OT, the new worm...

  1. No Swan Songs - WORM_SWEN.A (Low Risk) WORM_SWEN.A is a non-destructive, mass-mailing worm that poses as a legitimate email from Microsoft Windows Update. In addition to its mass-mailing routine, it attempts to propagate via peer-to-peer (P2P) file-sharing networks (such as Kazaa), via IRC, and via newsgroups. WORM_SWEN.A also terminates antivirus and firewall software running on an infected system. This malware runs on Windows 95, 98, NT, ME, 2000, and XP.

Upon execution, the worm displays a fake error message box to disguise itself as a MAPI32 Execution Error. This requires users to input details of their email account, such as:

email address
username
Password
SMTP server
POP3 server

The worm then searches for the Windows directory and drops a copy of itself with a random file name in the %Windows% folder. It also creates a registry entry that allows it to run at every Windows startup. The executed malware then transfers execution to the dropped copy of the worm, and terminates.

The following files are also dropped by the worm in the Windows directory:

<computer name>.bat
<random name>.<random extension>
germs0.dbv
germs1.dbv
swen1.dat

This worm uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate via email. It obtains its target email addresses from .EML, .WAB, .DBX, and .MBX files in all directories of the infected system. When sending the email message, it connects to the default SMTP server of the infected machine.

Following are the characteristics of the infected email:

From: ms inet mail storage service [ snipped-for-privacy@freemail.com]

To: network receiver

Subject: <none>

Message Body: Hi. Undeliverable message to <user>@freemail.com

Attachment: <random name>.exe

Using its own SMTP engine, the malware also connects to any of several Network News Transfer Protocol (NNTP) servers where it searches for its target contacts.

The worm also attempts to drop copies of itself in a shared folder over peer-to-peer (P2P) file-sharing networks, with file names that use a combination of strings hard-coded in its body. It modifies registry entries to allow copies of itself to be shared in the Kazaa network.

WORM_SWEN.A attempts to propagate via mIRC application as well. It first searches for the mIRC installation directory and locates the SCRIPT.INI file. If the worm finds this file, it overwrites it with its own version of the SCRIPT.INI file. However, if the file does not exist, it creates this SCRIPT.INI file in the mIRC folder. The worm also attempts to drop copies of itself in all mapped Startup folders in network drives.

The worm terminates antivirus and firewall software that is running on an infected system.

If you would like to scan your computer for WORM_SWEN.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at:

formatting link
WORM_SWEN.A is detected and cleaned by Trend Micro pattern file #635 and above.

  2. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US (week of: September 8, 2003 to September 14, 2003)

WORM_SPYBOT.GEN
WORM_MSBLAST.D
JAVA_BYTVERIFY.A
WORM_MIMAIL.A
WORM_SOBIG.F
PE_NIMDA.E
BKDR_COREFLOOD.A
WORM_KLEZ.H
PE_PARITE.B
ADW_TENGET.A

--Shiva--


Yep.. got like 20 of those nasty e-mails today.. Deleted them all without opening them. Some even may be a 'bounced' or 'undeliverable mail' type of e-mail.

I check

formatting link
daily to keep up on those nasty critters.

Steve


yep, it's a virus. run this Fix Tool for W32.Swen.A@mm

formatting link
got this below from road runner. Warning - New Email Virus Claiming to Contain a Microsoft Security Patch

Please note we have received an increased number of incidents relating to a mass-mailing worm that poses as a legitimate email from Microsoft Windows Update. Please note that this is indeed a worm and NOT a security patch from Microsoft.

Information on this worm including removal instructions can be found at

formatting link
snipped-for-privacy@mm.html

formatting link
Please note - the major anti-virus product manufacturers have updated their definitions to include this worm so please ensure you do a live update and scan your machine regularly. Alternatively you may choose to run a free web-based virus scanner such as
formatting link
Additionally, Windows Updates should of course be downloaded ONLY from the official site

formatting link
good day

Reply to
"Key

Follow up on the 'bounced mail' / 'undeliverable mail' worm/virus going around. Below is a copy of the text of one I got today that appears to have been cleaned before delivery with a message showing such & info from SARC showing that it is actually the same as the w32.swen worm. Watch out for this one..

From SARC info :

NOTE: This threat was previously detected as Worm.Automat.AHB by definitions automatically created by Symantec's Digital Immune System.

Due to an increase in submissions, Symantec Security Response has upgraded W32.Swen.A@mm to Category 3, as of 6:30pm Thursday, September 18, 2003.

W32.Swen.A@mm is a mass-mailing worm that uses its own SMTP engine to spread itself. It attempts to spread through file-sharing networks, such as KaZaA and IRC, and attempts to kill antivirus and personal firewall programs running on a computer.

The worm can arrive as an email attachment. The subject, body, and From: address of the email may vary. Some examples claim to be patches for Microsoft Internet Explorer, or delivery failure notices from qmail.

The text of the e-mail (certified clean by McAfee Anti-Virus)

[TERRA MAIL ANTIVIRUS]

This e-mail was checked by the Terra Mail Antivirus. The following file(s) have been disinfected or deleted:

dtqwuaa.exe was infected with the malicious virus Worm.Automat.AHB and has been deleted because it cannot be disinfected.

Please contact the sender.

[START OF MESSAGE]

--olEE8We7x0am2LW4dj9Ew9vAvKLrixDEXGSLT4Zc60jRZk20bYlsbntHwxuLsC4p
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Received: from ndqbd (200.112.29.143) by genesis.terra.cl (6.5.034) id 3F5A6E120090E900; Sat, 20 Sep 2003 11:25:47 -0400
Date: Sat, 20 Sep 2003 11:25:47 -0400 (added by snipped-for-privacy@ctcinternet.cl)
Message-ID: snipped-for-privacy@genesis.terra.cl> (added by snipped-for-privacy@ctcinternet.cl)
FROM: "Microsoft Inet System" snipped-for-privacy@puremail.com
TO: "Email Receiver" snipped-for-privacy@emaildomain.com
SUBJECT: Undeliverable Mail: User unknown
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="cvdipetyxli"

--cvdipetyxli
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD></HEAD>
<BODY>
<iframe src=3D"cid:cxspecevlmhu" height=3D0 width=3D0></iframe>
<BR>I'm sorry to have to inform you that = I wasn't able to deliver your message = to the following addresses:<BR>
<BR><BR><BR>Undelivered message to <B> snipped-for-privacy@puremail.com</B>
<BR><BR><BR>Message follows:<BR><BR><BR><BR>
</BODY></HTML>

--cvdipetyxli--

--olEE8We7x0am2LW4dj9Ew9vAvKLrixDEXGSLT4Zc60jRZk20bYlsbntHwxuLsC4p--

-SNIP- the rest

Steve
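A mail-gateway check for the Swen-style message described in the first post (fake Microsoft sender, "undeliverable" subject, zero-sized iframe pointing at an attached .exe) and quoted just above. This is an added example, not code from any poster, Trend Micro or Symantec; the sample message, its addresses, Content-ID and MIME boundary are constructed.

```python
import email
import re
from email import policy

# Constructed sample modelled on the W32.Swen.A@mm "undeliverable mail" message
# quoted in the thread; addresses, Content-ID and boundary are placeholders.
SAMPLE_SWEN = b"""\
From: "Microsoft Inet System" <bounce@example.invalid>
Subject: Undeliverable Mail: User unknown
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><iframe src=3D"cid:part1" height=3D0 width=3D0></iframe>
</BODY></HTML>
--outer
Content-Type: application/octet-stream; name="dtqwuaa.exe"
Content-Transfer-Encoding: base64
Content-ID: <part1>
Content-Disposition: attachment; filename="dtqwuaa.exe"

QUFBQQ==
--outer--
"""

# Zero-sized iframe whose src points at a MIME part (cid:) of the same message.
HIDDEN_CID_IFRAME = re.compile(
    r'<iframe[^>]*src="cid:[^"]*"[^>]*(?:height="?0"?|width="?0"?)', re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".bat", ".com")


def swen_indicators(raw: bytes) -> list:
    # Return the Swen-style indicators found in one raw RFC 822 message.
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = str(msg.get("From", "")).lower()
    # Display name claims Microsoft but the address is not at microsoft.com.
    if "microsoft" in sender and not sender.rstrip(">").endswith("@microsoft.com"):
        hits.append("spoofed-microsoft-sender")
    if re.search(r"undeliver", str(msg.get("Subject", "")), re.I):
        hits.append("fake-bounce-subject")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            # get_content() undoes the quoted-printable encoding (=3D -> =).
            if HIDDEN_CID_IFRAME.search(part.get_content()):
                hits.append("hidden-cid-iframe")
        name = part.get_filename()
        if name and name.lower().endswith(EXEC_EXT):
            hits.append("executable-attachment:" + name)
    return hits
```

Any two of these hits together is a strong quarantine signal; the hidden cid: iframe alone is worth flagging because legitimate bounce notices never embed one.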

