Swen prevention and cure
Published: 19 Sep 2003 12:45 BST
Yet another Internet virus pretending to be a patch from Microsoft is spreading quickly on the Internet. Swen (w32.swen@mm, also known as Gibe) uses the subject line to entice Windows users to open the attachment. In some cases, the virus will execute automatically. The virus attempts to kill all antivirus and personal firewall apps running on the infected machine. Swen can also travel using Kazaa, IRC, and shared network paths. Because Swen spreads via email, IRC, P2P, and shared network files and shows signs of spreading rapidly, this virus rates a 6 on the ZDNet Virus Meter.
How it works
One of the ways Swen spreads is to arrive as an email message containing some references to Microsoft or to a new critical patch for Internet Explorer or as a returned email.
To spread via shared network files, Swen leaves copies of itself in the start-up folders found on individual Windows computers connected to the network.
For IRC users, Swen adds a script.ini file to the mIRC program folder. It then spreads to other IRC users.
To infect other P2P users, Swen adds a copy of itself to the shared file directory using a random but intriguing name.
Once the virus is active, it will attempt to shut down working antivirus and personal firewall applications. Swen will appear to download and install a patch directly from Microsoft; in reality, the virus is changing system Registry files on the infected machine. Changes include, for example, the ability to run the virus every time the computer is rebooted.
Prevention
Windows users who have not installed the Internet Explorer patch MS01-020 for the incorrect MIME header flaw should do so now to prevent automatic infection from Swen. In general, do not open attached files in email without first saving them to the hard disk and scanning them with updated antivirus software. Please note that Microsoft does not email security patches to its users. Contact your antivirus vendor to obtain the latest antivirus signature files that include Swen.
Removal
Most antivirus software companies have updated their signature files to include this virus. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, and Trend Micro.
Did you find this article useful?
89 out of 135 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
Full Talkback thread
13 comments
-
Everything clear except instructions for installin... Derrie Frost -
Hi.
I have reason to believe I'm not infected with... Lana Boter
-
Hi,
I never open attachments when i don't know who... Marchel K.
-
I got the swen virus on September 18 and immediate... Walter Gust
-
Why is it, when detailing virus prevention and rem... Mike Farley
-
As a layman(an old one)I don't understand how Swen... Wilhelm Arcona
-
What do you do if Swen has done such a great job o... Anonymous
-
My machine had the swen virus. I found that each t... Rob Marshall
-
Hi Lana, I am also recieving lots of spam mail con... Celestine
-
Where does Swen get it's email addresses from? Wh... Anonymous
-
I have it also but no matter what I try from all t... Lynda Cohen@wi.rr.com
-
Lana I have the same Swen virus and I have tried a... Lynda Cohen@wi.rr.com
-
Hi, I have Swen too.
First of all I recomend t... Anonymous
