- No Swan Songs - WORM_SWEN.A (Low Risk)
WORM_SWEN.A is a non-destructive, mass-mailing worm that poses as a legitimate email from Microsoft Windows Update. In addition to its mass-mailing routine, it attempts to propagate via peer-to-peer (P2P) file-sharing networks (such as Kazaa), via IRC, and via newsgroups. WORM_SWEN.A also terminates antivirus and firewall software running on an infected system. This malware runs on Windows 95, 98, NT, ME, 2000, and XP.
Upon execution, the worm displays a fake error message box to disguise itself as a MAPI32 Execution Error. This requires users to input details of their email account, such as:
  email address
  username
  password
  SMTP server
  POP3 server
The worm then searches for the Windows directory and drops a copy of itself with a random file name in the %Windows% folder. It also creates a registry entry that allows it to run at every Windows startup. The executed malware then transfers execution to the dropped copy of the worm, and terminates.
The following files are also dropped by the worm in the Windows directory:
  <computer name>.bat
  <random name>.<random extension>
  germs0.dbv
  germs1.dbv
  swen1.dat
This worm uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate via email. It obtains its target email addresses from .EML, .WAB, .DBX, and .MBX files in all directories of the infected system. When sending the email message, it connects to the default SMTP server of the infected machine.
Following are the characteristics of the infected email:
From: ms inet mail storage service [ snipped-for-privacy@freemail.com]
To: network receiver
Subject: <none>
Message Body: Hi. Undeliverable message to <user>@freemail.com
Attachment: <random name>.exe
Using its own SMTP engine, the malware also connects to any of several Network News Transfer Protocol (NNTP) servers where it searches for its target contacts.
The worm also attempts to drop copies of itself in a shared folder over peer-to-peer (P2P) file-sharing networks, with file names that use a combination of strings hard-coded in its body. It modifies registry entries to allow copies of itself to be shared in the Kazaa network.
WORM_SWEN.A attempts to propagate via the mIRC application as well. It first searches for the mIRC installation directory and looks for the SCRIPT.INI file. If the worm finds this file, it overwrites it with its own version of SCRIPT.INI. If the file does not exist, it creates SCRIPT.INI in the mIRC folder. The worm also attempts to drop copies of itself in all mapped Startup folders on network drives.
The worm terminates antivirus and firewall software that is running on an infected system.
If you would like to scan your computer for WORM_SWEN.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at:
- 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US (week of: September 8, 2003 to September 14, 2003)
  WORM_SPYBOT.GEN
  WORM_MSBLAST.D
  JAVA_BYTVERIFY.A
  WORM_MIMAIL.A
  WORM_SOBIG.F
  PE_NIMDA.E
  BKDR_COREFLOOD.A
  WORM_KLEZ.H
  PE_PARITE.B
  ADW_TENGET.A
--Shiva--
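
The dropped-file names in the WORM_SWEN.A description above can be checked on a host directly. The following Python script is an added example, not part of the Trend Micro advisory or of the original post; the function names and the strong/weak grading are assumptions of the example, and the randomly named copy of the worm is not covered because it has no fixed name.

```python
import os
import socket
import sys

# File names the advisory lists as dropped in the Windows directory.
# The randomly named copy of the worm cannot be matched by name and is skipped.
FIXED_NAMES = {"germs0.dbv", "germs1.dbv", "swen1.dat"}


def find_swen_artifacts(windows_dir, computer_name):
    """Return the files in windows_dir whose names match the advisory's list."""
    # Windows file names are case-insensitive, so compare in lower case.
    wanted = FIXED_NAMES | {computer_name.lower() + ".bat"}
    hits = []
    for entry in os.listdir(windows_dir):
        full = os.path.join(windows_dir, entry)
        if entry.lower() in wanted and os.path.isfile(full):
            hits.append(entry)
    return sorted(hits, key=str.lower)


def grade(hits):
    """Grade the findings (this grading is an assumption of the example).

    A .bat file named after the computer can exist for unrelated reasons,
    so on its own it is graded 'weak'; any fixed name is graded 'strong'.
    """
    if not hits:
        return "none"
    if any(name.lower() in FIXED_NAMES for name in hits):
        return "strong"
    return "weak"


if __name__ == "__main__":
    # Defaults: %WINDIR% and %COMPUTERNAME%; both can be given as arguments.
    win_dir = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("WINDIR", r"C:\Windows")
    host = sys.argv[2] if len(sys.argv) > 2 else os.environ.get("COMPUTERNAME", socket.gethostname())
    if os.path.isdir(win_dir):
        found = find_swen_artifacts(win_dir, host)
        print(f"{win_dir}: {grade(found)} match for WORM_SWEN.A dropped files")
        for name in found:
            print("  " + name)
    else:
        print(f"{win_dir} is not a directory; pass the Windows directory as argument 1")
```

A 'none' result does not clear a machine, since the worm's own copy and its registry entry use random names that this check cannot see.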