Swen is a worm that replicates via e-mail, the local network (LAN),
IRC and Kazaa. It uses a vulnerability in Internet Explorer to
execute directly from e-mail. The Swen worm appeared on the 18th of
September 2003. It was most likely written by the author of the Gibe
worm (Begbie), and it has features similar to those of the latest
Gibe variants.
Disinfection
Disinfection Tool
F-Secure provides a special tool to disinfect the Swen worm.
The tool and disinfection instructions are available at:
Please make sure you read the SWENTOOL.TXT file before using
the disinfection tool.
Please note that the tool only disinfects a local infection of the
Swen worm. It does not remove infected messages from your e-mail
databases. You will have to delete all infected messages manually
and then compact the database to permanently destroy the deleted
data.
Troubleshooting
In some cases, when the Swen executable is deleted or renamed by an
anti-virus program without fixing the Registry, it becomes
impossible to run executable files on the computer. This happens
because Windows can't find the file associated with executables
(in this case Swen's file) on the hard disk. If you have this
problem, please download the following file:
Then rename SWENFIX.EXE to the name of the deleted Swen executable
(the name Windows asks for) and copy that file to the Windows
folder. After that you will be able to run SWENTOOL.COM to
disinfect your computer.
Note that when Swen's executable file has been deleted or renamed
manually or by an anti-virus program, SWENTOOL will not
automatically scan all your hard disks; it will show a 'Nothing to
clean' message instead. To make the tool scan all available hard
disks you will have to run it with the /SCANFILES command line
option. To do this, follow these instructions:
1. Click the 'Start' button and select 'Run'.
2. In the dialog box that appears, type the following:
swentool /scanfiles
3. Press 'Enter' to run the tool.
If the SWENTOOL.COM file is not found, you will have to specify the
path to it on the command line:
<drive>:\<path>\swentool /scanfiles
Here <drive> and <path> are the drive and folder where the
SWENTOOL.COM file was downloaded and saved. For example, if you put
the tool in the 'c:\temp' folder, the command line will look like
this:
c:\temp\swentool /scanfiles
After SWENTOOL finishes scanning your hard disk, it is recommended
that you restart your computer. After the restart your computer
should be clean.
The worm's file is a Windows PE executable 106496 bytes long. It
is not compressed by any file compressor.
Installation to system
When the worm's file is run, it checks whether it is already
installed and, if not, copies its file to the Windows directory
under a random name (for example MLMHP.EXE) and creates a startup
key for this file in the Registry:
These subkeys contain information about the SMTP server, the user's
e-mail address, the key name of the installed worm's file, the name
of the infected computer's user, the name of a zip archive that the
worm tries to create using WinZip, the name of the mIRC folder and
some other data.
During the installation process the worm enables sharing for the
Kazaa client, copies itself several times into Kazaa shared folders
and also replaces the SCRIPT.INI file of the mIRC client with one
that sends the worm's file to every user joining a channel where an
infected user is present. The worm also copies its file to the
startup folders of remote computers via the network.
Spreading in local network
The worm attempts to spread via the local network (LAN). It looks
for mapped network drives, accesses them, and if it finds one of
the following directories in the root folder:
Win98
Win95
WinMe
Windows
it copies its file under a random name to the following folders:
\%WinDir%\Start menu\Programs\Startup
\Documents and Settings\All Users\Start menu\Programs\Startup
\Documents and Settings\Administrator\Start menu\Programs\Startup
\Documents and Settings\Default User\Start menu\Programs\Startup
As a result, remote computers become infected with the worm after
they are restarted.
Spreading in IRC networks
The worm creates its own SCRIPT.INI file in the mIRC installation
folder. This script makes the IRC client send a file called
'WinZip installer.zip' to every user joining a channel where an
infected user is present.
Spreading in Kazaa networks
The worm modifies the Registry to enable sharing for the Kazaa
client, then locates the Kazaa shared folder and copies itself
there under a generated name. The name is generated from the
following strings:
Kazaa Lite
KaZaA media desktop
KaZaA
WinRar
WinZip
Winamp
Mirc
Download Accelerator
GetRight FTP
Windows Media Player
key generator
hack
hacked
warez
upload
installer
AOL hacker
Yahoo hacker
Hotmail hacker
10.000 Serials
Jenna Jameson
HardPorn
Sex
XboX Emulator
Emulator PS2
XP update
XXX Video
Sick Joke
XXX Pictures
My naked sister
Hallucinogenic Screensaver
Cooking with Cannabis
Magic Mushrooms Growing
Virus Generator
These files can have EXE or ZIP extensions.
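The two drop locations described above (the startup folders on mapped drives and the Kazaa shared folder with lure-named EXE/ZIP files) can be audited from a directory listing. The following Python is an added example written for this description, not F-Secure's tool; the Kazaa shared folder path, the audit_listing function and the sample listing are assumptions, and the startup folder list and lure strings are taken from the text above.

```python
import re

# Startup folders the worm drops into (from the description); the root
# directory it matched (Win98, Win95, WinMe or Windows) stands in for %WinDir%.
STARTUP_DIRS = [
    r"%WinDir%\Start menu\Programs\Startup",
    r"Documents and Settings\All Users\Start menu\Programs\Startup",
    r"Documents and Settings\Administrator\Start menu\Programs\Startup",
    r"Documents and Settings\Default User\Start menu\Programs\Startup",
]
WIN_ROOTS = ("Win98", "Win95", "WinMe", "Windows")
# A subset of the strings the worm builds its Kazaa lure file names from.
LURES = ("kazaa", "winrar", "winzip", "winamp", "mirc", "key generator",
         "hack", "warez", "xp update", "emulator", "virus generator")
EXEC_EXT = re.compile(r"\.(exe|zip)$", re.I)

def _drop_folders():
    """Expand %WinDir% so every drop folder is a concrete, lower-cased path."""
    out = set()
    for d in STARTUP_DIRS:
        for root in (WIN_ROOTS if "%WinDir%" in d else ("",)):
            out.add(d.replace("%WinDir%", root).lower())
    return out

DROP_FOLDERS = _drop_folders()

def audit_listing(paths, shared_folder=r"C:\Program Files\Kazaa\My Shared Folder"):
    """Flag executables in Swen's drop locations. `paths` are full Windows paths
    (e.g. from a walk of local and mapped drives); shared_folder is assumed."""
    findings = []
    shared = shared_folder.lower()
    for raw in paths:
        if not EXEC_EXT.search(raw):
            continue                      # .lnk shortcuts, documents, etc.
        folder, _, name = raw.rpartition("\\")
        below_drive = folder.split("\\", 1)[1].lower() if "\\" in folder else ""
        if below_drive in DROP_FOLDERS:
            findings.append((raw, "executable in startup folder"))
        elif folder.lower() == shared and any(l in name.lower() for l in LURES):
            findings.append((raw, "lure-named file in Kazaa share"))
    return findings

# Constructed directory listing (not taken from a real infection).
LISTING = [
    r"Z:\Windows\Start menu\Programs\Startup\MLMHP.EXE",
    r"Z:\Documents and Settings\All Users\Start menu\Programs\Startup\MLMHP.EXE",
    r"Z:\Documents and Settings\All Users\Start menu\Programs\Startup\Notes.lnk",
    r"C:\Program Files\Kazaa\My Shared Folder\XP update installer.exe",
    r"C:\Windows\notepad.exe",
]
```

Normal startup entries are .lnk shortcuts, so a bare executable in one of these folders is worth a look even when its name is not random.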
Spreading in e-mails and to newsgroups
The worm periodically scans HTML and ASP files on the hard drive
and stores the e-mail addresses it finds in the GERMS0.DBV file in
the Windows folder. The worm also reads .EML, .DBX, .WAB and .MBX
files and fetches e-mail addresses from them. The worm skips
addresses containing the strings 'delete' and 'spam'.
The worm can also search for e-mail addresses in newsgroups. It
connects to the NNTP servers listed in the SWEN1.DAT file, gets
the list of all newsgroups on each server and searches recent
messages in these newsgroups for 'nfrom:' and 'nreply-to:' tags.
When such tags are found, the worm takes the e-mail addresses after
them and writes them to the GERMS0.DBV file. This way the worm can
harvest a lot of e-mail addresses to send itself to.
The worm can also post its messages to the newsgroups whose names
it finds during this search. It posts the same kind of messages as
it sends via e-mail.
The worm reads the SMTP server address and user name from the
Registry. If it can't find this information, it shows a fake MAPI
error dialog asking the user to enter that data:
The worm sends itself in very legitimate-looking messages composed
from different text strings hardcoded in the worm's body. It also
checks the current date and uses the current month in the text of
the e-mail message, so it spreads with a different message each
month of the year.
Here is an example of such a message sent in September:
The attachment name, subject and part of the infected message are
randomly composed from text strings hardcoded in the worm's body.
The fake sender's address is selected from the following parts:
MS
Microsoft
Corporation
Program
Internet
Network
Security
Division
Section
Department
Center
Technical
Public
Customer
Bulletin
Services
Assistance
Support
The domain name for these e-mails is selected from the following
parts:
news
bulletin
confidence
advisor
updates
technet
support
newsletters
The domain suffix for these e-mails is selected from the
following parts:
ms
msn
msdn
microsoft
followed by one of the following:
.com
.net
The fake recipient's address is also composed from the strings
shown above; however, the fake recipient's name is selected from
the following parts:
Commercial
MS
Microsoft
Corporation
Customer
User
Partner
Consumer
Client
The subject is composed from the following parts:
Current
Newest
Last
New
Latest
Net
Network
Microsoft
Internet
Critical
Security
Patch
Update
Pack
Upgrade
The worm is usually attached to infected messages as an EXE file.
The attachment name is randomly generated from numbers and the
following parts:
For example, the infected attachment name can be Q591362.EXE or
UPDATE98.EXE. The IFrame exploit is not present in such messages.
In some cases the worm's attachment is in a ZIP archive.
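The word lists above make the Microsoft-style messages recognisable at a mail gateway. The following Python is an added example for this description, not F-Secure's code: it copies the sender-name, domain, suffix and subject parts from the text, assumes that the worm joins domain parts with at most one '.', '-' or '_' (the exact joining rule is not given), and runs over a constructed sample message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Word lists copied from the description; how the worm joins them is an
# assumption, so the matching is deliberately lenient about separators.
SENDER_PARTS = {"ms", "microsoft", "corporation", "program", "internet",
                "network", "security", "division", "section", "department",
                "center", "technical", "public", "customer", "bulletin",
                "services", "assistance", "support"}
SUBJECT_PARTS = {"current", "newest", "last", "new", "latest", "net",
                 "network", "microsoft", "internet", "critical", "security",
                 "patch", "update", "pack", "upgrade"}
SPOOFED_DOMAIN = re.compile(
    r"^(news|bulletin|confidence|advisor|updates|technet|support|newsletters)"
    r"[._-]?(ms|msn|msdn|microsoft)\.(com|net)$", re.I)
EXEC_EXT = re.compile(r"\.(exe|zip)$", re.I)

def all_from(words, vocab):
    """True when there are at least two words and every one is in vocab."""
    return len(words) >= 2 and all(w.lower() in vocab for w in words)

def swen_indicators(raw_message: str) -> list:
    """Return the Swen-style traits found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    hits = []
    if SPOOFED_DOMAIN.match(addr.rpartition("@")[2]):
        hits.append("spoofed-ms-domain")
    if all_from(name.split(), SENDER_PARTS):
        hits.append("sender-name-from-parts")
    if all_from(msg.get("Subject", "").split(), SUBJECT_PARTS):
        hits.append("subject-from-parts")
    if any(EXEC_EXT.search(p.get_filename() or "") for p in msg.walk()):
        hits.append("executable-attachment")
    return hits

# Constructed sample in the style described above (not a real capture).
SAMPLE = """From: "MS Network Security Center" <technet-bulletin@newsletters.msdn.net>
Subject: Latest Internet Critical Pack
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Q591362.EXE"
Content-Disposition: attachment; filename="Q591362.EXE"

AAAA
--b1--
"""
```

The domain pattern requires one of the worm's domain parts before the suffix, so genuine microsoft.com or msn.com senders do not match on the domain check alone.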
The worm can also compose fake forwarded or bounced e-mails from
the following parts:
RE:
FWD:
FW:
Check
Check out
Prove
Try
Taste
Try on
Look at
Take a look at
See
Watch
Use
Apply
Install
this
that
the
these
important
internet
critical
security
corrective
correction
patch
update
pack
upgrade
for
MS
Microsoft
Windows
Internet Explorer
which
that
comes
from
the
MS
M$
Microsoft
Corporation
Corp.
The bodies of bounced e-mails can have the following text
strings:
Hi.
This is the qmail program
Message from
I'm sorry
I'm sorry to have to inform you that
I'm afraid
I wasn't able to deliver your message
the message returned below could not be delivered
to the following addresses:
to one or more destinations.
Undeliverable
Undelivered
message
mail
Message follows:
Such e-mails usually contain the IFrame exploit and the worm's file
with a PIF, BAT, COM, SCR or EXE extension, and there is no
Microsoft-like message body in them. The IFrame exploit allows the
worm's attachment to start automatically on older or unpatched
versions of certain e-mail clients.
Payload
The worm terminates processes of security and anti-virus software
that have the following strings in their names:
The worm also prevents files that have the above strings in their
names from starting. When such a file is started, the worm shows
the following message box and stops execution of that file:
The numbers in this message box are randomly generated.
If the worm finds a debugger on the system, it shows a message box
with the following text:
Try to pull my legs?
Infection counter
The worm keeps its own counter on a certain webpage. Every
infected computer tries to access that page, which increases the
counter. At the time this description was written (18th of
September, 20:00 GMT) the counter value was over 510000, but we
believe that this is not the actual number of infected computers.
This minor variant (Swen.B) was found on the 9th of October, 2003.
It was created by compressing the original virus with UPX, which
shrank the virus from 106496 bytes to 52224 bytes and made it
undetectable to some anti-virus programs.
In addition, many references to Microsoft in the original virus
have been changed to references to Tiscali, an Italian ISP.
F-Secure Anti-Virus detected this modified version of the virus
without any need for updates.
This minor variant was also found on the 9th of October, 2003. Like
the previous variant, it is compressed with the UPX file
compressor. The packed file size is 52224 bytes.
Swen.C has a slightly different set of text strings, mentioning
both Tiscali and Microsoft as well as the name of Tiscali's CEO
Renato Soru. A few Tiscali links that were present in the B variant
were slightly modified.