
SWEN WORM IS SPREADING RAPIDLY

Virus name: W32.Swen.A@mm
Alias: Swen, W32/Gibe.E-mm, I-Worm.Swen, W32/Gibe-F, WORM_SWEN.A
Virus type: Internet worm
Threat level: Medium

Virus details:
Swen, also known as Gibe.F, is an Internet worm that spreads using e-mail, KaZaA, IRC and network shares. The Swen worm sends fake e-mail messages posing as an update from Microsoft. It is very similar to the Gibe worm and uses its own SMTP engine to send infected mail. The infected e-mail attachment and the e-mail subject are chosen from a list carried in the worm. The message body is shown below.


When executed, the Swen worm copies itself under a random name into the Windows folder and drops the files swen1.dat and germs0.dbv on the infected system. It displays the following messages and installs itself in the background. If the user clicks the "No" button, the worm installs without displaying the message box.



Swen modifies several registry keys so that it loads automatically. The registry modification is given below.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"<random characters>" = "<random file name> autorun"
The worm also modifies the default keys for EXE, COM, REG, BAT, PIF and SCR files in the registry.
HKEY_CLASSES_ROOT\batfile\shell\open\command
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_CLASSES_ROOT\regfile\shell\open\command
HKEY_CLASSES_ROOT\scrfile\shell\config\command
HKEY_CLASSES_ROOT\scrfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\config\command
HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command
The Swen worm collects e-mail addresses stored on the local system and uses them to send infected messages. It disables the registry tool REGEDIT.EXE and the antivirus programs installed on the infected system. The worm periodically displays the following fake error message box.

The Swen worm copies itself to the Startup folder of shared network drives, so the infected files are executed automatically on the next startup. It also searches for the mIRC folder and drops script.ini there to infect other users in the IRC channel. For KaZaA, it creates a random folder in the Windows Temp directory and modifies the registry to share the infected folder.

The Swen worm also uses the two-year-old IFRAME vulnerability when infecting via e-mail. Microsoft released security patches to close this security hole. If you have not installed the patch, you can get a copy at
http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp
How can I protect my system?
Solo has incorporated W32.Swen.A@mm in its signature file to protect users from this worm attack. Registered Solo Antivirus users are already protected from this worm. Make sure that you have installed the registered version of Solo Antivirus to protect your system from all virus threats.
My system is not working. What should I do?
If you deleted the worm file manually, or deleted it with some other antivirus software, before fixing the registry, your applications will not run, because the worm's EXE and COM file associations still point at the missing file. Follow the instructions below to fix the problem.

1. Open Notepad and type the following. [Notepad will still work on the problem PC. Do not miss any commas or quotation marks while typing.]

;Start
;Registry fix for Swen worm
[Version]
Signature="$CHICAGO$"
[DefaultInstall]
AddReg=FixSwen
[FixSwen]
HKCR, "exefile\shell\open\command",,0,"""%1"" %*"
HKCR, "comfile\shell\open\command",,0,"""%1"" %*"
;End

2. Save the contents as an INF file [Example: FixSwen.INF].

3. In Windows Explorer, right-click on the saved file and choose "Install". This restores the registry entries and allows you to run EXE and COM files again.

4. Now you can establish an Internet connection. Download and run this tool SwenFix.exe to fix the other registry entries. Instead of deleting the worm files manually, you can use the Solo Antivirus trial version to remove the worm.
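The registry keys listed above and the INF repair in steps 1 to 3 both come down to one question: does each file-type command key still execute the file itself, or has it been redirected? The following PowerShell script is an added example, not Solo's SwenFix.exe and not part of the original advisory. It audits the seven HKCR command keys the advisory names plus the HKLM Run key, and with -Repair restores exactly the two exefile/comfile values that FixSwen.INF writes. The expected default strings for batfile, piffile, regfile and scrfile are assumed from a stock Windows install (the advisory itself only spells out the exefile/comfile value); the script name is hypothetical. Note that on a machine where EXE launching is already broken the INF method above is the one that works, since it is installed by the shell rather than by starting an executable; this script is for checking a machine from a working administrative session, or for confirming the repair after step 3.

```powershell
<#
  Audit-SwenFileAssociations.ps1 (hypothetical name): added example, not the vendor's tool.
  Reports HKCR command keys that no longer run the file itself and Run entries that
  match the "<random file name> autorun" pattern. Run from an elevated PowerShell prompt.
#>
[CmdletBinding()]
param(
    [switch]$Repair   # restore the exefile/comfile defaults, as FixSwen.INF does
)

# Assumed stock defaults for a standard Windows install; only the exefile/comfile
# value ("%1" %*) is given explicitly in the advisory.
$expected = @{
    'batfile\shell\open\command'   = '"%1" %*'
    'comfile\shell\open\command'   = '"%1" %*'
    'exefile\shell\open\command'   = '"%1" %*'
    'piffile\shell\open\command'   = '"%1" %*'
    'regfile\shell\open\command'   = 'regedit.exe "%1"'
    'scrfile\shell\config\command' = '"%1"'
    'scrfile\shell\open\command'   = '"%1" /S'
}

function Get-CommandDefault {
    param([string]$RelativeKey)
    $path = "Registry::HKEY_CLASSES_ROOT\$RelativeKey"
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    # GetValue('') returns the key's (Default) value, which is the command the shell runs.
    return (Get-Item -LiteralPath $path).GetValue('')
}

function Test-SwenAssociations {
    # Returns one object per command key whose value differs from the expected default.
    $findings = @()
    foreach ($key in ($expected.Keys | Sort-Object)) {
        $actual = Get-CommandDefault -RelativeKey $key
        if ($actual -ne $expected[$key]) {
            $findings += [pscustomobject]@{
                Key      = "HKCR\$key"
                Expected = $expected[$key]
                Actual   = $actual
            }
        }
    }
    return $findings
}

function Test-SwenRunEntries {
    # Flags Run values that end in " autorun", the form the advisory gives for Swen's entry.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $hits = @()
    foreach ($p in (Get-ItemProperty -LiteralPath $runKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PS* metadata properties
        if ("$($p.Value)" -match '\sautorun\s*$') {
            $hits += [pscustomobject]@{ Name = $p.Name; Value = $p.Value }
        }
    }
    return $hits
}

$assoc = Test-SwenAssociations
$run   = Test-SwenRunEntries
if (-not $assoc -and -not $run) {
    Write-Host 'File associations and the Run key look clean.'
} else {
    Write-Host 'Suspicious registry entries:'
    $assoc | Format-Table -AutoSize
    $run   | Format-Table -AutoSize
}

if ($Repair) {
    # Same two values FixSwen.INF writes; these come first because nothing else can be
    # launched until EXE files run again. Other keys are left to the vendor's cleanup tool.
    foreach ($k in 'exefile\shell\open\command', 'comfile\shell\open\command') {
        Set-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$k" -Name '(default)' -Value '"%1" %*'
        Write-Host "Restored HKCR\$k"
    }
}
```

Run it without arguments to audit; any key reported with an Actual value that names a file in the Windows folder rather than "%1" is the kind of redirection described above. Re-run after -Repair (or after installing the INF) and the exefile and comfile rows should disappear from the report.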
How to remove this worm?
If you are already infected with this worm, you can remove it from your computer using Solo Antivirus software. Solo Antivirus can detect and remove W32.Swen.A@mm safely. Use the following link to download the 30-day trial version of Solo Antivirus [1670 KB] to remove viruses from your computer.

Solo Antivirus not only scans for all viruses; it also contains a unique System Integrity Checker to protect you from new Internet worms, backdoors and malicious VB and Java scripts. It also effectively removes all existing Internet worms, file viruses, malicious VBS and Java scripts, Trojans, backdoors, boot sector, partition table and macro viruses.
You can purchase Solo Antivirus using the link 
