would be dangerous. It wasn't until I got to work and checked ZDNet news that I realised just how close I was.

If a worm like this can get a seasoned (I have had my share of reformatted hard disks and unknown strangers using my PC through trojans) IT professional like me then I hate to think about how many new and inexperienced users are getting hit by this one!

via Facebook 22 September, 2003 14:10

Not only do I get the original messages, NAV for MS Exchange Server sends me a "deleted attachment" message for each one.

As if that weren't bad enough, my email address was spoofed by the virus. Every mail delivery program on the Internet sends me an "Undeliverable Mail" message when a nonexistent user is sent a message by the virus using my spoofed email address. Some of them check the message, know it's a virus AND SPAM ME WITH A MESSAGE ANYWAY JUST TO SPITE ME! The ones that don't check don't delete the attachment, SO OUR CORPORATE NAV FOR EXCHANGE SERVER SPAMS ME WITH THE "DELETED ATTACHMENT" MESSAGE!

Question: Why are mail server and antivirus programs doing their utmost to compound the problems caused by viruses?

via Facebook 22 September, 2003 18:34

Carol wrote: Just so glad I had updated my AVG a few days before

I fail to see why you feel that this is so important... if you never open e-mail attachments, you have nothing to worry about from this worm.

via Facebook 22 September, 2003 19:07

What's wrong with today's society? Nowadays you can't even start your computer or even open your own e-mail account without getting a virus. I personally think people have way too much time on their hands.......

via Facebook 23 September, 2003 02:07

While I have no problem with the worm or virus infecting my system, I have problems with having my email spoofed.

99% of the emails I receive since last week is an email from Microsoft about a critical update, which is what the worm is supposed to do. I lose so much time just sifting thru my emails.

While I've done my best to protect my PC, how does one protect oneself from losing so much time when other infected computers out there have sent you all these infected emails?

via Facebook 23 September, 2003 07:46

Hi, can anyone tell me how to remove this virus? I have run my AVG about 25 times in the past few days and it just keeps popping up on my screen. It says the virus is in my volume information. Please, please help.

via Facebook 27 September, 2003 18:12

I installed PC-CILLIN too late, now it tells me it found that virus, and you can't access any files, not even through run!!! What a bummer!!!

via Facebook 29 September, 2003 22:16

Swen alters the file associations. Go to www.techguys.org where there is a detailed instruction for removal with a link to a tool to reset your file associations in the registry.

via Facebook 3 October, 2003 20:14

Some providers (like Belgian Telenet and Skynet) offer to scan / filter viruses at server level. However, this is not for free (it's a monthly cost), so viruses keep reaching customers, instead of being filtered by the provider. Like this, viruses stay longer on the net than they should / could. I think it's the provider's responsibility to keep *their* email servers clean, not its users.

You can compare it with a public water system. People pay for the drinking water (the abonnement), not to keep it clean.

Greetings,

Louis

via Facebook 21 October, 2003 19:43

Has anyone said just how to get ALL these e-mails to stop??? I am so sick of receiving so many MS Security, etc. e-mails a day. It started about 2 weeks ago & while, thankfully, my anti-virus "deletes" these (or just deletes the attachment & virus?) - they continue to flow in. So how do we find an end to this??

Thanks!

via Facebook 24 October, 2003 00:06