W32/Swen@MM

W32/Swen@MM, I-Worm.Swen (AVP), W32/Gibe.e@MM, Win32.HLLM.Gibe.2 (DialogueScience) is a Medium Risk mass-mailing worm for home users. Sometimes posing as a Microsoft Security Update, this worm is intended to spread via the following methods:

  • Mailing itself to recipients extracted from the victim's machine
  • Copying itself over network shares (mapped drives)
  • Sharing itself over the KaZaa P2P network
  • Sending itself via IRC

The worm terminates processes relevant to various security and anti-virus products. Additionally, the worm contains its own SMTP engine to create outgoing messages to harvested email addresses from the victim's machine.

Various outgoing messages are created, with multiple subject lines and attachment names. Some make use of an Internet Explorer vulnerability to ensure the worm attachment is run upon viewing the email; see Microsoft Security Bulletin MS01-020. Messages created to take advantage of this vulnerability are detected as Exploit-MIME.gen.exe with the 4215 DATs or greater (and as Exploit-MIME.gen with earlier DATs).

When the worm is run on the victim's machine, a series of fraudulent message boxes are displayed. The worm installs itself (using a random filename) into %WinDir%, for example: C:\WINDOWS\ZNFUL.EXE.

W32/Swen@MM modifies various registry keys and disables the execution of REGEDIT.EXE on the victim's machine. Additionally, the worm terminates various processes on the victim's machine.

What are the common subject lines, attachment names and message content associated with W32/Swen@MM emails?

Subject:
Returned Response

From:
Email Delivery Service (kmailengine@yahoo.com)

Body:
Undeliverable mail to (email address)
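
The two message traits described above (the fake delivery-failure notice, and an executable attachment declared under a harmless MIME type so that an unpatched Internet Explorer runs it, the MS01-020 pattern) can be checked with a small mail-scanning heuristic. This is an added example, not McAfee's detection logic; the sample messages are constructed, and the list of executable extensions and the `application/*` check are assumptions of the example.

```python
import email
from email import policy

# Constructed sample messages (not real captures). "bounce" mirrors the
# subject/sender/body the page lists; "patch" mimics a fake security update
# whose .exe is declared as audio content (MS01-020 MIME-header pattern).
SAMPLES = {
    "bounce": (
        "From: Email Delivery Service <kmailengine@yahoo.com>\r\n"
        "To: user@example.invalid\r\n"
        "Subject: Returned Response\r\n"
        "Content-Type: text/plain\r\n\r\n"
        "Undeliverable mail to user@example.invalid\r\n"
    ),
    "patch": (
        "From: Security Center <updates@example.invalid>\r\n"
        "Subject: Microsoft Security Update\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/html\r\n\r\n<html>Install now</html>\r\n"
        '--b1\r\nContent-Type: audio/x-wav; name="patch.exe"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="patch.exe"\r\n\r\n'
        "TVqQAAMAAAAEAAAA//8AAA==\r\n--b1--\r\n"
    ),
    "clean": "From: colleague@example.invalid\r\nSubject: lunch\r\n\r\nnoon?\r\n",
}

SWEN_FROM = "kmailengine@yahoo.com"     # sender address given on the page
SWEN_SUBJECT = "returned response"      # subject given on the page
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")  # assumption: common executables


def swen_indicators(raw: str) -> list[str]:
    """Return human-readable indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    sender = str(msg.get("From", "")).lower()
    subject = str(msg.get("Subject", "")).strip().lower()
    if SWEN_FROM in sender and subject == SWEN_SUBJECT:
        hits.append("fake delivery-failure notice")
    for part in msg.walk():
        fname = part.get_filename()
        if not fname or not fname.lower().endswith(EXEC_EXT):
            continue
        ctype = part.get_content_type()
        if not ctype.startswith("application/"):
            hits.append(f"executable {fname} declared as {ctype} (MS01-020 pattern)")
        else:
            hits.append(f"executable attachment {fname}")
    return hits
```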

How do you know if you've been infected?

  • Display of a series of dialog boxes
  • Unexpected termination of various security and anti-virus products
  • Inability to run RegEdit on the victim's machine

How do you clean your system if it’s already infected?

Ensure that your virus definition DAT files are current. Detection is included in the Daily DAT files (beta). W32/Swen@MM disables the execution of REGEDIT.EXE. The UNDO.REG tool will reverse the changes made by the virus and allow the user to execute REGEDIT.EXE as normal.

Additional Windows ME/XP removal considerations

How do you prevent future attacks?

Update your anti-virus software. Always ensure your virus definition DAT files are current. If you do not own anti-virus software, order McAfee VirusScan here.

Looking for more information about the worm?

For a more detailed description of Swen and its characteristics, visit the Virus Profile page.