ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Prices
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


IT Jobs

Security threats Toolkit

Swen worm tops virus charts

Matthew Broersma ZDNet.co.uk

Published: 19 Sep 2003 15:55 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Security experts have said that the Swen mass-mailing Windows worm appears to be spreading quickly, moving to the top of the virus charts a day after it first appeared -- and even maintaining its own counter that supposedly monitors how many PCs have been infected.

For information on how to combat the worm, click here.

Antivirus companies warned on Thursday that the worm, variously known as I-Worm.Swen, W32/Swen.A@mm or W32/Gibe@MM.e, had the potential to spread quickly because it is well-disguised as a security update from Microsoft. It takes advantage of a two-year-old Internet Explorer flaw that allows it to execute directly from an email message without the help of the user.

On Friday, email provider Messagelabs said its email servers had stopped more copies of Swen than any other worm, including Klez.H, the previous top threat. The largest proportion of the 35,450 copies of Swen stopped by Messagelabs originated from the US, followed by the UK.

The first time the worm executes on a system, it contacts a Web address and updates a counter that supposedly indicates how many machines are infected -- although antivirus vendors doubt that the figure is correct. As of Thursday, the counter already listed more than 500,000 infected PCs.

Antivirus vendors upgraded their assessment of Swen's threat on Friday, due to the increase in infections. Symantec, for example, shifted Swen up to a category 3 virus.

Windows users are still reeling from a series of damaging virus attacks that have caused chaos in recent weeks, partly due to the large number of Internet-connected PCs that have not patched known vulnerabilities. Swen in part relies on a flaw Microsoft first disclosed in a 2001 security bulletin, although it can also be spread by duping users into executing its attachment.

The worm affects Windows 95, Windows NT, and all newer versions, and spreads via email and through IRC, Kazaa and local area networks. It attempts to disable firewall and antivirus software.

One of the emails that Swen uses to spread is a professional-looking message that appears to come from "MS Technical Assistance", and contains a notification of a "September 2003, Cumulative Patch", along with the virus attachment. Microsoft does not spread updates via email.

When executed, the worm continues to pose as a security update, launching a message windows that states: "This will install Microsoft Security Update. Do you wish to continue?" If the user clicks "Yes", the worm shows a fake installation dialogue box, but also installs invisibly if the "No" button is pressed.

Swen installs various files to ensure that it is launched every time the system boots up. It also disables the user's ability to edit the Registry.

Users are advised not to launch attachments without first scanning them with antivirus software. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, and Trend Micro.

  • Email
  • Trackback
  • Clip Link
  • Print friendly Print with HP

Did you find this article useful?
52 out of 101 people found this useful


Talkback

Post a comment


Full Talkback thread

16 comments

  1. how do I remove the virus? Al Nizzardini
  2. I normally receive 20 or so e-mails a day. Today I... Paul Yearwood
  3. Try this link for a great utility for getting rid... Steve
  4. Regharding the worm Swen A,I have also been reciev... carol lenton
  5. One of our email addresses is getting swamped with... Betsy
  6. How do I remove the worm. I downloaded the file, b... Lee Wood
  7. That one was a close call! I regluarly patch my sy... Anonymous
  8. Not only do I get the original messages, NAV for M... Loren Meck
  9. Carol wrote: Just so glad I had updated my AVG a f... stewart
  10. Whats wrong with today's socity? Now days you c... Michelle Hernandez
  11. While I have no problem with the worm or virus inf... Gio Bacareza
  12. hi can any one tell me how to remove this virus, i... wendy cook
  13. I installed PC-CILLIN too late, now it tells me it... Mike Liddell
  14. Swen alters the file associations. Go to www.tech... Anonymous
  15. Some providers (like Belgian Telenet and Skynet) o... Louis De Bevere
  16. Has anyone said just how to get ALL these e-mails... Holly Randall

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:







Related Jobs

Websphere Message Broker Consultant

My client, a financial insitution requires a Websphere Message Broker consultant to join their programme. Ideal candidates will have excellent ...

Java & C++ Developer - Spreadbetting - 50-60K+ Finance

JAVA/C++ developers Excellent Java developer who has strong C++ experience required to join a leading financial spread betting company that has ...

WebSphere Architect Contract Vacancy - East Midlands

WebSphere/MQ/Message Broker/Java. They are looking for someone with a good background specifically in WebSphere MQ Series and Message Broker for a ...

Featured Oracle Resources

businessfirst: Ideas to help small companies retain their successful entrepreneurial spirit

Oracle ONE Magazine: Technology solutions for midsized businesses February 2008 edition

Choosing a Reliable and Powerful IT Infrastructure at a Price You Can Afford

Database Consolidation: Reducing Cost and Complexity

Ensuring Data Protection for Growing Business

Oracle for medium and emerging businesses: protect, strengthen and enhance your organisation

Oracle partner network solutions catalogue

See All White Papers

Sentry Posts Blog

Mobile Linux Better For Mobile Busines...

Mobile Linux Better For Mobile Business Apps? Author: Eric Everson, MyMobiSafe.com As mobile Linux is carving it’s footprint on the future of mobile application development, the... More

Post a comment

DWP downplays security breach

The Department for Work and Pensions (DWP) has admitted that some of its staff have been forwarding passwords with password protected material. An email that was leaked on the 'Dizzy... More

Post a comment

How many headshots does one chairperso...

We got a strange request last week from the head of PR from Russian security experts Kaspersky. It seems although the company was very happy with the interview we recently carried with... More

Post a comment

Featured Talkback

On the contrary, if vendors were forced to stand behind their products it should increase innovation. It would force more, and better , testing before hitting the sales floor, resulting in fewer updates and less downtime for the consumer. At present the EULA removes responsibility from the vendor, and moves it to the user, which is a step backward. Make the vendor responsibility for their code.

By: ator1940

Read full story:
RSA: Vendor liability may stifle innovation