F-Secure Virus Descriptions: Swen
This virus is ranked as Level 1 alert under F-Secure Radar.
Name: Swen
Alias: I-Worm.Swen, W32/Swen.A@mm, W32/Gibe.E@MM, Gibe.E, Swen.A
Swen is a worm that replicates via e-mail, the local network (LAN), IRC and Kazaa. It uses a vulnerability in Internet Explorer to execute directly from e-mail. The Swen worm appeared on 18 September 2003. It was most likely written by the author of the Gibe worm (Begbie), and it has features similar to the latest Gibe variants.
Disinfection Tool
F-Secure provides a special tool to disinfect the Swen worm. The tool and disinfection instructions are available at:
ftp://ftp.europe.f-secure.com/anti-virus/tools/swentool.zip
ftp://ftp.europe.f-secure.com/anti-virus/tools/swentool.txt
ftp://ftp.europe.f-secure.com/anti-virus/tools/swentool.com
Please make sure you read the SWENTOOL.TXT file before using the disinfection
tool.
Please note that the tool only disinfects the local infection of the Swen worm. It will not remove infected messages from your e-mail databases; you will have to delete all infected messages manually and then compact the database to permanently destroy the deleted data.
Troubleshooting
In some cases, when the Swen executable is deleted or renamed by an anti-virus program without the Registry being fixed, it becomes impossible to run executable files on the computer. This happens because Windows can't find the file that the executable association points to (in this case Swen's file) on the hard disk. If you have this problem, please download the following file:
ftp://ftp.europe.f-secure.com/anti-virus/tools/swenfix.exe
or
ftp://ftp.europe.f-secure.com/anti-virus/tools/swentool.zip
Then rename SWENFIX.EXE to the name of the deleted Swen executable (the name Windows asks for) and copy that file to the Windows folder. After that you will be able to run SWENTOOL.COM to disinfect your computer.
Note that when Swen's executable has been deleted or renamed, whether manually or by an anti-virus program, SWENTOOL will not automatically scan all your hard disks; it will show a 'Nothing to clean' message. To make the tool scan all available hard disks you have to run it with the /SCANFILES command line option. To do this, follow these instructions:
1. Click the 'Start' button and select 'Run'.
2. In the dialog box that appears, type the following:
swentool /scanfiles
3. Press 'Enter' to run the tool.
If your SWENTOOL.COM file is not found, you will have to specify the
path to it in the command line:
<drive>:\<path>\swentool /scanfiles
The <drive> and <path> are the names of the drive and folder
where the SWENTOOL.COM file was downloaded and saved, for example if you put the tool to 'c:\temp' folder, the command line
will look like this:
c:\temp\swentool /scanfiles
After the SWENTOOL finishes scanning your hard disk, it is recommended
to restart your computer. After restart your computer should be clean.
The worm's file is a Windows PE executable 106496 bytes long. It is not compressed by any file compressor.
Installation to system
When the worm's file is run, it checks whether it is already installed and, if not, copies its file to the Windows directory under a random name (for example MLMHP.EXE) and creates a startup key for this file in the Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<random_characters>" = "<random_characters>.exe /autorun"
where <random_characters> is the name of the worm's file. This
way the worm's file is always started with Windows.
If the worm is already installed on a computer, it shows the following
messagebox:
Otherwise the worm shows the following messagebox:
Microsoft Internet Update Pack
This will install Microsoft Security Update.
Do you wish to continue?
If the user clicks 'No', the worm installs itself silently.
If the user clicks 'Yes', the worm shows a fake installation dialog:
and after some time it reports successful installation:
During installation the worm creates a batch file that has a name of
an infected workstation. This batch file contains the following text:
@ECHO OFF
IF NOT "%1"=="" <name>.exe %1
where <name> is the name of the worm's executable file.
The worm extracts the list of SMTP and NNTP servers from its body into
the SWEN1.DAT file that is placed into Windows directory.
Then the worm modifies the default open commands for BAT, SCR, EXE, REG and PIF files in the Registry:
[HKCR\exefile\shell\open\command]
[HKCR\regfile\shell\open\command]
[HKCR\scrfile\shell\open\command]
[HKCR\piffile\shell\open\command]
[HKCR\batfile\shell\open\command]
[HKCR\scrfile\shell\config\command]
As a result, the worm gets control every time a user tries to run an executable or registry file.
Additionally the worm disables Registry tools by creating the following
key:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = dword:00000001
As a result the user will not be able to run the Regedit utility or import REG file data. The worm shows the following messagebox in such a case:
The numbers in this messagebox are randomly-generated.
The worm creates a set of subkeys in the following key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
These subkeys contain information about SMTP server, user's e-mail,
key name of installed worm's file, name of infected computer user, name of a zip archive that the worm tries to create using
WinZip, name of mIRC folder and some other data.
During the installation process the worm enables sharing for the Kazaa client, copies itself several times into Kazaa shared folders and replaces the mIRC client's SCRIPT.INI with one that sends the worm's file to every user joining a channel where the infected user is present. The worm also copies its file to the startup folders of remote computers via the network.
Spreading in local network
The worm attempts to spread itself via local network (LAN). It looks
for mapped network drives, accesses them and if it finds the following directories in the root folder:
Win98
Win95
WinMe
Windows
it copies its file with a random name to the following folders:
\%WinDir%\Start menu\Programs\Startup
\Documents and Settings\All Users\Start menu\Programs\Startup
\Documents and Settings\Administrator\Start menu\Programs\Startup
\Documents and Settings\Default User\Start menu\Programs\Startup
\Winnt\Profiles\All Users\Start menu\Programs\Startup
\Winnt\Profiles\Administrator\Start menu\Programs\Startup
\Winnt\Profiles\Default User\Start menu\Programs\Startup
As a result remote computers will become infected with the worm after
they are restarted.
Spreading in IRC networks
The worm creates its own SCRIPT.INI file in mIRC installation folder.
This script makes an IRC client send a file called 'WinZip installer.zip' to every user joining a channel where an infected
user is present.
Spreading in Kazaa networks
The worm modifies the Registry to enable sharing for Kazaa client,
then it locates Kazaa shared folder and copies itself there with a generated name. The name is generated from the following
strings:
Kazaa Lite
KaZaA media desktop
KaZaA
WinRar
WinZip
Winamp
Mirc
Download Accelerator
GetRight FTP
Windows Media Player
key generator
hack
hacked
warez
upload
installer
Bugbear
Yaha
Gibe
Sircam
Sobig
Klez
remover
removal tool
cleaner
fixtool
AOL hacker
Yahoo hacker
Hotmail hacker
10.000 Serials
Jenna Jameson
HardPorn
Sex
XboX Emulator
Emulator PS2
XP update
XXX Video
Sick Joke
XXX Pictures
My naked sister
Hallucinogenic Screensaver
Cooking with Cannabis
Magic Mushrooms Growing
Virus Generator
These files can have EXE or ZIP extensions.
Spreading in e-mails and to newsgroups
The worm periodically scans HTML and ASP files on the hard drive and stores the e-mail addresses it finds in the GERMS0.DBV file in the Windows folder. The worm also reads .EML, .DBX, .WAB and .MBX files and fetches e-mail addresses from there. It does not fetch addresses containing the strings 'delete' or 'spam'.
The worm can also search for e-mail addresses in newsgroups. It connects to the NNTP servers listed in the SWEN1.DAT file, gets the list of all newsgroups on each server and searches recent messages in these newsgroups for 'nfrom:' and 'nreply-to:' tags. When such tags are found, the worm takes the e-mail addresses after them and writes them to the GERMS0.DBV file. This way the worm can harvest a lot of e-mail addresses to send itself to.
The worm can post its e-mails to newsgroups, the names of which it
finds during searching process. The worm sends the same kind of messages as it sends via e-mail.
The worm reads SMTP server address and user name from the Registry.
However, if it can't find this info, it shows a fake MAPI error dialog asking a user to input that data:
The worm sends itself in very legitimate-looking messages composed from different text strings hardcoded in its body. It also checks the current date and uses the current month in the text of the message, so it spreads with a different message in each month of the year.
Here is an example of such message sent in September:
The attachment name, subject and part of the infected message is randomly
composed from text strings hardcoded in the worm's body.
The fake sender's address is selected from the following parts:
MS
Microsoft
Corporation
Program
Internet
Network
Security
Division
Section
Department
Center
Technical
Public
Customer
Bulletin
Services
Assistance
Support
The domain name for these e-mails is selected from the following parts:
news
bulletin
confidence
advisor
updates
technet
support
newsletters
The domain suffix for these e-mails is selected from the following
parts:
ms
msn
msdn
microsoft
followed by one of the following:
.com
.net
The fake recipient's address is also composed from the above shown
strings, however the fake recipient's name is selected from the following parts:
Commercial
MS
Microsoft
Corporation
Customer
User
Partner
Consumer
Client
The subject is composed from the following parts:
Current
Newest
Last
New
Latest
Net
Network
Microsoft
Internet
Critical
Security
Patch
Update
Pack
Upgrade
The worm is usually attached to infected messages as an EXE file. The
attachment name is randomly generated from numbers and the following parts:
upgrade
update
patch
q
install
installer
installation
For example the infected attachment name can be Q591362.EXE or UPDATE98.EXE.
The IFrame exploit is not present in such messages. In some cases the worm's attachment can be in a ZIP archive.
The worm can also compose fake forwarded or bounced e-mails from the
following parts:
RE:
FWD:
FW:
Check
Check out
Prove
Try
Taste
Try on
Look at
Take a look at
See
Watch
Use
Apply
Install
this
that
the
these
important
internet
critical
security
corrective
correction
patch
update
pack
upgrade
for
MS
Microsoft
Windows
Internet Explorer
which
that
comes
from
the
MS
M$
Microsoft
Corporation
Corp.
The bodies of bounced e-mails can have the following text strings:
Hi.
This is the qmail program
Message from
I'm sorry
I'm sorry to have to inform you that
I'm afraid
I wasn't able to deliver your message
the message returned below could not be delivered
to the following addresses:
to one or more destinations.
Undeliverable
Undelivered
message
mail
Message follows:
Such e-mails usually contain the IFrame exploit and the worm's file with a PIF, BAT, COM, SCR or EXE extension, and there is no Microsoft-like message body in them. The IFrame exploit makes the worm's attachment start automatically on older or unpatched versions of certain e-mail clients.
Payload
The worm terminates processes of security and anti-virus software that
have the following strings in their names:
_avp
ackwin32
anti-trojan
aplica32
apvxdwin
autodown
avconsol
ave32
avgcc32
avgctrl
avgw
avkserv
avnt
avp
avsched32
avwin95
avwupd32
blackd
blackice
bootwarn
ccapp
ccshtdwn
cfiadmin
cfiaudit
cfind
cfinet
claw95
dv95
ecengine
efinet32
esafe
espwatch
f-agnt95
findviru
fprot
f-prot
fprot95
f-prot95
fp-win
frw
f-stopw
gibe
iamapp
iamserv
ibmasn
ibmavsp
icload95
icloadnt
icmon
icmoon
icssuppnt
icsupp
iface
iomon98
jedi
kpfw32
lockdown2000
lookout
luall
moolive
mpftray
msconfig
nai_vs_stat
navapw32
navlu32
navnt
navsched
navw
nisum
nmain
normist
nupdate
nupgrade
nvc95
outpost
padmin
pavcl
pavsched
pavw
pcciomon
pccmain
pccwin98
pcfwallicon
persfw
pop3trap
pview
rav
regedit
rescue
safeweb
serv95
sphinx
sweep
tca
tds2
vcleaner
vcontrol
vet32
vet95
vet98
vettray
vscan
vsecomr
vshwin32
vsstat
webtrap
wfindv32
zapro
zonealarm
The worm also does not allow files that have the above strings in their names to start. When such a file is started, the worm shows the following messagebox and stops the execution of that file:
The numbers in this messagebox are randomly generated.
If the worm finds a debugger in a system, it shows a messagebox with
the following text:
Try to pull my legs?
Infection counter
The worm keeps its own counter on a certain web page. Every infected computer tries to access that page, which increments the counter. At the time this description was written (18 September, 20:00 GMT) the counter value was over 510000, but we believe this is not the actual number of infected computers.
Swen.B
This minor variant was found on 9 October 2003. It was created by compressing the original worm with UPX, which shrank the file from 106496 bytes to 52224 bytes and made it undetectable to some anti-virus programs.
In addition, many references to Microsoft in the original virus have
been changed to references to Tiscali, an Italian ISP.
F-Secure Anti-Virus detected this modified version of the virus without
any need for updates.
Swen.C
This minor variant was also found on 9 October 2003. Like the previous variant, it is compressed with UPX; the packed file size is 52224 bytes.
Swen.C has a slightly different set of text strings, mentioning both Tiscali and Microsoft and also the name of Tiscali's CEO, Renato Soru. A few Tiscali links present in the B variant were slightly modified.
F-Secure Anti-Virus detects Swen.A with the update released on September 18th, 2003:
[FSAV_Database_Version]
Version=2003-09-18_03
F-Secure Anti-Virus detects Swen.B and Swen.C variants without any
need for updates.
Technical Details: Alexey Podrezov and Katrin Tocheva; September
18th - October 9th, 2003
F-Secure Corporation
I-Worm.Swen
I-Worm.Swen (Kaspersky Lab) is also known as: W32/Swen@MM (McAfee), W32.Swen.A@mm (Symantec), Win32.HLLM.Gibe.2 (Doctor Web), W32/Gibe-F (Sophos), Win32/Swen.A@mm (RAV), WORM_SWEN.A (Trend Micro), Worm/Gibe.C.1 (H+BEDV), W32/Swen.A@mm (FRISK), Win32:Swen (ALWIL), I-Worm/Swen.A (Grisoft), Win32.Swen.A@mm (SOFTWIN), Worm.Gibe.F (ClamAV), W32/Gibe.C.worm (Panda), Win32/Swen.A (Eset)
Swen is a very dangerous worm that spreads across the Internet via e-mail (as an infected file attachment), the Kazaa file-sharing network, IRC channels, and open network shares.
Swen is written in Microsoft Visual C++ and is 105 KB (106496 bytes) in size.
The worm activates when a victim launches the infected file (double-clicking the attachment) or when the victim's e-mail client is vulnerable to the IFrame.FileDownload vulnerability (also exploited by the Klez and Tanatos worms). Once run, Swen installs itself in the system and begins its propagation routine.
The patch for the IFrame vulnerability, released in March 2001, is Microsoft Security Bulletin MS01-020.
The worm blocks many anti-virus programs and firewalls. Its algorithm and parts of its text strings are almost identical to those of another Internet worm, I-Worm.Gibe, although the programming language used is different.
Installation
When first launched, the worm may display the "Microsoft Internet Update Pack" message box. Then it imitates patch installation:
The worm then copies itself into the Windows directory under one of the names below. The name may consist of several parts.
First possibility:
- Kazaa Lite, KaZaA media desktop, KaZaA, WinRar, WinZip, Winamp, Mirc, Download Accelerator, GetRight FTP, Windows Media Player
- Key generator, Hack, Hacked, Warez, Upload, Installer
Second possibility:
- Bugbear, Yaha, Gibe, Sircam, Sobig, Klez
- Remover, RemovalTool, Cleaner, Fixtool
Third possibility:
- Aol Hacker, Yahoo Hacker, Hotmail Hacker, 10.000 Serials, Jenna Jameson, Hardporn, Sex, Xbox Emulator, Emulator Ps2, Xp Update, Xxx Video, Sick Joke, Xxx Pictures, My Naked Sister, Hallucinogenic Screensaver, Cooking With Cannabis, Magic Mushrooms Growing, Virus Generator
The new file is registered in the Windows system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<random sequence> = %windir%\<file name> /autorun
An identification key is created, which contains the worm's configuration settings:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\<random sequence>
The worm then creates a file named after the infected host machine, with a BAT extension, in the Windows folder. The file contains the following commands:
@ECHO OFF
IF NOT "%1"=="" <name>.exe %1
Then the worm changes the key values under HKLM\Software\Classes so that it is invoked every time a BAT, COM, EXE, PIF, REG or SCR file is launched:
HKCR\batfile\shell\open\command
Default = %windir%\<worm file> "%1" %*
HKCR\comfile\shell\open\command
Default = %windir%\<worm file> "%1" %*
HKCR\exefile\shell\open\command
Default = %windir%\<worm file> "%1" %*
HKCR\piffile\shell\open\command
Default = %windir%\<worm file> "%1" %*
HKCR\regfile\shell\open\command
Default = %windir%\<worm file> showerror
HKCR\scrfile\shell\config\command
Default = %windir%\<worm file> "%1"
HKCR\scrfile\shell\open\command
Default = %windir%\<worm file> "%1" /S
It disables the user's ability to edit the system registry:
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = 01 00 00 00
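The command-key hijack just described (and listed in the F-Secure section earlier on this page) is simple to audit and to undo, because the clean values of those keys are fixed on a stock Windows installation; the same repair covers the "cannot run executables" situation in the Troubleshooting section above, which is what happens when the interposed handler file is deleted before the keys are restored. The script below is an added example, not code from F-Secure or Kaspersky. It compares the seven command keys Swen rewrites, plus the DisableRegistryTools policy, against their stock Windows 2000/XP defaults, names the interposed handler file, and emits a .reg fragment that restores the defaults. `collect_live_values` reads the live registry through the standard `winreg` module when run on Windows; `SAMPLE_HIJACKED` is a constructed set of values mirroring this description, with `mlmhp.exe` as an assumed worm file name.

```python
import re
import sys

# Stock command values for a default Windows 2000/XP installation
# (default value of HKEY_CLASSES_ROOT\<class>\shell\<verb>\command).
DEFAULT_COMMANDS = {
    r"batfile\shell\open\command": '"%1" %*',
    r"comfile\shell\open\command": '"%1" %*',
    r"exefile\shell\open\command": '"%1" %*',
    r"piffile\shell\open\command": '"%1" %*',
    r"regfile\shell\open\command": 'regedit.exe "%1"',
    r"scrfile\shell\open\command": '"%1" /S',
    r"scrfile\shell\config\command": '"%1"',
}
POLICY_KEY = r".DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# An interposed handler is a "<path>\<name>.exe" placed in front of the original
# arguments; capture it so the report names the file that must be removed.
HANDLER_RE = re.compile(
    r'^"?(?P<exe>(?:%windir%|[A-Za-z]:)\\[^"\s]+\.exe)"?\s', re.IGNORECASE)

# Constructed sample mirroring the values in the description above;
# "mlmhp.exe" is an assumed worm file name (the real one is random).
SAMPLE_HIJACKED = {
    r"batfile\shell\open\command": r'%windir%\mlmhp.exe "%1" %*',
    r"comfile\shell\open\command": r'%windir%\mlmhp.exe "%1" %*',
    r"exefile\shell\open\command": r'%windir%\mlmhp.exe "%1" %*',
    r"piffile\shell\open\command": r'%windir%\mlmhp.exe "%1" %*',
    r"regfile\shell\open\command": r'%windir%\mlmhp.exe showerror',
    r"scrfile\shell\open\command": r'%windir%\mlmhp.exe "%1" /S',
    r"scrfile\shell\config\command": r'%windir%\mlmhp.exe "%1"',
}
SAMPLE_POLICY = 1


def audit(commands, disable_regtools=0):
    """Compare observed command values with the defaults; return a list of findings."""
    findings = []
    for key, expected in DEFAULT_COMMANDS.items():
        observed = commands.get(key)
        if observed is None or observed.strip().lower() == expected.lower():
            continue
        m = HANDLER_RE.match(observed.strip())
        findings.append({"key": key, "observed": observed, "expected": expected,
                         "handler": m.group("exe") if m else None})
    if disable_regtools:
        findings.append({"key": POLICY_KEY, "observed": disable_regtools,
                         "expected": 0, "handler": None})
    return findings


def restore_reg(findings):
    """Emit a .reg fragment that puts every flagged value back to its default."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        if f["key"] == POLICY_KEY:
            lines += [f"[HKEY_USERS\\{POLICY_KEY}]",
                      '"DisableRegistryTools"=dword:00000000', ""]
        else:
            # .reg string syntax escapes backslashes and double quotes.
            value = f["expected"].replace("\\", "\\\\").replace('"', '\\"')
            lines += [f"[HKEY_CLASSES_ROOT\\{f['key']}]", f'@="{value}"', ""]
    return "\n".join(lines)


def collect_live_values():
    """Read the live values (Windows only); returns (commands, disable_regtools)."""
    import winreg
    commands = {}
    for key in DEFAULT_COMMANDS:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, key) as h:
                commands[key] = winreg.QueryValueEx(h, "")[0]
        except OSError:
            pass  # class or verb not present on this system
    try:
        with winreg.OpenKey(winreg.HKEY_USERS, POLICY_KEY) as h:
            flag = winreg.QueryValueEx(h, "DisableRegistryTools")[0]
    except OSError:
        flag = 0
    return commands, flag


if __name__ == "__main__":
    live = sys.platform == "win32"
    cmds, flag = collect_live_values() if live else (SAMPLE_HIJACKED, SAMPLE_POLICY)
    found = audit(cmds, flag)
    for f in found:
        print(f"{f['key']}: observed {f['observed']!r}, expected {f['expected']!r}"
              + (f", handler {f['handler']}" if f["handler"] else ""))
    if found:
        print(restore_reg(found))
```

Two caveats: a value that differs from the default is not automatically Swen (some third-party tools legitimately change the scrfile verbs), so read the `handler` field before restoring; and while DisableRegistryTools is set, Regedit refuses to import the fragment, so clear that value first with `reg.exe`, which the policy does not block, or get an executable running again through the swenfix step described above.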
When first launched, the worm accesses the following remote website:
http://ww2.fce.vutbr.cz/bin/counter.gif/link=bacillus&width=6&set=cnt006
This counter indicates the number of infected computers.
When an attempt is made to run a new copy of the worm on an already infected machine, the worm displays the following message:
The worm scans all disks for files with the extensions DBX, MDX, EML and WAB, and for files whose extension contains HT or ASP. Swen then extracts any e-mail addresses it can find and saves them in a file named germs0.dbv.
The worm attempts to connect to one of the 350 servers listed in the file swen1.dat in order to send infected e-mails. If no connection is possible, the worm displays the following error message about a MAPI 32 exception:
and requests a correct e-mail address as well as a correct SMTP server.
Propagation via Email
The worm mails itself to all available addresses using a direct connection to an SMTP server. The infected emails are in
HTML format and contain an attachment (the actual worm).
Sender name (consists of several parts):
- Microsoft, MS
- (may not be used) Corporation
- (may not be used) Program, Internet, Network
- (always included with part 3) Security
- (may not be used) Division, Section, Department, Center
- (may not be used) Public, Technical, Customer
- (may not be used) Bulletin, Services, Assistance, Support
For example:
Microsoft Internet Security Section
MS Technical Assistance
Sender address (consists of two parts):
- before "@": a random sequence (for example tuevprkpevcg-gxwi@, dwffa@);
- after "@": consists of two parts (though only one may be used):
  - news, newsletter, bulletin, confidence, advisor, updates, technet, support
  - msdn, microsoft, ms, msn
For example: "newsletter.microsoft" or simply "support". If two parts are used, they are separated by "." or "_". After the "." the top-level domain is either "com" or "net".
Subject (consists of various parts):
- Latest, New, Last, Newest, Current
- Net, Network, Microsoft, Internet
- Security, Critical
- Upgrade, Pack, Update, Patch
Body:
MS Client (Consumer, Partner, User - chosen at random) this is the latest version of security update, the "September 2003, Cumulative Patch" update which resolves all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your system. This update includes the functionality of all previously released patches.
System requirements: Windows 95/98/Me/2000/NT/XP
This update applies to:
- MS Internet Explorer, version 4.01 and later
- MS Outlook, version 8.00 and later
- MS Outlook Express, version 4.01 and later
Recommendation: Customers should install the patch at the earliest opportunity.
How to install: Run attached file. Choose Yes on displayed dialog box.
How to use: You don't need to do anything after installing this item.
Signature:
Microsoft Product Support Services and Knowledge Base articles can be found on the Microsoft Technical Support web site. http://support.microsoft.com/
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site http://www.microsoft.com/security/
Thank you for using Microsoft products.
Please do not reply to this message. It was sent from an unmonitored e-mail address and we are unable to respond to any replies.
----------------------------------------------
The names of the actual companies and products mentioned herein are the trademarks of their respective owners.
Attachment name:
patch[random number].exe, install[random number].exe, q[random number].exe, update[random number].exe
The actual content of the body may be less complicated, depending on various circumstances.
- The subject may contain: Letter, Advise, Message, Announcement, Report, Notice, Bug, Error, Abort, Failed, User, Unknown
- The body may contain: Hi! This is the qmail program; Message from [random value]; I'm sorry; I'm sorry to have to inform that; I'm afraid; I wasn't able to deliver your message to the following addresses; the message returned below could not be delivered; I wasn't able to deliver your message to one or more destinations
In some cases the worm may send copies of itself in archived form (ZIP or RAR).
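The sender, subject and attachment grammars above (and the matching word lists in the F-Secure description earlier on this page) are narrow enough to turn into a mail-gateway check. The following is an added example, not code from Kaspersky or F-Secure: it parses a raw message with Python's standard `email` package and reports which Swen indicators it matches: a From: domain assembled from the listed word pairs under .com or .net, a subject built only from the four subject word groups, an attachment named `<word><digits>.exe` or `.zip`, and, for the bounce-style variant, an HTML part whose `<iframe>` points at a `cid:` part that carries an executable filename under a non-executable Content-Type, which is the MIME Content-Type mismatch that MS01-020 addresses. The two sample messages are constructed for the test; the addresses and the names `Q591362.exe` and `update.pif` are illustrative, not captured samples.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

EXEC_EXT = (".exe", ".pif", ".scr", ".bat", ".com")

# Word groups copied from the sender-address, subject and attachment grammars above.
_DOMAIN_A = r"(?:news|newsletters?|bulletin|confidence|advisor|updates|technet|support)"
_DOMAIN_B = r"(?:msdn|microsoft|ms|msn)"
SENDER_DOMAIN_RE = re.compile(
    rf"@(?:{_DOMAIN_A}[._]{_DOMAIN_B}|{_DOMAIN_A}|{_DOMAIN_B})\.(?:com|net)$", re.IGNORECASE)
SUBJECT_WORDS = {"current", "newest", "last", "new", "latest", "net", "network",
                 "microsoft", "internet", "critical", "security", "patch",
                 "update", "pack", "upgrade"}
ATTACH_RE = re.compile(
    r"^(?:upgrade|update|patch|q|install|installer|installation)\d+\.(?:exe|zip)$",
    re.IGNORECASE)
IFRAME_CID_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?cid:([^\"'\s>]+)", re.IGNORECASE)


def swen_indicators(raw_message: str) -> list:
    """Return the sorted names of the Swen indicators one raw RFC 822 message matches."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = set()

    if SENDER_DOMAIN_RE.search(parseaddr(msg.get("From", ""))[1]):
        hits.add("sender_domain")

    words = [w.lower() for w in re.findall(r"[A-Za-z]+", msg.get("Subject", ""))]
    if len(words) >= 2 and all(w in SUBJECT_WORDS for w in words):
        hits.add("subject_grammar")

    parts = [p for p in msg.walk() if not p.is_multipart()]
    for p in parts:
        if ATTACH_RE.match(p.get_filename() or ""):
            hits.add("attachment_name")

    # Bounce-style variant: <iframe src="cid:..."> pointing at a part that carries
    # an executable filename under a non-executable Content-Type (e.g. audio/x-wav).
    by_cid = {str(p["Content-ID"]).strip("<>"): p for p in parts if p["Content-ID"]}
    for p in parts:
        if p.get_content_type() != "text/html":
            continue
        for cid in IFRAME_CID_RE.findall(p.get_content()):
            target = by_cid.get(cid)
            if target is None:
                continue
            name = (target.get_filename() or "").lower()
            if name.endswith(EXEC_EXT) and target.get_content_maintype() != "application":
                hits.add("iframe_cid_exec")
    return sorted(hits)


# Constructed samples for the test; addresses and file names are illustrative only.
SAMPLE_PATCH_MAIL = """\
From: MS Technical Assistance <tuevprkpevcg-gxwi@newsletter.microsoft.com>
To: MS Customer <dwffa@support.msn.net>
Subject: Latest Internet Critical Pack
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

MS Client this is the latest version of security update ...
--b1
Content-Type: application/octet-stream; name="Q591362.exe"
Content-Disposition: attachment; filename="Q591362.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

SAMPLE_BOUNCE_MAIL = """\
From: Message from MS <ycxjd@bulletin_ms.com>
Subject: Undeliverable mail
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b2"

--b2
Content-Type: text/html

<html><body>Hi. This is the qmail program. I'm sorry to have to inform you that
the message returned below could not be delivered.
<iframe src="cid:swenpart" width="0" height="0"></iframe></body></html>
--b2
Content-Type: audio/x-wav; name="update.pif"
Content-ID: <swenpart>
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b2--
"""

if __name__ == "__main__":
    for label, sample in (("patch-style", SAMPLE_PATCH_MAIL), ("bounce-style", SAMPLE_BOUNCE_MAIL)):
        print(label, swen_indicators(sample))
```

Any single indicator is weak on its own (a genuine Microsoft newsletter could match the subject grammar), so treat the list as a score: the patch-style sample matches three indicators, the bounce-style sample two, and an ordinary message none.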
Propagation via Kazaa
Swen propagates via the Kazaa file-sharing network by copying itself under random names in the file exchange directory
in Kazaa Lite. It also creates a subdirectory in the Windows Temp folder with random names making several copies of itself
with random names as well.
This folder is identified in the Windows system registry as Local Content for Kazaa file-sharing system.
HKCU\Software\Kazaa\LocalContent
dir99 = 012345:%Windir%\%temp%\<folder name>
As a result, the new files created by Swen become available to other Kazaa network users.
Propagation via IRC channels
The worm scans for installed mIRC client. If it's detected Swen then modifies the script.ini file by adding its propagation
procedures. Whereupon the scrip.ini file sends the infected file from the Windows directory to all users that connect to the
now-infected IRC channel.
Propagation via LAN
The worm scans all available drives. If it finds a network drive, it copies itself under a random name into the following folders on it:
windows\all users\start menu\programs\startup
windows\start menu\programs\startup
winme\all users\start menu\programs\startup
winme\start menu\programs\startup
win95\all users\start menu\programs\startup
win95\start menu\programs\startup
win98\all users\start menu\programs\startup
win98\start menu\programs\startup
documents and settings\all users\start menu\programs\startup
documents and settings\default user\start menu\programs\startup
documents and settings\administrator\start menu\programs\startup
winnt\profiles\all users\start menu\programs\startup
winnt\profiles\default user\start menu\programs\startup
winnt\profiles\administrator\start menu\programs\startup
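The Startup-folder drop above is the part of Swen most visible from a file server, so an incident responder will want to enumerate exactly those paths on every share and mapped drive. The following is an added example, not code from either vendor: it builds the candidate Startup folders Swen writes to, relative to a drive or share root, lists the executables found there and labels any whose size matches the Swen.A (106496 bytes) or UPX-packed Swen.B/C (52224 bytes) sizes given on this page. The filename filter defaults to .exe, which is what the descriptions show, and `build_sample_tree` creates a constructed directory tree so the script runs offline; the file names in it are invented.

```python
import sys
import tempfile
from pathlib import Path

# File sizes given in the descriptions on this page: the unpacked Swen.A
# and the UPX-packed Swen.B / Swen.C variants.
SWEN_SIZES = {106496: "Swen.A (unpacked)", 52224: "Swen.B/C (UPX-packed)"}
STARTUP_TAIL = Path("Start Menu") / "Programs" / "Startup"
PROFILE_NAMES = ("All Users", "Administrator", "Default User")


def candidate_startup_dirs(root):
    """Every Startup folder Swen writes to, relative to a drive or share root."""
    root = Path(root)
    dirs = []
    for windir in ("Windows", "Win95", "Win98", "WinMe"):
        dirs.append(root / windir / STARTUP_TAIL)
        dirs.append(root / windir / "All Users" / STARTUP_TAIL)
    for profiles in (Path("Documents and Settings"), Path("Winnt") / "Profiles"):
        for name in PROFILE_NAMES:
            dirs.append(root / profiles / name / STARTUP_TAIL)
    return dirs


def sweep(root, exts=(".exe",)):
    """Return (path, size, label) for each executable found in a candidate folder.

    label is the matching Swen variant when the size is a known sample size,
    otherwise None; an unknown size still deserves a look, since a Startup
    folder on a share normally contains nothing at all.
    """
    found = []
    for d in candidate_startup_dirs(root):
        if not d.is_dir():
            continue
        for entry in sorted(d.iterdir()):
            if entry.is_file() and entry.suffix.lower() in exts:
                size = entry.stat().st_size
                found.append((str(entry), size, SWEN_SIZES.get(size)))
    return found


def build_sample_tree():
    """Constructed sample share: two Swen-sized drops, one odd-sized .exe, one text file."""
    root = Path(tempfile.mkdtemp(prefix="swen-sweep-"))
    files = {
        root / "Windows" / STARTUP_TAIL / "mlmhp.exe": 106496,
        root / "Win98" / "All Users" / STARTUP_TAIL / "helper.exe": 4096,
        root / "Documents and Settings" / "All Users" / STARTUP_TAIL / "readme.txt": 10,
        root / "Winnt" / "Profiles" / "Administrator" / STARTUP_TAIL / "qjzxw.exe": 52224,
    }
    for path, size in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\0" * size)
    return root


if __name__ == "__main__":
    # Usage: python swen_sweep.py \\fileserver\share D:\   (no arguments: sweep the sample tree)
    roots = sys.argv[1:] or [build_sample_tree()]
    for r in roots:
        for path, size, label in sweep(r):
            print(f"{path}\t{size}\t{label or 'size unknown'}")
```

Run it against each share root and mapped drive; on a live network the paths are case-insensitive, so the mixed-case names above match whatever case the share uses.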
Other
The worm attempts to block the launch and work of various anti-virus software and firewalls:
_avp
ackwin32
anti-trojan
aplica32
apvxdwin
autodown
avconsol
ave32
avgcc32
avgctrl
avgw
avkserv
avnt
avp
avsched32
avwin95
avwupd32
blackd
blackice
bootwarn
ccapp
ccshtdwn
cfiadmin
cfiaudit
cfind
cfinet
claw95
dv95
ecengine
efinet32
esafe
espwatch
f-agnt95
findviru
fprot
f-prot
fprot95
f-prot95
fp-win
frw
f-stopw
gibe
iamapp
iamserv
ibmasn
ibmavsp
icload95
icloadnt
icmon
icmoon
icssuppnt
icsupp
iface
iomon98
jedi
kpfw32
lockdown2000
lookout
luall
moolive
mpftray
msconfig
nai_vs_stat
navapw32
navlu32
navnt
navsched
navw
nisum
nmain
normist
nupdate
nupgrade
nvc95
outpost
padmin
pavcl
pavsched
pavw
pcciomon
pccmain
pccwin98
pcfwallicon
persfw
pop3trap
pview
rav
regedit
rescue
safeweb
serv95
sphinx
sweep
tca
tds2
vcleaner
vcontrol
vet32
vet95
vet98
vettray
vscan
vsecomr
vshwin32
vsstat
webtrap
wfindv32
zapro
zonealarm
When these are launched, Swen displays the following fake error message:
Copyright © 1996 - 2005 Kaspersky Lab. All rights reserved.