Security threats Toolkit

'Swen' worm poses as security patch

Tags:
Viruses,
Worm,
Swen

Matthew Broersma ZDNet.co.uk

Published: 18 Sep 2003 17:50 BST

Antivirus companies are warning of a new Windows worm that has the potential to spread quickly because it appears to be a legitimate security update from Microsoft.

For information on how to combat the worm, click here.

The Swen worm, known technically as I-Worm.Swen, W32/Swen.A@mm or W32/Gibe@MM.e, affects Windows 95, Windows NT and all newer versions, and spreads via email and through IRC, Kazaa and local area networks. It uses a vulnerability in Internet Explorer to execute directly from an email message, according to F-Secure. It also attempts to disable firewall and antivirus software. The worm first appeared in the wild on Thursday.

Windows users are still reeling from a series of damaging virus attacks that have caused chaos in recent weeks, partly due to the large number of Internet-connected PCs that have not patched known vulnerabilities.

One of the emails Swen uses to spread is a professional-looking message that appears to come from "MS Technical Assistance", and contains a notification of a "September 2003, Cumulative Patch", along with the virus attachment. Microsoft does not spread updates via email.

When executed, the worm continues to pose as a security update, launching a message windows that states: "This will install Microsoft Security Update. Do you wish to continue?" If the user clicks "Yes" the worm shows a fake installation dialogue box, but also installs invisibly if the "No" button is pressed.

Swen installs various files to ensure that it is launched every time the system boots up. It also disables the user's ability to edit the Registry.

Users are advised not to launch attachments. Symantec, F-Secure, Sophos, Network Associates and others have updated the definitions in their anti-virus software to prevent Swen infections.