WebCrime

SWEN

W32/Swen.B@mm and W32/Swen.C@mm

9 October 2003

W32/Swen.B@mm was discovered on 9 October and is a minor variant of Swen.A, the mass-mailing worm that started spreading last month through e-mails falsely claiming to be from Microsoft.

Swen.B is the original worm's file run through a file compressor, an attempt to evade anti-virus programs whose signatures match only the uncompressed file. In addition, most references within the e-mail have been changed from Microsoft to the Italian ISP Tiscali. Otherwise the original worm and this variant are very similar.

W32/Swen.C@mm is another minor variant of the original Swen.A worm. Swen.C is also a compressed version of the original and contains some minor modifications in its links. Its text strings also refer to Microsoft and Tiscali as well as to Renato Soru, Chairman and CEO of Tiscali.


Recommended Reactions

Users are urged to update their virus signature files for F-Prot Antivirus. W32/Swen.B@mm and W32/Swen.C@mm are detected by virus signature files dated 9 October or later.

After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.

Threat Description

Like Swen.A, these variants are designed to spread not only via e-mail but also through KaZaa and IRC file-sharing networks. The worm also attempts to terminate any known antivirus and firewall software that it finds running.

Threat Detection

W32/Swen.A@mm and its variants are all detected by the latest versions of F-Prot Antivirus using virus signature files dated 9 October 2003 or later.



W32/Swen.A@mm, a very legitimate looking worm

18 September 2003

W32/Swen.A@mm (a.k.a. W32/Gibe.F@mm) is a new mass-mailing worm that infects via e-mails falsely claiming to be from Microsoft. It also claims to provide a new version of a security patch provided by Microsoft earlier this month.

Microsoft, however, has a policy of never distributing software via e-mail and advises users receiving e-mails claiming to contain software from Microsoft not to run the attachment and to delete such e-mail messages altogether. More information regarding Microsoft's policies on software distribution can be found at Microsoft's website.

The e-mail's text and look are convincing and all links within the message lead to the correct pages at Microsoft's website, so it is not surprising that this worm is now spreading fast.

Recommended Reactions

Users are urged to update their virus signature files for F-Prot Antivirus. W32/Swen.A@mm is detected by virus signature files dated 18 September or later.

After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.

Threat Description

As well as spreading via e-mail the worm also attempts to spread via KaZaA and IRC file-sharing networks. On infecting a computer the worm attempts to terminate any known antivirus and firewall software that it finds running.

Please note that if the patch discussed in Microsoft Security Bulletin MS01-027 (Q295106, Q299618) has not been applied then the attachment will be executed automatically as soon as the e-mail is opened. The patch prevents this automatic execution of the attachment but will not prevent infection if the attachment is opened manually.

For more information on W32/Swen.A@mm please see the technical description.

Threat Detection

The latest versions of F-Prot Antivirus detect W32/Swen.A@mm using virus signature files dated 18 September or later.

F-Secure Virus Descriptions : Swen

THIS VIRUS IS RANKED AS LEVEL 1 ALERT UNDER F-SECURE RADAR.

NAME: Swen
ALIAS: I-Worm.Swen, W32/Swen.A@mm, W32/Gibe.E@MM, Gibe.E, Swen.A

Summary

Swen is a worm that replicates via e-mail, the local network (LAN), IRC and Kazaa. It uses a vulnerability in Internet Explorer to execute directly from e-mail. The Swen worm appeared on 18 September 2003. It was most likely written by the author of the Gibe worm (Begbie), and it has features similar to the latest Gibe variants.

Disinfection

Disinfection Tool

F-Secure provides a special tool to disinfect the Swen worm. The tool and disinfection instructions are available at:

ftp://ftp.europe.f-secure.com/anti-virus/tools/swentool.zip

ftp://ftp.europe.f-secure.com/anti-virus/tools/swentool.txt

ftp://ftp.europe.f-secure.com/anti-virus/tools/swentool.com

Please make sure you read the SWENTOOL.TXT file before using the disinfection tool.

Please note that the tool only disinfects the local infection of the Swen worm. It does not remove infected messages from your e-mail databases: delete all infected messages manually, then compact the database so that the deleted data is permanently destroyed.

Troubleshooting

In some cases, when the Swen executable is deleted or renamed by an anti-virus program without the Registry being repaired, it becomes impossible to run executable files on the computer. This happens because the modified shell\open\command handlers still point at the Swen file, which Windows can no longer find on the hard disk. If you have this problem, please download the following file:

ftp://ftp.europe.f-secure.com/anti-virus/tools/swenfix.exe

or

ftp://ftp.europe.f-secure.com/anti-virus/tools/swentool.zip

Then rename SWENFIX.EXE to the name of the deleted Swen executable (the name Windows asks for) and copy it to the Windows folder. After that you will be able to run SWENTOOL.COM to disinfect your computer.

It should be noted that when Swen's executable file has been deleted or renamed, manually or by an anti-virus program, SWENTOOL will not automatically scan all your hard disks; it will show a 'Nothing to clean' message. To make the tool scan all available hard disks, run it with the /SCANFILES command line option. To do this, follow these instructions:

1. Click 'Start' button, select 'Run' option.

2. In the dialog box that appears, type the following:

 swentool  /scanfiles
                                    

3. Press 'Enter' to run the tool.

If your SWENTOOL.COM file is not found, you will have to specify the path to it in the command line:

 <drive>:\<path>\swentool  /scanfiles
                                    

The <drive> and <path> are the names of the drive and folder where the SWENTOOL.COM file was downloaded and saved, for example if you put the tool to 'c:\temp' folder, the command line will look like this:

 c:\temp\swentool  /scanfiles
                                    

After the SWENTOOL finishes scanning your hard disk, it is recommended to restart your computer. After restart your computer should be clean.



Detailed Description

The worm's file is a Windows PE executable 106496 bytes long. It is not compressed by any file compressor.

Installation to system

When the worm's file is run, it checks whether it is already installed and, if not, copies its file to the Windows directory with a random name (for example MLMHP.EXE) and creates a startup key for this file in the Registry:

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
                                     "<random_characters>" = "<random_characters>.exe /autorun"
                                    

where <random_characters> is the name of the worm's file. This way the worm's file is always started with Windows.

If the worm is already installed on the computer, it shows a message box (image not reproduced here). Otherwise the worm shows the following message box:

 Microsoft Internet Update Pack
                                    

 This will install Microsoft Security Update.
                                     Do you wish to continue?
                                    

If the user clicks 'No', the worm installs itself silently. If the user clicks 'Yes', the worm shows a fake installation dialog and, after some time, reports successful installation (both dialogs are images not reproduced here).

During installation the worm creates a batch file named after the infected workstation. This batch file contains the following text:

 @ECHO OFF
                                     IF NOT "%1"=="" <name>.exe %1
                                    

where <name> is the name of the worm's executable file.

The worm extracts the list of SMTP and NNTP servers from its body into the SWEN1.DAT file that is placed into Windows directory.

Then the worm modifies the default open-command handlers for BAT, SCR, EXE, REG and PIF files in the Registry:

 [HKCR\exefile\shell\open\command]
                                     [HKCR\regfile\shell\open\command]
                                     [HKCR\scrfile\shell\open\command]
                                     [HKCR\piffile\shell\open\command]
                                     [HKCR\batfile\shell\open\command]
                                     [HKCR\scrfile\shell\config\command]
                                    

As a result, the worm gets control every time a user runs an executable or opens a registry file. This is also why deleting the worm's file without restoring these keys breaks program launching (see Troubleshooting above).

Additionally the worm disables Registry tools by creating the following key:

 [HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System]
                                     "DisableRegistryTools" = dword:00000001
                                    

As a result, the user cannot run the Regedit utility or import data from REG files. In such a case the worm shows a message box (image not reproduced here) whose numbers are randomly generated.
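The following Python script is an added example; it is not part of the F-Secure description or of its SWENTOOL utility. It reads a .reg export of the keys listed above (a constructed sample is embedded; the worm file name MLMHP.EXE, the C:\WINDOWS path and the Run value name are assumptions chosen to match the example name above), reports the hijacked handlers, the /autorun Run entry and the DisableRegistryTools policy, and writes a repair .reg that restores the standard Windows XP handler defaults and deletes the worm's entries. That registry repair is exactly what the Troubleshooting section describes as missing when an anti-virus program deletes the worm's file but leaves the keys in place.

```python
import re
from typing import Dict, List, Union

RegTree = Dict[str, Dict[str, Union[str, int]]]

# Standard Windows XP defaults for the handlers the worm overwrites.
CLEAN_DEFAULTS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\piffile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\scrfile\shell\open\command": '"%1" /S',
    r"HKEY_CLASSES_ROOT\scrfile\shell\config\command": '"%1"',
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command": 'regedit.exe "%1"',
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed .reg export, not a real capture. MLMHP.EXE stands in for the
# worm's random file name; comfile is left untouched to show a non-hit.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\MLMHP.EXE \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="C:\\WINDOWS\\MLMHP.EXE \"%1\""

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="C:\\WINDOWS\\MLMHP.EXE \"%1\" /S"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="C:\\WINDOWS\\MLMHP.EXE \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"mlmhp"="MLMHP.EXE /autorun"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s: str) -> str:          # .reg REG_SZ data escapes \ and " with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def _escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')

def parse_reg_export(text: str) -> RegTree:
    """Minimal .reg parser: REG_SZ and REG_DWORD values grouped under each [key]."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if (m := _SECTION.match(line)):
            current = m.group(1)
            tree.setdefault(current, {})
        elif (m := _VALUE.match(line)) and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.startswith("dword:"):
                tree[current][name] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                tree[current][name] = _unescape(data[1:-1])
            else:
                tree[current][name] = data          # e.g. "-" (delete marker) or hex data
    return tree

def find_swen_indicators(tree: RegTree) -> List[str]:
    """Flag the three registry changes described above; empty list means clean."""
    findings = []
    for key, clean in CLEAN_DEFAULTS.items():
        cmd = tree.get(key, {}).get("@")
        if isinstance(cmd, str) and cmd.strip().lower() != clean.lower():
            hijacker = cmd.split('"', 1)[0].strip() or cmd   # program inserted before "%1"
            findings.append(f"{key}: handler hijacked by {hijacker!r} (expected {clean!r})")
    for name, data in tree.get(RUN_KEY, {}).items():
        if isinstance(data, str) and data.lower().endswith(" /autorun"):
            findings.append(f"Run value {name!r} = {data!r} (worm's /autorun switch)")
    if tree.get(POLICY_KEY, {}).get("DisableRegistryTools") == 1:
        findings.append("DisableRegistryTools=1 under HKU\\.DEFAULT (Regedit blocked)")
    return findings

def build_repair_reg(tree: RegTree) -> str:
    """Emit a .reg that restores the handlers and deletes the worm's Run entry and policy."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, clean in CLEAN_DEFAULTS.items():
        out += [f"[{key}]", f'@="{_escape(clean)}"', ""]
    out.append(f"[{RUN_KEY}]")
    for name, data in tree.get(RUN_KEY, {}).items():
        if isinstance(data, str) and data.lower().endswith(" /autorun"):
            out.append(f'"{_escape(name)}"=-')        # "=-" deletes the value on import
    out += ["", f"[{POLICY_KEY}]", '"DisableRegistryTools"=-', ""]
    return "\n".join(out)

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    print("\n".join(find_swen_indicators(parsed)))
    print(build_repair_reg(parsed))
```

Feed it an export taken with `reg.exe export`, and import the generated file with `reg.exe import` only after the worm's process has been stopped: while the worm's file is present, the hijacked exefile handler runs it before every program you start, and regedit.exe itself is what the DisableRegistryTools policy blocks. The clean values are Windows XP's; on Windows 9x or NT4 compare them against a known-good machine before importing.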

The worm creates a set of subkeys in the following key:

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
                                    

These subkeys contain information about the SMTP server, the user's e-mail address, the key name of the installed worm's file, the name of the infected computer's user, the name of a ZIP archive that the worm tries to create using WinZip, the name of the mIRC folder and some other data.

During the installation process the worm enables sharing for the Kazaa client, copies itself several times into Kazaa shared folders and replaces the SCRIPT.INI file of the mIRC client with one that sends the worm's file to every user joining a channel where the infected user is present. The worm also copies its file to the startup folders of remote computers via the network.

Spreading in local network

The worm attempts to spread via the local network (LAN). It looks for mapped network drives, accesses them and, if it finds one of the following directories in the root folder:

 Win98
                                     Win95
                                     WinMe
                                     Windows
                                    

it copies its file with a random name to the following folders:

 \%WinDir%\Start menu\Programs\Startup
                                    

 \Documents and Settings\All Users\Start menu\Programs\Startup
                                     \Documents and Settings\Administrator\Start menu\Programs\Startup
                                     \Documents and Settings\Default User\Start menu\Programs\Startup
                                    

 \Winnt\Profiles\All Users\Start menu\Programs\Startup
                                     \Winnt\Profiles\Administrator\Start menu\Programs\Startup
                                     \Winnt\Profiles\Default User\Start menu\Programs\Startup
                                    

As a result remote computers will become infected with the worm after they are restarted.
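A quick way to hunt for the worm's drop files on a file server or a mounted disk image is to list every executable in the Startup folders the worm targets. The Python script below is an added example, not part of F-Secure's description; it generalises the three named profile folders to every profile under Documents and Settings and Winnt\Profiles, and builds a throwaway directory tree (constructed, with an assumed worm copy MLMHP.EXE and a second planted QWERTZ.EXE) to run against.

```python
import tempfile
from pathlib import Path
from typing import List

# Startup folders the worm writes to on a remote drive, relative to the drive
# root, generalised from the three named profiles to every profile folder.
STARTUP_GLOBS = [
    "Win*/Start Menu/Programs/Startup/*",                      # Win95/98/Me, Windows
    "Documents and Settings/*/Start Menu/Programs/Startup/*",  # Windows 2000/XP
    "Winnt/Profiles/*/Start Menu/Programs/Startup/*",          # Windows NT 4
]
EXEC_SUFFIXES = {".exe", ".pif", ".scr", ".bat", ".com"}

def find_startup_executables(root: Path) -> List[Path]:
    """Return executables found in any targeted Startup folder below root."""
    hits = []
    for pattern in STARTUP_GLOBS:
        for p in root.glob(pattern):
            if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
                hits.append(p.relative_to(root))
    return sorted(hits)

def build_demo_drive() -> Path:
    """Constructed directory tree standing in for a mapped drive (not a real share)."""
    root = Path(tempfile.mkdtemp(prefix="swen_demo_"))
    legit = root / "Documents and Settings" / "All Users" / "Start Menu" / "Programs" / "Startup"
    legit.mkdir(parents=True)
    (legit / "desktop.ini").write_text("[.ShellClassInfo]\n")      # benign, must not be reported
    planted = root / "Documents and Settings" / "jsmith" / "Start Menu" / "Programs" / "Startup"
    planted.mkdir(parents=True)
    (planted / "MLMHP.EXE").write_bytes(b"MZ")                     # assumed worm copy, random name
    win = root / "Windows" / "Start Menu" / "Programs" / "Startup"
    win.mkdir(parents=True)
    (win / "QWERTZ.EXE").write_bytes(b"MZ")                        # second assumed copy
    return root

if __name__ == "__main__":
    for hit in find_startup_executables(build_demo_drive()):
        print(hit)
```

Point `find_startup_executables` at the mount point of each share or image; any executable it returns that is not an expected logon program deserves a hash check, since the worm's copies carry random names and cannot be matched by name alone.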

Spreading in IRC networks

The worm creates its own SCRIPT.INI file in mIRC installation folder. This script makes an IRC client send a file called 'WinZip installer.zip' to every user joining a channel where an infected user is present.

Spreading in Kazaa networks

The worm modifies the Registry to enable sharing for Kazaa client, then it locates Kazaa shared folder and copies itself there with a generated name. The name is generated from the following strings:

 Kazaa Lite
                                     KaZaA media desktop
                                     KaZaA
                                     WinRar
                                     WinZip
                                     Winamp
                                     Mirc
                                     Download Accelerator
                                     GetRight FTP
                                     Windows Media Player
                                     key generator
                                     hack
                                     hacked
                                     warez
                                     upload
                                     installer
                                    

 Bugbear
                                     Yaha
                                     Gibe
                                     Sircam
                                     Sobig
                                     Klez
                                     remover
                                     removal tool
                                     cleaner
                                     fixtool
                                    

 AOL hacker
                                     Yahoo hacker
                                     Hotmail hacker
                                     10.000 Serials
                                     Jenna Jameson
                                     HardPorn
                                     Sex
                                     XboX Emulator
                                     Emulator PS2
                                     XP update
                                     XXX Video
                                     Sick Joke
                                     XXX Pictures
                                     My naked sister
                                     Hallucinogenic Screensaver
                                     Cooking with Cannabis
                                     Magic Mushrooms Growing
                                     Virus Generator
                                    

These files can have EXE or ZIP extensions.

Spreading in e-mails and to newsgroups

The worm periodically scans HTML and ASP files on the hard drive and stores the e-mail addresses it finds in the GERMS0.DBV file in the Windows folder. The worm also reads .EML, .DBX, .WAB and .MBX files and collects e-mail addresses from them. It skips addresses containing the strings 'delete' or 'spam'.

The worm can also search for e-mail addresses in newsgroups. It connects to the NNTP servers listed in the SWEN1.DAT file, gets the list of all newsgroups on each server and searches recent messages in those newsgroups for the 'nfrom:' and 'nreply-to:' tags (most likely the strings '\nfrom:' and '\nreply-to:', i.e. From: and Reply-To: header lines). When such tags are found, the worm takes the e-mail addresses that follow them and writes them to the GERMS0.DBV file. This way the worm can harvest a large number of addresses to send itself to.

The worm can also post its e-mails to the newsgroups whose names it collects while searching. It posts the same kind of messages as it sends via e-mail.

The worm reads the SMTP server address and user name from the Registry. If it cannot find this information, it shows a fake MAPI error dialog (image not reproduced here) asking the user to enter that data.

The worm sends itself in very legitimate-looking messages composed from different text strings hardcoded in its body. It also checks the current date and uses the current month in the text of the message, so it spreads with different messages in each month of the year. (The original description shows an example of such a message sent in September; the image is not reproduced here.)

The attachment name, subject and part of the infected message are randomly composed from text strings hardcoded in the worm's body.

The fake sender's address is selected from the following parts:

 MS
                                     Microsoft
                                     Corporation
                                     Program
                                     Internet
                                     Network
                                     Security
                                     Division
                                     Section
                                     Department
                                     Center
                                     Technical
                                     Public
                                     Customer
                                     Bulletin
                                     Services
                                     Assistance
                                     Support
                                    

The domain name for these e-mails is selected from the following parts:

 news
                                     bulletin
                                     confidence
                                     advisor
                                     updates
                                     technet
                                     support
                                     newsletters
                                    

The domain suffix for these e-mails is selected from the following parts:

 ms
                                     msn
                                     msdn
                                     microsoft
                                    

followed by one of the following:

 .com
                                     .net
                                    

The fake recipient's address is also composed from the above shown strings, however the fake recipient's name is selected from the following parts:

 Commercial
                                     MS
                                     Microsoft
                                     Corporation
                                     Customer
                                     User
                                     Partner
                                     Consumer
                                     Client
                                    

The subject is composed from the following parts:

 Current
                                     Newest
                                     Last
                                     New
                                     Latest
                                     Net
                                     Network
                                     Microsoft
                                     Internet
                                     Critical
                                     Security
                                     Patch
                                     Update
                                     Pack
                                     Upgrade
                                    

The worm is usually attached to infected messages as an EXE file. The attachment name is randomly generated from numbers and the following parts:

 upgrade
                                     update
                                     patch
                                     q
                                     install
                                     installer
                                     installation
                                    

For example the infected attachment name can be Q591362.EXE or UPDATE98.EXE. The IFrame exploit is not present in such messages. In some cases the worm's attachment can be in a ZIP archive.

The worm can also compose fake forwarded or bounced e-mails from the following parts:

 RE:
                                     FWD:
                                     FW:
                                     Check
                                     Check out
                                     Prove
                                     Try
                                     Taste
                                     Try on
                                     Look at
                                     Take a look at
                                     See
                                     Watch
                                     Use
                                     Apply
                                     Install
                                     this
                                     that
                                     the
                                     these
                                     important
                                     internet
                                     critical
                                     security
                                     corrective
                                     correction
                                     patch
                                     update
                                     pack
                                     upgrade
                                     for
                                     MS
                                     Microsoft
                                     Windows
                                     Internet Explorer
                                     which
                                     that
                                     comes
                                     from
                                     the
                                     MS
                                     M$
                                     Microsoft
                                     Corporation
                                     Corp.
                                    

The bodies of bounced e-mails can have the following text strings:

 Hi.
                                     This is the qmail program
                                     Message from
                                     I'm sorry
                                     I'm sorry to have to inform you that
                                     I'm afraid
                                     I wasn't able to deliver your message
                                     the message returned below could not be delivered
                                     to the following addresses:
                                     to one or more destinations.
                                     Undeliverable
                                     Undelivered
                                     message
                                     mail
                                     Message follows:
                                    

Such e-mails usually contain the IFrame exploit and the worm's file with a PIF, BAT, COM, SCR or EXE extension, and there is no Microsoft-style message body in them. The IFrame exploit lets the attachment start automatically in older or unpatched versions of certain e-mail clients.
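Taken together, the sender, attachment-name and bounce patterns above give a mail gateway enough to flag Swen traffic without a signature. The Python script below is an added example (not F-Secure's code and not the worm's): it builds three constructed messages with the standard library, one fake "Microsoft update", one fake bounce carrying an IFRAME, and one clean message, and scores each against four checks drawn from this description: a sender domain assembled from the worm's word lists, any program or archive attached to a Microsoft-branded sender (Microsoft's stated policy is never to send software by e-mail), an attachment name of the form word+digits.exe/.zip, and an iframe with a cid: source in the HTML body next to an executable attachment. The sample addresses, names and HTML are assumptions; the cid: iframe form is the well-known MS01-020 exploit layout and is assumed here, since the description does not quote the worm's HTML.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List

# Sender domains the worm fabricates: <part>.<suffix>.<com|net>, from the lists above.
FAKE_MS_DOMAIN = re.compile(
    r"^(news|bulletin|confidence|advisor|updates|technet|support|newsletters)"
    r"\.(ms|msn|msdn|microsoft)\.(com|net)$", re.I)
# Attachment names built from a word plus digits, e.g. Q591362.EXE or UPDATE98.EXE.
PATCH_NAME = re.compile(
    r"^(upgrade|update|patch|q|install|installer|installation)\d*\.(exe|zip)$", re.I)
EXEC_EXT = re.compile(r"\.(pif|bat|com|scr|exe)$", re.I)
# Assumed layout of the IFrame exploit: an iframe whose src is a cid: reference to an attachment.
IFRAME_CID = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?cid:", re.I)

def classify(raw: bytes) -> List[str]:
    """Return the reasons a message looks like Swen mail; an empty list means no hit."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, sender = parseaddr(str(msg.get("From", "")))
    domain = sender.rpartition("@")[2].lower()
    reasons: List[str] = []

    if FAKE_MS_DOMAIN.match(domain):
        reasons.append(f"sender domain {domain!r} is assembled from the worm's word lists")
    claims_ms = bool(FAKE_MS_DOMAIN.match(domain)) or "microsoft" in f"{name} {domain}".lower()

    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    executables = [n for n in names if EXEC_EXT.search(n)]
    archives = [n for n in names if n.lower().endswith(".zip")]
    if claims_ms and (executables or archives):
        reasons.append("Microsoft-branded sender carrying a program or archive; "
                       "Microsoft does not distribute software by e-mail")
    for n in names:
        if PATCH_NAME.match(n):
            reasons.append(f"attachment name {n!r} matches the worm's word+digits .exe/.zip scheme")

    html = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_type() == "text/html")
    if executables and IFRAME_CID.search(html):
        reasons.append("HTML body has an iframe with a cid: source next to an executable "
                       "attachment (auto-execution layout fixed by MS01-020)")
    return reasons

def build_sample(sender: str, subject: str, html: str, filename: str,
                 mime: str = "application/octet-stream") -> bytes:
    """Construct a sample message (not a real capture) for the checks above."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("See the attachment.")
    msg.add_alternative(html, subtype="html")
    maintype, subtype = mime.split("/", 1)
    msg.add_attachment(b"MZ" + bytes(16), maintype=maintype, subtype=subtype,
                       filename=filename)                       # stand-in for the worm's PE file
    return msg.as_bytes()

# Constructed samples; addresses and text are assumptions shaped like the lists above.
SWEN_UPDATE_SAMPLE = build_sample(
    '"MS Network Security Center" <technical@bulletin.msdn.net>',
    "Latest Internet Critical Patch",
    "<html><body>Microsoft Customer, install this September cumulative patch.</body></html>",
    "Q591362.EXE")
SWEN_BOUNCE_SAMPLE = build_sample(
    "postmaster@example.net", "Undeliverable message",
    "<html><body>I'm sorry, the message returned below could not be delivered."
    '<iframe src="cid:part1" height="0" width="0"></iframe></body></html>',
    "patch.pif", "audio/x-wav")
CLEAN_SAMPLE = build_sample(
    "colleague@example.org", "Minutes",
    "<html><body>Minutes attached.</body></html>", "minutes.pdf", "application/pdf")

if __name__ == "__main__":
    for label, sample in [("update", SWEN_UPDATE_SAMPLE), ("bounce", SWEN_BOUNCE_SAMPLE),
                          ("clean", CLEAN_SAMPLE)]:
        print(label, classify(sample))
```

The second check is the one worth keeping after the worm is gone: it encodes the policy the F-Prot notice quotes (no software from Microsoft by e-mail) rather than Swen's particular word lists, so it also catches later mailers that reuse the same pretext.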

Payload

The worm terminates processes of security and anti-virus software that have the following strings in their names:

 _avp
                                     ackwin32
                                     anti-trojan
                                     aplica32
                                     apvxdwin
                                     autodown
                                     avconsol
                                     ave32
                                     avgcc32
                                     avgctrl
                                     avgw
                                     avkserv
                                     avnt
                                     avp
                                     avsched32
                                     avwin95
                                     avwupd32
                                     blackd
                                     blackice
                                     bootwarn
                                     ccapp
                                     ccshtdwn
                                     cfiadmin
                                     cfiaudit
                                     cfind
                                     cfinet
                                     claw95
                                     dv95
                                     ecengine
                                     efinet32
                                     esafe
                                     espwatch
                                     f-agnt95
                                     findviru
                                     fprot
                                     f-prot
                                     fprot95
                                     f-prot95
                                     fp-win
                                     frw
                                     f-stopw
                                     gibe
                                     iamapp
                                     iamserv
                                     ibmasn
                                     ibmavsp
                                     icload95
                                     icloadnt
                                     icmon
                                     icmoon
                                     icssuppnt
                                     icsupp
                                     iface
                                     iomon98
                                     jedi
                                     kpfw32
                                     lockdown2000
                                     lookout
                                     luall
                                     moolive
                                     mpftray
                                     msconfig
                                     nai_vs_stat
                                     navapw32
                                     navlu32
                                     navnt
                                     navsched
                                     navw
                                     nisum
                                     nmain
                                     normist
                                     nupdate
                                     nupgrade
                                     nvc95
                                     outpost
                                     padmin
                                     pavcl
                                     pavsched
                                     pavw
                                     pcciomon
                                     pccmain
                                     pccwin98
                                     pcfwallicon
                                     persfw
                                     pop3trap
                                     pview
                                     rav
                                     regedit
                                     rescue
                                     safeweb
                                     serv95
                                     sphinx
                                     sweep
                                     tca
                                     tds2
                                     vcleaner
                                     vcontrol
                                     vet32
                                     vet95
                                     vet98
                                     vettray
                                     vscan
                                     vsecomr
                                     vshwin32
                                     vsstat
                                     webtrap
                                     wfindv32
                                     zapro
                                     zonealarm
                                    

The worm also prevents starting any file whose name contains one of the above strings. When such a file is started, the worm shows a message box (image not reproduced here) with randomly generated numbers and stops the execution of that file.

If the worm finds a debugger in a system, it shows a messagebox with the following text:

 Try to pull my legs?
                                    

Infection counter

The worm keeps its own counter on a certain web page. Every infected computer tries to access that page, which increments the counter. At the time this description was written (18 September, 20:00 GMT) the counter value was over 510000, but we believe that this is not the actual number of infected computers.

VARIANT: Swen.B

This minor variant was found on 9 October 2003. It was created by compressing the original virus with UPX, which shrank it from 106496 bytes to 52224 bytes, making it undetectable to some anti-virus programs.

In addition, many references to Microsoft in the original virus have been changed to references to Tiscali, an Italian ISP.

F-Secure Anti-Virus detected this modified version of the virus without any need for updates.

VARIANT: Swen.C

This minor variant was also found on 9 October 2003. Like the previous variant it is compressed with the UPX file compressor; the packed file size is 52224 bytes.

Swen.C has a slightly different set of text strings mentioning both Tiscali and Microsoft, and also the name of Tiscali's CEO Renato Soru. A few Tiscali links present in the B variant were slightly modified.




Detection

F-Secure Anti-Virus detects Swen.A with the update released on September 18th, 2003:

[FSAV_Database_Version]

Version=2003-09-18_03

F-Secure Anti-Virus detects Swen.B and Swen.C variants without any need for updates.




Technical Details: Alexey Podrezov and Katrin Tocheva; September 18th - October 9th, 2003

F-Secure Corporation  

 



I-Worm.Swen

Aliases
I-Worm.Swen (Kaspersky Lab) is also known as: W32/Swen@MM (McAfee), W32.Swen.A@mm (Symantec), Win32.HLLM.Gibe.2 (Doctor Web), W32/Gibe-F (Sophos), Win32/Swen.A@mm (RAV), WORM_SWEN.A (Trend Micro), Worm/Gibe.C.1 (H+BEDV), W32/Swen.A@mm (FRISK), Win32:Swen (ALWIL), I-Worm/Swen.A (Grisoft), Win32.Swen.A@mm (SOFTWIN), Worm.Gibe.F (ClamAV), W32/Gibe.C.worm (Panda), Win32/Swen.A (Eset)
Description added Sep 22 2003
Behavior Email Worm
Technical Details

Swen is a very dangerous worm that spreads across the Internet via e-mail (as an infected file attachment), the Kazaa file-sharing network, IRC channels and open network resources.

Swen is written in Microsoft Visual C++ and is 105KB (106496 Bytes) in size.

The worm activates when a victim launches the infected file (double-clicking the attachment) or when the victim machine's e-mail application is vulnerable to the IFrame.FileDownload vulnerability (also exploited by the Klez and Tanatos Internet worms). Once run, Swen installs itself in the system and begins its propagation routine.

You can download the patch released in March 2001 for the IFrame vulnerability from Microsoft Security Bulletin MS01-020.

The worm blocks many anti-virus programs and firewalls. Its algorithm and parts of the code text are almost identical to that of another Internet worm called I-Worm.Gibe, although the programming language used is different.


Installation

When first launched, the worm may display a "Microsoft Internet Update Pack" message box and then imitate a patch installation.

The worm then copies itself into the Windows directory under a name built from the parts below (one alternative is chosen at random for each part):

First possibility (two parts):

  1. Kazaa Lite
     KaZaA media desktop
     KaZaA
     WinRar
     WinZip
     Winamp
     Mirc
     Download Accelerator
     GetRight FTP
     Windows Media Player

  2. Key generator
     Hack
     Hacked
     Warez
     Upload
     Installer

Second possibility (two parts):

  1. Bugbear
     Yaha
     Gibe
     Sircam
     Sobig
     Klez

  2. Remover
     RemovalTool
     Cleaner
     Fixtool

Third possibility (a single name):

  Aol Hacker
  Yahoo Hacker
  Hotmail Hacker
  10.000 Serials
  Jenna Jameson
  Hardporn
  Sex
  Xbox Emulator
  Emulator Ps2
  Xp Update
  Xxx Video
  Sick Joke
  Xxx Pictures
  My Naked Sister
  Hallucinogenic Screensaver
  Cooking With Cannabis
  Magic Mushrooms Growing
  Virus Generator

The new file is registered in the Windows auto-run key. The value name is a random string and its data points to the dropped file (whose name is random as well):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  random sequence = %windir%\file name autorun

A further key holding the worm's identification and configuration settings is created:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
  random sequence

The worm then creates, in the Windows folder, a BAT file named after the infected host. It contains the following commands (the worm's own file name, which precedes ".exe", is missing from this listing):

@ECHO OFF
IF NOT "%1"=="" .exe %1

Next the worm changes values under HKLM\Software\Classes (HKCR) so that it is invoked every time a BAT, COM, EXE, PIF, REG or SCR file is launched. The worm's file name follows %windir%\ in each value; the file the user actually opened is passed on as "%1", so nothing looks amiss:

HKCR\batfile\shell\open\command
  Default = %windir%\ "%1" %*

HKCR\comfile\shell\open\command
  Default = %windir%\ "%1" %*

HKCR\exefile\shell\open\command
  Default = %windir%\ "%1" %*

HKCR\piffile\shell\open\command
  Default = %windir%\ "%1" %*

HKCR\regfile\shell\open\command
  Default = %windir%\ showerror

HKCR\scrfile\shell\config\command
  Default = %windir%\ "%1"

HKCR\scrfile\shell\open\command
  Default = %windir%\ "%1" /S

Note that the regfile handler is not passed "%1" at all but the argument showerror, so importing a .reg file (for instance a removal tool's undo script) never reaches regedit. The worm also disables the user's ability to edit the registry with Registry Editor:

HKCU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableRegistryTools = 01 00 00 00
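
As an added example (not Kaspersky's, F-Secure's or the worm's code), the Python script below checks the text of a registry export for exactly the three changes just listed: a Run value launching an executable dropped straight into the Windows directory, hijacked open handlers for the six file types, and DisableRegistryTools. The two sample exports are constructed; vhqtx.exe and xkqplm are invented placeholders for the worm's random file and value names, and the regedit.exe prefix used as the clean default for .reg files is assumed from Windows XP.

```python
"""
Audit a Windows .reg export for Swen-style persistence: a Run value that
launches an executable dropped into the Windows directory root, hijacked
BAT/COM/EXE/PIF/REG/SCR open handlers, and DisableRegistryTools.
Added example, not Kaspersky's or F-Secure's code; it works on the
exported text, so it runs offline on any platform.
"""
import re
from typing import Dict, List, Tuple, Union

Value = Union[str, bytes, int]
Finding = Tuple[str, str, str]  # (category, registry key, offending data)

# How each handler command begins on a clean system.  "%1" is the file the
# user launched; the regedit.exe prefix is assumed from Windows XP.
CLEAN_HANDLER_PREFIX = {
    r"batfile\shell\open\command": '"%1"',
    r"comfile\shell\open\command": '"%1"',
    r"exefile\shell\open\command": '"%1"',
    r"piffile\shell\open\command": '"%1"',
    r"scrfile\shell\open\command": '"%1"',
    r"scrfile\shell\config\command": '"%1"',
    r"regfile\shell\open\command": "regedit.exe",
}

# Executable directly in the Windows directory root: Swen drops itself
# there, whereas system components live in system32 and deeper.
WINDIR_ROOT_EXE = re.compile(
    r'^"?[a-z]:\\(?:windows|winnt)\\[^\\"]+\.(?:exe|scr|pif|com|bat)\b', re.I)


def _unescape(s: str) -> str:
    """Undo .reg escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def _parse_data(data: str) -> Value:
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    if data.lower().startswith("hex:"):  # single-line hex values only
        return bytes.fromhex(data[4:].replace(",", "").replace("\\", ""))
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, Value]]:
    """Minimal .reg parser: [key] sections with "name"=data or @=data lines."""
    keys: Dict[str, Dict[str, Value]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else _unescape(name.strip('"'))
        keys[current][name] = _parse_data(data.strip())
    return keys


def audit_reg_export(text: str) -> List[Finding]:
    """Return every Swen-style persistence artefact found in the export."""
    findings: List[Finding] = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        for handler, prefix in CLEAN_HANDLER_PREFIX.items():
            if k.endswith(handler.lower()):
                cmd = str(values.get("(Default)", ""))
                if not cmd.strip().lower().startswith(prefix.lower()):
                    findings.append(("filetype-hijack", key, cmd))
        if k.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if isinstance(data, str) and WINDIR_ROOT_EXE.match(data):
                    findings.append(("run-key-in-windir", key, f"{name} = {data}"))
        if k.endswith(r"\policies\system"):
            data = values.get("DisableRegistryTools")
            if data and (data if isinstance(data, int) else any(data)):
                findings.append(("registry-tools-disabled", key, str(data)))
    return findings


# Constructed sample of an infected machine's export; 'vhqtx.exe' and
# 'xkqplm' stand in for the worm's random file and value names.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"xkqplm"="C:\\WINDOWS\\vhqtx.exe autorun"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\vhqtx.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="C:\\WINDOWS\\vhqtx.exe showerror"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="C:\\WINDOWS\\vhqtx.exe \"%1\" /S"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=hex:01,00,00,00
'''

# Constructed clean export for comparison.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
'''

if __name__ == "__main__":
    for category, key, data in audit_reg_export(INFECTED_REG):
        print(f"{category:24} {key}\n{'':24} {data}")
```

On a live machine, export the keys with reg export (e.g. reg export HKCR\exefile exefile.reg; the tool writes UTF-16, so open the file with encoding="utf-16") and feed the concatenated text to audit_reg_export. The Run-key rule is only a heuristic keyed on the worm's habit of dropping into the Windows root; the handler check is the reliable one, because a clean command for these types always starts with "%1" (or regedit.exe).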

When first launched, the worm accesses the following remote web site:

http://ww2.fce.vutbr.cz/bin/counter.gif/link=bacillus&width=6&set=cnt006

This is a hit counter, which lets the author gauge the number of infected computers.

If a new copy of the worm is executed on an already infected machine, the worm displays a message box.

The worm scans all disks for files with the extensions DBX, MDX, EML and WAB, and for files whose extension contains HT or ASP (HTM, HTML, ASP and the like). It extracts any e-mail addresses it finds and saves them in a file named germs0.dbv.

To send the infected e-mails the worm attempts to connect to one of the 350 SMTP servers listed in the file swen1.dat. If no connection can be made, the worm displays a fake "MAPI32 Exception" error message and asks the user to enter a valid e-mail address and SMTP server.


Propagation via Email

The worm mails itself to all available addresses using a direct connection to an SMTP server. The infected emails are in HTML format and contain an attachment (the actual worm).

Sender name (consists of several parts):

  1. Microsoft
    MS

  2. (may not be used)
    Corporation

  3. (may not be used)
    Program
    Internet
    Network

  4. (always included with part 3)
    Security

  5. (may not be used)
    Division
    Section
    Department
    Center

  6. (may not be used)
    Public
    Technical
    Customer

  7. (may not be used)
    Bulletin
    Services
    Assistance
    Support

For example:

Microsoft Internet Security Section
MS Technical Assistance

Sender address (consists of 2 parts):

  • before "@": random sequence (example: tuevprkpevcg-gxwi@, dwffa@);
  • after "@": consists of 2 parts (though only one may be used):

    1. news
      newsletter
      bulletin
      confidence
      advisor
      updates
      technet
      support

    2. msdn
      microsoft
      ms
      msn

    For example: "newsletter.microsoft" or simply "support". When two parts are used they are separated by "." or "_".

    The top-level domain is then either "com" or "net".

Subject (consists of various parts):

  1. Latest
    New
    Last
    Newest
    Current

  2. Net
    Network
    Microsoft
    Internet

  3. Security
    Critical

  4. Upgrade
    Pack
    Update
    Patch

Body (the salutation is MS Client, MS Consumer, MS Partner or MS User, chosen at random):

MS Client
this is the latest version of security update, the
"September 2003, Cumulative Patch" update which resolves
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express.
Install now to protect your computer
from these vulnerabilities, the most serious of which could
allow an attacker to run code on your system.
This update includes the functionality of all previously released patches.

System requirements: Windows 95/98/Me/2000/NT/XP
This update applies to:
- MS Internet Explorer, version 4.01 and later
- MS Outlook, version 8.00 and later
- MS Outlook Express, version 4.01 and later

Recommendation: Customers should install the patch at the earliest opportunity.
How to install: Run attached file. Choose Yes on displayed dialog box.
How to use: You don't need to do anything after installing this item.

Signature:

Microsoft Product Support Services and Knowledge Base articles can be found on the Microsoft Technical Support web site.
http://support.microsoft.com/

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site
http://www.microsoft.com/security/

Thank you for using Microsoft products.

Please do not reply to this message.
It was sent from an unmonitored e-mail address and we are unable to respond to any replies.

----------------------------------------------
The names of the actual companies and products mentioned herein are the trademarks of their respective owners.

Attachment name:

patch[random number].exe
install[random number].exe
q[random number].exe
update[random number].exe

The message may also be far simpler, posing as a delivery-failure notice. In that form:

  • The Subject may contain:

    Letter
    Advise
    Message
    Announcement
    Report
    Notice
    Bug
    Error
    Abort
    Failed
    User Unknown

  • The body may contain:

    Hi!
    This is the qmail program
    Message from [random value]
    I'm sorry
    I'm sorry to have to inform that
    I'm afraid
    I'm afraid I wasn't able to deliver your message to the following addresses
    the message returned below could not be delivered
    I wasn't able to deliver your message
    to one or more destinations

In some cases the worm may send copies of itself in archived form - ZIP or RAR.
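
As an added example (not code from Kaspersky, F-Secure or the worm itself), the Python script below turns the sender, subject and attachment vocabularies listed above into a mail-gateway detector, and also checks for the MS01-020 MIME trick the description refers to as the IFrame vulnerability: an executable declared with a media type that unpatched Outlook/Outlook Express auto-opened, referenced from a hidden IFRAME. The two messages are constructed samples (addresses and boundary strings invented), the set of auto-opened media types is a partial assumption rather than the bulletin's full list, and the delivery-failure variant of the lure is not covered by the subject rule.

```python
"""
Detector for Swen-style lure e-mails.  Added example: not Kaspersky's,
F-Secure's or the worm's code.  Runs offline on a raw RFC 822 message.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List

# Regexes built from the sender-name, sender-address, subject and
# attachment-name vocabularies listed in the description above.
SENDER_NAME = re.compile(
    r"^(?:Microsoft|MS)(?: Corporation)?"
    r"(?: (?:Program|Internet|Network) Security)?"
    r"(?: (?:Division|Section|Department|Center))?"
    r"(?: (?:Public|Technical|Customer))?"
    r"(?: (?:Bulletin|Services|Assistance|Support))?$", re.I)
_P1 = r"(?:news|newsletter|bulletin|confidence|advisor|updates|technet|support)"
_P2 = r"(?:msdn|microsoft|ms|msn)"
SENDER_ADDR = re.compile(rf"^[a-z-]+@(?:{_P1}(?:[._]{_P2})?|{_P2})\.(?:com|net)$", re.I)
SUBJECT = re.compile(
    r"^(?:Latest|New|Last|Newest|Current) (?:Net|Network|Microsoft|Internet) "
    r"(?:Security|Critical) (?:Upgrade|Pack|Update|Patch)$", re.I)
ATTACHMENT = re.compile(r"^(?:patch|install|q|update)\d+\.(?:exe|zip|rar)$", re.I)
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*src\s*=\s*['\"]?cid:", re.I)

# MS01-020: unpatched IE/Outlook auto-opened attachments carrying a "safe"
# media type, so worms labelled an .exe as audio.  Partial list (assumption).
AUTO_OPEN_TYPES = {"audio/x-wav", "audio/x-midi"}
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")


def classify_message(raw: str) -> Dict[str, object]:
    """Return the Swen indicators found in one message and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators: List[str] = []

    name, addr = parseaddr(str(msg.get("From", "")))
    if SENDER_NAME.match(name.strip()) and SENDER_ADDR.match(addr):
        indicators.append("spoofed-microsoft-sender")
    if SUBJECT.match(str(msg.get("Subject", "")).strip()):
        indicators.append("lure-subject")

    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        if ctype == "text/html" and HIDDEN_IFRAME.search(part.get_content()):
            indicators.append("hidden-iframe")
        if ATTACHMENT.match(fname):
            indicators.append("lure-attachment-name")
        if ctype in AUTO_OPEN_TYPES:
            payload = part.get_payload(decode=True) or b""
            # Declared as audio, but named or shaped like a PE executable
            if fname.lower().endswith(EXEC_EXT) or payload[:2] == b"MZ":
                indicators.append("ms01-020-mime-mismatch")

    # Two independent indicators are required so that a genuine Microsoft
    # newsletter or a lone patch123.exe does not trip the detector.
    return {"indicators": indicators, "verdict": len(indicators) >= 2}


# Constructed samples (not real captures); addresses and boundary invented.
# The base64 payload is a 21-byte PE header stub, not executable code.
SWEN_MAIL = """\
From: "Microsoft Internet Security Section" <tuevprkpevcg-gxwi@newsletter.microsoft.com>
To: user@example.org
Subject: Latest Internet Security Update
MIME-Version: 1.0
Content-Type: multipart/related; boundary="bnd01"

--bnd01
Content-Type: text/html; charset="us-ascii"

<html><body>MS User this is the latest version of security update ...
<iframe src="cid:patch1838" width="0" height="0"></iframe></body></html>
--bnd01
Content-Type: audio/x-wav; name="patch1838.exe"
Content-Transfer-Encoding: base64
Content-ID: <patch1838>

TVqQAAMAAAAEAAAA//8AALgAAAAA
--bnd01--
"""

CLEAN_MAIL = """\
From: "Alice Example" <alice@example.org>
To: user@example.org
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

See you Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("swen", SWEN_MAIL), ("clean", CLEAN_MAIL)):
        print(label, classify_message(raw))
```

Feed stored messages in with classify_message(open(path).read()). The MIME-mismatch rule is the one worth keeping after the Swen vocabulary has aged: a part whose declared media type does not match an executable name or an MZ header is suspicious regardless of who it claims to be from.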


Propagation via Kazaa

Swen propagates via the Kazaa file-sharing network by copying itself under random names into the Kazaa Lite shared directory. It also creates a randomly named subdirectory in the Windows Temp folder and places several randomly named copies of itself there.

That folder is then registered in the Windows registry as Kazaa "local content", i.e. as a shared folder:

HKCU\Software\Kazaa\LocalContent
  dir99 = 012345:%Windir%\%temp%\folder name

As a result, the copies created by Swen are offered to other Kazaa users.


Propagation via IRC channels

The worm checks for an installed mIRC client. If one is found, Swen modifies its script.ini file, adding its own propagation routine; the modified script then sends the infected file from the Windows directory to every user who joins an IRC channel the infected user is in.


Propagation via LAN

The worm scans all available drives. For every network drive it finds, it copies itself under a random name into the following folders (relative to the drive root), so that the copy is run at the next logon on the remote machine:

windows\all users\start menu\programs\startup
windows\start menu\programs\startup
winme\all users\start menu\programs\startup
winme\start menu\programs\startup
win95\all users\start menu\programs\startup
win95\start menu\programs\startup
win98\all users\start menu\programs\startup
win98\start menu\programs\startup
documents and settings\all users\start menu\programs\startup
documents and settings\default user\start menu\programs\startup
documents and settings\administrator\start menu\programs\startup
winnt\profiles\all users\start menu\programs\startup
winnt\profiles\default user\start menu\programs\startup
winnt\profiles\administrator\start menu\programs\startup


Other

The worm attempts to terminate, and to prevent from starting, any process whose name matches the following list (anti-virus products, personal firewalls, and the system tools regedit and msconfig):

_avp, ackwin32, anti-trojan, aplica32, apvxdwin, autodown, avconsol, ave32, avgcc32,
avgctrl, avgw, avkserv, avnt, avp, avsched32, avwin95, avwupd32, blackd,
blackice, bootwarn, ccapp, ccshtdwn, cfiadmin, cfiaudit, cfind, cfinet, claw95,
dv95, ecengine, efinet32, esafe, espwatch, f-agnt95, findviru, fprot, f-prot,
fprot95, f-prot95, fp-win, frw, f-stopw, gibe, iamapp, iamserv, ibmasn,
ibmavsp, icload95, icloadnt, icmon, icmoon, icssuppnt, icsupp, iface, iomon98,
jedi, kpfw32, lockdown2000, lookout, luall, moolive, mpftray, msconfig, nai_vs_stat,
navapw32, navlu32, navnt, navsched, navw, nisum, nmain, normist, nupdate,
nupgrade, nvc95, outpost, padmin, pavcl, pavsched, pavw, pcciomon, pccmain,
pccwin98, pcfwallicon, persfw, pop3trap, pview, rav, regedit, rescue, safeweb,
serv95, sphinx, sweep, tca, tds2, vcleaner, vcontrol, vet32, vet95,
vet98, vettray, vscan, vsecomr, vshwin32, vsstat, webtrap, wfindv32, zapro,
zonealarm

When one of these programs is started, Swen displays a fake error message in its place.

Copyright © 1996 - 2005 Kaspersky Lab. All rights reserved.