My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Swen.A@mm

HIGH
LOW
106..496 bytes, compiled with Microsoft Visual C++ 6.0
(W32/Gibe@mm)

Symptoms

- The user cannot run the registry editor
- Presence of files germs0.dbv and germs1.dbv in the Windows directory
- The registry keys [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] and [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System] are altered
- A file with 106.496 bytes in size, of a random name, in the Windows directory.

Removal instructions:

The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus.

Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally you'll have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender Antisven-en.exe tool does the following:
  • it detects all the known Swen versions;

  • it deletes the files infected with Swen;

  • it kills the process from memory;

  • it repairs the Windows registry.


  • You may also need to restore the affected files.

    To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables.

    Analyzed By

    Mihai Chiriac BitDefender Virus Researcher

    Technical Description:

    Win32.Swen.A@mm is an internet worm, which spreads mainly via e-mail, but also via Kazaa, Mirc. The worm usually comes as an e-mail. The subject and the body of the e-mail may vary, but the attachment is always 106.496 bytes long.

    The worm may become active by running the infected attachment of an e-mail, or by running an infected file from the Mirc download folder, Kazaa, etc)

    When arriving in an email message, the worm disguises as a Microsoft patch. The email messages are quite realistic and may fool some users to open the infected attachement.



    Once ran, the worm checks if it’s already running; it does that by checking several registry keys; if the worm is already installed and running, it displays the following message box:



    The worm alters several registry keys:
    [HKCR\scrfile\shell\open\command] – this key will allow the worm to get executed when the user attempts to open a SCR (screen saver file)

    [HKCR\exefile\shell\open\command] – this key will allow the worm to get executed when the user attempts to open an EXE (executable file)
    [HKCR\batfile\shell\open\command] – this key will allow the worm to get executed when the user attempts to open a BAT (MS-DOS batch file)

    [HKCR\piffile\shell\open\command] – this key will allow the worm to get executed when the user attempts to open a PIF file.

    [HKCR\comfile\shell\open\command] – this key will allow the worm to get executed when the user attempts to open a COM file.

    [HKCR\regfile\shell\open\command] – this key will allow the worm to get executed when the user attempts to open a registry file.

    Also, the worm modifies the registry key [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System] and adds the value of 1 (true) to the key “DisableRegistryTools”.

    When the worm is active in memory, it periodically scans the windows registered in the system. If a window contains one of the strings below, it will receive a “PostQuitMessage”.

    "_avp", "ackwin32", "anti-trojan", "aplica32", "apvxdwin", "autodown", "avconsol", "ave32", "avgcc32", "avgctrl", "avgw", "avkserv", "avnt", "avp", "avsched32", "avwin95"
    "avwupd32", "blackd", "blackice", "bootwarn", "ccapp", "ccshtdwn", "cfiadmin", "cfiaudit", "cfind", "cfinet", "claw95", "dv95", "ecengine", "efinet32",
    "esafe", "espwatch", "f-agnt95", "findviru", "fprot", "f-prot", "fprot95", "f-prot95"
    "fp-win", "frw", "f-stopw", "gibe", "iamapp", "iamserv", "ibmasn", "ibmavsp"
    "icload95", "icloadnt", "icmon", "icmoon", "icssuppnt", "icsupp"
    "iface", "iomon98", "jedi", "kpfw32", "lockdown2000", "lookout", "luall", "moolive"
    "mpftray", "msconfig", "nai_vs_stat", "navapw32", "navlu32", "navnt", "navsched"
    "navw", "nisum", "nmain", "normist", "nupdate", "nupgrade", "nvc95", "outpost", "padmin", "pavcl", "pavsched", "pavw" , "pcciomon", "pccmain", "pccwin98", "pcfwallicon", "persfw", "pop3trap", "pview", "rav", "regedit", "rescue", "safeweb"
    "serv95", "sphinx", "sweep", "tca", "tds2", "vcleaner", "vcontrol", "vet32", "vet95"
    "vet98", "vettray", "vscan", "vsecomr", "vshwin32", "vsstat", "webtrap", "wfindv32"
    "zapro", "zonealarm".

    If the worm is debugged (analysed), it displays the following message:



    The worm gathers e-mail addresses from the infected user’s address book and uses its own SMTP engine to spread; Also the worm searches for email addresses in .EML, .WAB, .DBX, .MBX, .ASP, .HT* files.

    The email message looks like the following:

    FROM: "MS Corporation Security Division"
    TO: "Commercial Partner"
    SUBJECT: New Internet Critical Upgrade

    Body:
    Microsoft Partner

    this is the latest version of security update, the
    "September 2003, Cumulative Patch" update which eliminates
    all known security vulnerabilities affecting
    MS Internet Explorer, MS Outlook and MS Outlook Express.
    Install now to help protect your computer
    from these vulnerabilities, the most serious of which could
    allow an attacker to run executable on your computer.
    This update includes the functionality =
    of all previously released patches.

    System requirements: Windows 95/98/Me/2000/NT/XP
    This update applies to:
    - MS Internet Explorer, version 4.01 and later
    - MS Outlook, version 8.00 and later
    - MS Outlook Express, version 4.01 and later

    Recommendation: Customers should install the patch =
    at the earliest opportunity.
    How to install: Run attached file. Choose Yes on displayed dialog box.
    How to use: You don't need to do anything after installing this item.


    Microsoft Product Support Services and Knowledge Base articles =
    can be found on the Microsoft Technical Support web site.
    http://support.microsoft.com/

    For security-related information about Microsoft products, please =
    visit the Microsoft Security Advisor web site
    http://www.microsoft.com/security/

    Thank you for using Microsoft products.

    Please do not reply to this message.
    It was sent from an unmonitored e-mail address and we are unable =
    to respond to any replies.

    ----------------------------------------------
    The names of the actual companies and products mentioned =
    herein are the trademarks of their respective owners.
    Copyright 2003 Microsoft Corporation.
    The worm counts the number of infected computers; probably the virus writer needed hits
    on its website; It used the http://ww2.fce.vutbr.cz/bin/counter.gif/link=bacillus hit count system.

    When the user clicks the infected attachement, the worm takes control and installs itself into the system. Then, it fakes an error in the Windows Messaging API (MAPI) and asks the user to enter confidential informations like password, account, SMTP server, etc.



    KaZaa spreading: the worm also gets the shared KaZaa directory and copies itself there with the following names:

    'Virus Generator', 'Magic Mushrooms Growing', 'Cooking with Cannabis', 'Hallucinogenic Screensaver', 'My naked sister', 'XXX Pictures', 'Sick Joke', 'XXX Video', 'XP update', 'Emulator PS2', 'XboX Emulator', 'Sex', 'HardPorn', 'Jenna Jameson', '10.000 Serials', 'Hotmail hacker', 'Yahoo hacker', 'AOL hacker'.
    It also disguises itself as removal tools for various worms like Klez, Sircam, etc.

    The worm also uses NEWS servers; the list is stored as a resource, packed with MS-Compress inside the virus resource section. The worm attempts to post itself to a random News server (chosen from a list of 350 news servers).