1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

'Swen' worm poses as security patch

Discussion in 'Computer Security' started by SimonV, Sep 19, 2003.

  1. SimonV

    SimonV Petabyte Poster Administrator

    6,616
    149
    228
    [​IMG]<font size="3">'Swen' worm poses as security patch </font>
    Antivirus experts fear a new Windows worm could fool many into installing it, because of its legitimate appearance

    Antivirus companies are warning of a new Windows worm that has the potential to spread quickly because it appears to be a legitimate security update from Microsoft.

    The Swen worm, known technically as I-Worm.Swen, W32/Swen.A@mm or W32/Gibe@MM.e, affects Windows 95, Windows NT and all newer versions, and spreads via email and through IRC, Kazaa and local area networks. It uses a vulnerability in Internet Explorer to execute directly from an email message, according to F-Secure. It also attempts to disable firewall and antivirus software. The worm first appeared in the wild on Thursday.

    Windows users are still reeling from a series of damaging virus attacks that have caused chaos in recent weeks, partly due to the large number of Internet-connected PCs that have not patched known vulnerabilities.

    One of the emails Swen uses to spread is a professional-looking message that appears to come from "MS Technical Assistance", and contains a notification of a "September 2003, Cumulative Patch", along with the virus attachment. Microsoft does not spread updates via email.

    When executed, the worm continues to pose as a security update, launching a message windows that states: "This will install Microsoft Security Update. Do you wish to continue?" If the user clicks "Yes" the worm shows a fake installation dialogue box, but also installs invisibly if the "No" button is pressed.

    Swen installs various files to ensure that it is launched every time the system boots up. It also disables the user's ability to edit the Registry.

    Users are advised not to launch attachments. Symantec, F-Secure, Sophos, Network Associates and others have updated the definitions in their anti-virus software to prevent Swen infections.

    Source: news.zdnet.co.uk


     
    Certifications: MOS Master 2003, CompTIA A+, MCSA:M, MCSE
    WIP: Keeping CF Alive...
  2. Nelix
    Honorary Member

    Nelix Gigabyte Poster

    1,412
    3
    82
    Thanks for the head up Si
     
    Certifications: A+, 70-210, 70-290, 70-291
    WIP: 70-294
  3. AJ

    AJ Administrator Administrator

    6,771
    102
    221
    Thanks SimonV

    After our firewall crashing and we had to reconfigure it, I was explaining to the Network Manager about your post, he got an undelivered mail. It was this virus and fortunatly the firewall had stripped the .exe file off, so no danger. It does certainly look authentic, so all heed SimonV wise warning.

    This visus is nasty and in the wild.

    Cheers

    Andrew
     
    Last edited by a moderator: Jan 2, 2015
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Looking at doing ..................
  4. Nelix
    Honorary Member

    Nelix Gigabyte Poster

    1,412
    3
    82
    Just recieved an email that i suspect is this virus so in the bin it goes
     
    Certifications: A+, 70-210, 70-290, 70-291
    WIP: 70-294
  5. SimonV

    SimonV Petabyte Poster Administrator

    6,616
    149
    228
    Just got another 13 emails all with variations on this virus!

    :gun
     
    Certifications: MOS Master 2003, CompTIA A+, MCSA:M, MCSE
    WIP: Keeping CF Alive...
  6. Luton Bee

    Luton Bee Kilobyte Poster

    365
    0
    36
    We've had a couple here at work as well, beware people the message that comes with it is very very realistic looking with links to the MS website and the nav bar in the top right and everything else.

    beware
     
    Certifications: MCSE, MCSA, MCP, A+, Network+ C&G ICT
    WIP: CCNA
  7. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    I just got it too, but Grisoft AVG caught and quarantined it before I even saw it. Need to take you Guys' word for its authenticity.

    Good thing I updated AVG last night. :gun

    Deff thanks again for the warning, though :thumbleft
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  8. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    I just got two more hits, but guess what - in the "To" line, its targeted a whole bunch of us here at CertForums, including Admin@, Derek@, Luton (your Hotmail account), AndyL (B.Y account), and more ...

    Nasty piece of work - good thing we're all smart enough to be up to date in protection, right ?????
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  9. Luton Bee

    Luton Bee Kilobyte Poster

    365
    0
    36
    I wondered where it had come from into my Hotmail!!

    Hello Claims direct?
    ....Mr moneygrabbing-b'stard here Certforums infected my home network can I sue?

    :lol: :lol:
     
    Certifications: MCSE, MCSA, MCP, A+, Network+ C&G ICT
    WIP: CCNA
  10. SimonV

    SimonV Petabyte Poster Administrator

    6,616
    149
    228
    Certifications: MOS Master 2003, CompTIA A+, MCSA:M, MCSE
    WIP: Keeping CF Alive...
  11. AJ

    AJ Administrator Administrator

    6,771
    102
    221
    Ok guys

    Just downloaded my email and seems I had this virus in the mail. I do use mailwasher and recognised it for what it was.

    Andrew
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Looking at doing ..................
  12. SimonV

    SimonV Petabyte Poster Administrator

    6,616
    149
    228
    Certifications: MOS Master 2003, CompTIA A+, MCSA:M, MCSE
    WIP: Keeping CF Alive...

Share This Page

Loading...