DAWN Ontario: DisAbled Women's Network Ontario

Technology Info, Tips, FAQs
You Can Use

Virus Information

Swen Virus
W32/Swen-A or W32/Gibe-F
Masquerades as a new Microsoft patch
(w32.swen@mm, also known as Gibe)
Virus Alert September 2003

 

Also Known As:
Swen [F-Secure], W32/Swen@mm [McAfee], W32/Gibe-F [Sophos], Worm Swen.A

Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Systems Not Affected:
DOS, Linux, Macintosh, Microsoft IIS, OS/2, UNIX, Windows 3.x

Symantec Security: http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html

Removal Instructions: Follow this link

Swen prevention and cure
By Robert Vamosi

Swen virus masquerades as a new Microsoft patch
source: http://reviews.cnet.com/4520-6600_7-5078675.html
(9/18/03)

Yet another Internet virus pretending to be a patch from Microsoft is spreading quickly on the Internet. Swen (w32.swen@mm, also known as Gibe) uses the subject line to entice Windows users to open the attachment. In some cases, the virus will execute automatically. The virus attempts to kill all antivirus and personal firewall apps running on the infected machine. Swen can also travel using Kazaa, IRC, and shared network paths. Because Swen spreads via e-mail, IRC, P2P, and shared network files and shows signs of spreading rapidly, this virus rates a 6 on the CNET Virus Meter.

How it works
One way Swen spreads is by e-mail: it arrives either as a message containing references to Microsoft or to a new critical patch for Internet Explorer, or as a returned e-mail.

To spread via shared network files, Swen leaves copies of itself in the start-up folders found on individual Windows computers connected to the network.

For IRC users, Swen adds a script.ini file to the mIRC program folder. It then spreads to other IRC users.

To infect other P2P users, Swen adds a copy of itself to the shared file directory using a random but intriguing name.

Once the virus is active, it will attempt to shut down working antivirus and personal firewall applications. Swen will appear to download and install a patch directly from Microsoft; in reality, the virus is changing system Registry files on the infected machine. Changes include, for example, the ability to run the virus every time the computer is rebooted.

Prevention
Windows users who have not installed the Internet Explorer patch MS01-020 for the incorrect MIME header flaw should do so now to prevent automatic infection from Swen. In general, do not open attached files in e-mail without first saving them to the hard disk and scanning them with updated antivirus software. Please note that Microsoft does not e-mail security patches to its users. Contact your antivirus vendor to obtain the latest antivirus signature files that include Swen.
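The advice above can be turned into a mail-filter check. The following is an added example, not part of the original article: it flags executable attachments, attachments whose declared MIME type hides an executable file name (the condition the MS01-020 flaw depends on), and executable attachments in mail that claims to come from Microsoft. The extension list, keyword list, tag names, and sample messages are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed (non-exhaustive) list of extensions Windows runs directly.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
# Declared types under which an executable attachment is at least honest.
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}
# Assumed keywords; the article only says the mail refers to Microsoft or an IE patch.
VENDOR_WORDS = ("microsoft", "internet explorer")

def inspect_message(raw_bytes):
    """Return (tag, filename) findings for one raw e-mail message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    headers = f"{msg.get('From', '')} {msg.get('Subject', '')}".lower()
    claims_vendor = any(word in headers for word in VENDOR_WORDS)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        if os.path.splitext(filename.lower())[1] not in EXECUTABLE_EXTS:
            continue
        findings.append(("executable-attachment", filename))
        # MS01-020 pattern: an executable declared under a non-executable MIME type.
        if part.get_content_type() not in EXECUTABLE_TYPES:
            findings.append(("mime-mismatch", filename))
        # Microsoft does not e-mail patches, so this combination is always suspect.
        if claims_vendor:
            findings.append(("fake-vendor-patch", filename))
    return findings

def build_sample(sender, subject, filename, maintype, subtype):
    """Construct a sample message (constructed test data, not a captured mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.org", subject
    m.set_content("Please see the attached file.")
    m.add_attachment(b"placeholder bytes", maintype=maintype,
                     subtype=subtype, filename=filename)
    return m.as_bytes()

SUSPECT = build_sample("Security Update <update@example.com>",
                       "Microsoft critical patch", "patch.exe", "audio", "x-wav")
BENIGN = build_sample("Friend <friend@example.org>",
                      "Holiday photos", "beach.jpg", "image", "jpeg")

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, inspect_message(raw))
```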

Removal
Most antivirus software companies have updated their signature files to include this virus. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, and Trend Micro.





 

 


Website created & maintained
courtesy of Barbara Anello

DAWN Ontario
Box 1138 North Bay, ON P1B 8K4