Home > Rediff Guide To The Net > Features
How to recognise and weed out the Swen
Vidya Srinivasa Rao |
September 22, 2003 16:51 IST
Yet another Windows virus is doing the round. This one is goes by the name Swen or Gibe. It is similar to the recent Sobig.F and MSBlast epidemics in the sense that it spreads through email and shared networks.
Swen can come in as an email attachment, most often disguised as a security update from Microsoft or sometimes as an email delivery failure notification.
What does it do?
The virus affects machines running Windows 2000, Windows 95/98/Me, Windows NT, Windows Server 2003 and Windows XP.
Users of DOS, Linux, Macintosh, Microsoft IIS, OS/2, Unix and Windows 3.x or any other operating systems, need not worry.
Once active, the virus attempts to shut down any antivirus or personal firewall applications that may be running on the infected system.
Swen will appear to download a patch from the Microsoft site while it is actually changing the system registry files such that the virus runs every time the system is rebooted. The virus also mails itself to addresses it finds on the victim's computer. The Symantec page explains, with screenshots, what exactly happens when the virus executes itself.
How does it spread?
The virus spreads via email messages containing references from Microsoft to a critical patch for Internet Explorer or as an undeliverable email notice. It exploits the vulnerability of MS Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message.
On shared networks, the virus spreads by leaving a copy of itself in the startup folders of individual Windows machines found on the network.
For Internet relay chat users, Swen adds a file called script.ini to the mIRC program folder and then spreads to other IRC users' machines.
KaZaa, and other P2P file-sharing users are affected when the virus adds a copy of itself to the shared file directory using a random name.
The virus affects users who have not installed the Internet Explorer patch MS01-020 for the incorrect MIME header flaw. Users who do not have this latest patch should install it now. Also, do not open any attachment without scanning it for viruses. Microsoft has warned Windows users that they do not issue security updates via email. Update your antivirus with the latest signature files.
Most antivirus companies have updated their signature files. This will stop the infection upon contact and in some cases remove the virus completely. Symantec has detailed instructions to remove the virus infection (Scroll down on the page to see how to remove the virus from different operating systems).
Links to updates on antivirus sites