  John2g Qui Tacet Consentit Premium join:2001-08-10 England
W32.Swen.A@mm
Category 2 by Symantec.
W32.Swen.A@mm is a mass-mailing worm that attempts to spread through file-sharing networks, such as KaZaA, and IRC, and will attempt to kill antivirus and personal firewall software running on the computer.
The worm will also attempt to send itself out to addresses found in the Microsoft Outlook address book. The email in which W32.Swen.A@mm arrives can vary. Some examples include emails that claim to be patches for Microsoft Internet Explorer, or delivery failure notices from qmail.
Also Known As: Swen [F-Secure], W32/Gibe@MM.e [McAfee]
Infection Length: 106496
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Microsoft IIS, OS/2, UNIX, Windows 3.x
Protection:
IU: Sept 18 LU: Sept 24
Full write up here: »securityresponse.symantec.com/av···@mm.html
-- Better to remain silent and be thought a fool, than to speak and remove all doubt.
Schouw Premium join:2003-05-29 Netherlands
Check the screenies on McAfee's site.. Highly realistic 'ms patch' imo.. The authors are finally learning, this one has potential..
kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
If it only uses the Outlook address book then it's not likely to become a major threat.
Also with the wording of the writeup... "attempt to" this, "attempt to" that, it makes me wonder if the thing even works at all.
KJP
 Schouw Premium join:2003-05-29 Netherlands
said by kpatz : If it only uses the Outlook address book then it's not likely to become a major threat.
Also with the wording of the writeup... "attempt to" this, "attempt to" that, it makes me wonder if the thing even works at all.
KJP
A whole bunch of people already reporting this on a Dutch forum..
So at least the spreading routine works..
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
reply to John2g Yep, this one is spreading fast...there are more details now from Symantec in their write-up in the link that John2g listed in his original post. -- It takes a disaster to make a woman out of a female Gladiator Security Forum
 Schouw Premium join:2003-05-29 Netherlands
reply to John2g So why isn't Symantec issuing a LU for this? It seems that almost every AV updated for it, especially the big companies, why not Symantec?
This is not to flame Symantec, but there are enough reports about this, and still nothing..
At least with KAV (McAfee too I believe) you get an update in less than an hour when two or more reports come in..
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
Still Only Category-2 Hurricane
said by Schouw : So why isn't Symantec issuing a LU for this?
Search and Expanded Threats Page
It's still only Cat-2, has to reach Cat-3 to warrant an emergency LU. -- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)
 Schouw Premium join:2003-05-29 Netherlands
But why? It's spreading pretty fast over here.. Especially with the realism this one has..
I think they should have the same policy as KAV, it's a big company, they should be able to handle it.
Or are we talking more money, less service..
PS: This is not to flame Symantec, but as the Vendor with the biggest market share they have a responsibility if you ask me..
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
I don't consider your comments a "flame", not even close .. and I'm sure Symantec feels a responsibility toward their customers, and toward the user community at large .. LOL. -- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)
  John2g Qui Tacet Consentit Premium join:2001-08-10 England
reply to John2g It is included in today's IU:
W32.HLLW.Torvel@mm File infector 09/18/03
W32.Opaserv.AD.Worm File infector 09/18/03
W32.Swen.A@mm File infector 09/18/03
Worm.Automat.AHB File infector 09/18/03
-- Better to remain silent and be thought a fool, than to speak and remove all doubt.
Schouw Premium join:2003-05-29 Netherlands
reply to John2g I know it's covered with today's IU, but 9 out of 10 NAV users don't use it.
Back to the good old days, when LU was a daily thing..
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
said by Schouw : I know it's covered with today's IU, but 9 out of 10 NAV users don't use it. Back to the good old days, when LU was a daily thing..
LowWaterMark , dp , and I were just discussing the same thing in yesterday's updates thread. {I know CJ, it was YOUR thread and we were totally OT, but what the heck!} -- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13) [text was edited by author 2003-09-18 16:38:36]
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
F-Secure write-up / McAfee write-up
According to F-Secure, Swen harvests email addresses from HTML, ASP, EML, DBX, WAB, and MBX files. This probably explains its fast spread (earlier I predicted otherwise, due to Symantec claiming it [only] used the "Outlook address book"). That and the authentic-looking MS Patch advisory email fooling people.
I'll bet Symantec will raise Swen to category 3 before the end of the day.
KJP
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
reply to John2g I have to agree with Schouw on this point. Because this worm appears to be an AV & firewall killer as well, not to mention the fast spread of this worm, I can't understand why Symantec is the only one holding off issuing a live update, but perhaps they will sometime change that policy.
Meanwhile this is what KAV is reporting on the status of Swen:
»www.kasperskylabs.com/news.html?id=1029166
quote: Beware! New Epidemic - "I-Worm.Swen" [09/18/2003]
Kaspersky Labs, a leading information security expert, announces the detection of the network worm, I-Worm.Swen. This malicious program spreads via email, the Kazaa file sharing network and IRC channels.
Infected messages appear to have been sent from various Microsoft services, including, MS Technical Assistance, Microsoft Internet Security Section, etc. Message text advises users to install a "special patch" from Microsoft. The "patch" is included as an attachment.
Swen uses the same vulnerability in Internet Explorer detected in March 2001 that was used by many other well-known worms, such as Klez. Thus, once Swen breaks into an undefended machine it executes itself independently of the owner.
The new malware program is written in Microsoft Visual C++ and is about 107 KB. The worm is activated in two cases: if the infected file is executed or when the email program contains the IFrame.FileDownload vulnerability. The worm then installs itself into the system and initiates propagation procedures.
When the attachment is opened the first time, a window appears on the screen named Microsoft Internet Update Pack and imitates the installation of a patch. At the same time, the malicious code blocks all firewalls and anti-virus software. Then Swen scans the file system of the infected computer and extracts all email addresses, using them to mail itself to all available addresses via a direct connection to an SMTP server. The infected letters are in HTML and include an attachment containing Swen. In some cases, the worm can send copies of itself in .zip or .rar form.
Swen propagates via the Kazaa file-sharing network by copying itself under random names in the file exchange directory of Kazaa Lite. It also creates a subdirectory in the Windows Temp folder with a random name, making several copies of itself with random names as well. This directory is then identified in the Windows system registry as the source for the file sharing system and, as a result, the new files created by Swen become available to other Kazaa network users.
Finally, for spreading via IRC, the worm scans for installed mIRC clients. If these are detected then Swen modifies the script.ini file by adding its propagation procedures. Whereupon the script.ini file sends infected files from the Windows directory to all users that connect to the now-infected IRC channel.
Kaspersky Labs experts currently attribute over 30,000 computer infections worldwide to I-Worm.Swen. The number of infections continues to rise.
The defence against I-Worm.Swen has already been added to the Kaspersky® Labs anti-virus database.
Click here to view the I-Worm.Swen description in the Kaspersky Virus Encyclopedia
-- It takes a disaster to make a woman out of a female Gladiator Security Forum
[text was edited by author 2003-09-18 17:30:17]
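A defender-side triage check for the lure the Symantec summary at the top of the thread and the Kaspersky text quoted above both describe: a message posing as a Microsoft patch advisory or a qmail delivery failure, carrying an executable or a .zip/.rar attachment, sometimes with an auto-opening iframe in its HTML body. This is an added example, not code from the thread or from Symantec, Kaspersky or any vendor; the keyword lists, the sample message and the example.invalid addresses are constructed assumptions.

```python
import os
import re
from email import message_from_bytes, policy

# Attachment types the write-ups say Swen arrives as: the fake "patch" executable,
# sometimes wrapped in .zip or .rar (assumed list, extend for your own mail flow).
SUSPECT_EXT = {".exe", ".zip", ".rar"}
# Lure wording named in the thread: Microsoft patch advisories and qmail bounce notices.
LURE_WORDS = re.compile(r"\b(patch|update pack|security update|delivery failure)\b", re.I)
VENDOR_SENDER = re.compile(r"microsoft|\bms\b", re.I)

def triage(raw: bytes) -> list[str]:
    """Return the reasons a message looks like a Swen-style lure (empty list = none found)."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender, subject = msg.get("From", ""), msg.get("Subject", "")
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    suspect = [n for n in names if os.path.splitext(n.lower())[1] in SUSPECT_EXT]
    html = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_type() == "text/html")
    reasons = []
    if suspect and VENDOR_SENDER.search(sender):
        reasons.append(f"sender poses as the vendor and attaches {suspect}")
    if suspect and LURE_WORDS.search(subject + " " + html):
        reasons.append("patch/bounce wording with an executable or archive attachment")
    if "<iframe" in html.lower():
        reasons.append("HTML body embeds an iframe (the auto-open vector the quote mentions)")
    return reasons

# Constructed sample (not a real capture) modelled on the lure described above.
FAKE_PATCH = b"""\
From: "MS Technical Assistance" <advisor@example.invalid>
Subject: Microsoft Internet Update Pack
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>Install this special patch from Microsoft.</body></html>
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""

if __name__ == "__main__":
    print(triage(FAKE_PATCH))  # two reasons: vendor sender, patch wording with .exe
```

A plain message with no attachment returns an empty list, so the check can sit in front of a mail gateway or a mailbox export without flagging ordinary vendor newsletters.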
  MattUK Premium join:2003-03-23 UK
reply to John2g Just received one if anyone wants a copy. Quite real looking, but obviously I'm not one to fall for something like that!
It's going to be a biggun I can feel it, after the public being hyped about blaster by the media etc.. this will be so inviting for the end-users who are security-illiterate...
"Oh, I don't want what happened last time to happen again. I must install this patch M$ have kindly sent me" -- »forum.gladiator-antivirus.com /// Gladiator Security Forum Moderator
  Sparrow Crystal Sky Premium join:2002-12-03 Sachakhand
reply to John2g I ran IU and Beta this morning, but I just received a LU from Symantec as well. Anybody else? 20030918.005 20030918.007 20030918.022 -- oO^..^Oo
[text was edited by author 2003-09-18 18:24:15]
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
said by Sparrow : I ran IU and Beta this morning, but I just received a LU from Symantec as well. Anybody else?
nothing so far -- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)
kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
I got the 9/17 LU, but then I downloaded and installed the 9/18 IU, so I'm all up to date. My F-prot and KAV are up to date too.
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
reply to John2g BitDefender has posted a Removal Tool for this worm, if anyone knows someone who needs one
»www.bitdefender.com/html/virusin···v_id=158 -- It takes a disaster to make a woman out of a female Gladiator Security Forum
gkweb join:2003-06-09 76800
reply to John2g it's amazing. I received it twice or more today, even with up to date NAV2004 it didn't detect anything. I was sure it was a virus because it was a "patch from M$ by mail" lol So I sent it to Symantec and in the afternoon I received the virus name and the link where I could find an updater to make NAV detect it.
Then I go there, and there is an existing thread
Just want to say I'm happy with Symantec support