ZDNet UK

CNET NETWORKS UK BUSINESS SITES:
atlarge.com
BNET UK
silicon.com
SmartPlanet.com
ZDNet.co.uk

ZDNet.co.uk - Winner of Best Business Website 2007

You are here: ZDNet.co.uk > News > Security

Security management Toolkit

Swen prevention and cure

Robert Vamosi ZDNet.com

Published: 19 Sep 2003 12:45 BST

Yet another Internet virus pretending to be a patch from Microsoft is spreading quickly on the Internet. Swen (w32.swen@mm, also known as Gibe) uses the subject line to entice Windows users to open the attachment. In some cases, the virus will execute automatically. The virus attempts to kill all antivirus and personal firewall apps running on the infected machine. Swen can also travel using Kazaa, IRC, and shared network paths. Because Swen spreads via email, IRC, P2P, and shared network files and shows signs of spreading rapidly, this virus rates a 6 on the ZDNet Virus Meter.

How it works
One of the ways Swen spreads is to arrive as an email message containing some references to Microsoft or to a new critical patch for Internet Explorer or as a returned email.

To spread via shared network files, Swen leaves copies of itself in the start-up folders found on individual Windows computers connected to the network.

For IRC users, Swen adds a script.ini file to the mIRC program folder. It then spreads to other IRC users.

To infect other P2P users, Swen adds a copy of itself to the shared file directory using a random but intriguing name.

Once the virus is active, it will attempt to shut down working antivirus and personal firewall applications. Swen will appear to download and install a patch directly from Microsoft; in reality, the virus is changing system Registry files on the infected machine. Changes include, for example, the ability to run the virus every time the computer is rebooted.

Prevention
Windows users who have not installed the Internet Explorer patch MS01-020 for the incorrect MIME header flaw should do so now to prevent automatic infection from Swen. In general, do not open attached files in email without first saving them to the hard disk and scanning them with updated antivirus software. Please note that Microsoft does not email security patches to its users. Contact your antivirus vendor to obtain the latest antivirus signature files that include Swen.

Removal
Most antivirus software companies have updated their signature files to include this virus. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, and Trend Micro.

Did you find this article useful?
89 out of 135 people found this useful

Post a comment

Full Talkback thread

13 comments

Everything clear except instructions for installin... Derrie Frost
Hi. I have reason to believe I'm not infected with... Lana Boter
Hi, I never open attachments when i don't know who... Marchel K.
I got the swen virus on September 18 and immediate... Walter Gust
Why is it, when detailing virus prevention and rem... Mike Farley
As a layman(an old one)I don't understand how Swen... Wilhelm Arcona
What do you do if Swen has done such a great job o... Anonymous
My machine had the swen virus. I found that each t... Rob Marshall
Hi Lana, I am also recieving lots of spam mail con... Celestine
Where does Swen get it's email addresses from? Wh... Anonymous
I have it also but no matter what I try from all t... Lynda Cohen@wi.rr.com
Lana I have the same Swen virus and I have tried a... Lynda Cohen@wi.rr.com
Hi, I have Swen too. First of all I recomend t... Anonymous

More In Security management

Company/Topic Alerts

Create a new alert from the list below:

Featured Talkback

It seems to me this is a burden being placed on the wrong shoulders. There is not an It system in the world that can stop an individual taking information in their heads and spewing out at the nearest undesirable third party.