The Swen worm was discovered in the wild yesterday; it is
similar to a recent threat called Gibe. The virus
pretends to be a patch from Microsoft, encouraging the user
to install the infected attachment. The attachment is 106,496
bytes in size and has one of the extensions SCR, COM, EXE, PIF,
BAT, or ZIP. Microsoft never emails patches with its email security
notifications. The worm spreads by emailing itself to victims
using its own SMTP engine. It also spreads through KaZaA and IRC.
The Swen worm copies itself to the Windows folder as a randomly named
executable and adds an entry to the Microsoft Run registry key so
that it is started again on every system reboot.
The worm also changes the entries in the registry at:
HKCR\exefile\shell\open\command
HKCR\regfile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\pifile\shell\open\command
HKCR\scrfile\shell\open\command
HKCR\scrfile\shell\config\command
in order to run its virus code. The Swen worm also creates
a file called SWEN1.DAT in the Windows folder. As if this
were not enough, the worm adds a value under the following
registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
named "DisableRegistryTools" with the value "1". This
prevents the use of REGEDIT under Windows to revert the
changes made by the worm.
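As an added defender-side example (not part of the original advisory), the following PowerShell script checks a Windows host, read-only, for the persistence artifacts described above. The "clean" handler strings it compares against are assumptions based on stock Windows defaults, and the Run-entry path parsing is deliberately naive.

```powershell
# Added read-only triage script (not from the original advisory). It checks the
# persistence artifacts described above. The "clean" handler strings compared
# against are assumptions based on stock Windows defaults.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. File-type handlers the worm rewrites (key names as listed in the advisory).
#    Stock values start with "%1" (e.g. "%1" %*) or invoke regedit.exe for regfile.
$shellKeys = @(
    'exefile\shell\open\command', 'regfile\shell\open\command',
    'comfile\shell\open\command', 'batfile\shell\open\command',
    'pifile\shell\open\command',  'scrfile\shell\open\command',
    'scrfile\shell\config\command'
)
foreach ($k in $shellKeys) {
    $val = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$k").'(default)'
    if ($null -eq $val) { continue }
    if ($val -notmatch '^"%1"' -and $val -notmatch 'regedit\.exe') {
        $findings += "Handler $k -> $val"
    }
}

# 2. The REGEDIT lockout via DisableRegistryTools.
$pol = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if ($pol.DisableRegistryTools -eq 1) {
    $findings += 'DisableRegistryTools = 1 under HKCU\...\Policies\System'
}

# 3. The SWEN1.DAT marker file in the Windows folder.
$dat = Join-Path $env:windir 'SWEN1.DAT'
if (Test-Path $dat) { $findings += "Marker file present: $dat" }

# 4. Run entries pointing at an executable of the advisory's stated size (106,496 bytes).
foreach ($hive in 'HKLM', 'HKCU') {
    $run = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell metadata properties
        $exe = (($p.Value -replace '"', '') -split '\s+')[0]   # naive: first token is the path
        if ((Test-Path $exe) -and ((Get-Item $exe).Length -eq 106496)) {
            $findings += "Run entry '$($p.Name)' -> $exe (106,496 bytes)"
        }
    }
}

if ($findings.Count -eq 0) { 'No Swen-style artifacts found.' } else { $findings }
```

Run it from an elevated prompt on the suspect host; a hit under item 1 is the strongest indicator, since legitimate software rarely rewrites the exefile or regfile handlers.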
The Swen worm attempts to exploit the IFRAME vulnerability
(MS01-020) in certain versions of Microsoft Internet Explorer
and Outlook Express, which allows the attachment to be executed
automatically when the email is received. A patch to fix this
vulnerability is available from Microsoft under security
bulletin MS01-020.
Emails constructed by the worm appear to come from a random
user at support.microsoft.com and try to persuade the user to
open the attachment with subject lines such as 'Newest Network
Critical Patch' or 'Latest Network Security Upgrade'.
