Swen Virus Continues To Fool Users
By Jay Wrolstad
Enterprise Windows IT
September 22, 2003

Swen sends a message that claims to contain a cumulative patch for several security vulnerabilities in Outlook, Outlook Express and Internet Explorer. Once a machine is infected, the worm distributes itself to addresses found in a user's system.

Swen, a mass e-mailing virus, continues to spread worldwide, adding yet another concern to a growing heap of problems that have plagued Windows customers in recent weeks.
The W32/Swen@MM worm, also known as a Gibe.F virus, initially was launched late last week. It arrives on PCs as a fraudulent Microsoft software-update message that easily can fool users who have been busy trying to keep up with patches issued by Microsoft for previous attacks.

Swen exploits a Microsoft Internet Explorer flaw revealed two years ago. The worm sends a message that claims to contain a cumulative patch for several security vulnerabilities in Outlook, Outlook Express and Internet Explorer. Once a machine is infected, the worm distributes itself to addresses found in a user's system.

The new bug also spreads through P2P and Internet Relay Chat (IRC) networks, and can copy itself across shared networks.

Number of Infections Rising

This is a very good social engineering attempt, says Bruce Hughes, malicious code authority with security firm TruSecure. He told NewsFactor that Swen spread rapidly on Friday, primarily affecting home computer users, who, unlike businesses, do not have e-mail attachment filters on their systems.

After briefly subsiding over the weekend, the number of Swen bug infections picked up on Monday, said David Loomstein of Symantec security response. The company has received 3,300 submissions regarding the virus, he told NewsFactor, with that number on pace to double, indicating that the infection rate is rising.

This is a very agressive virus using a lot of tools to deceive users, Loomstein said. Beyond causing odd behaviors on a PC, such as slow operation, Swen is sending dialogs to users telling them there is a problem with their e-mail system and requesting personal e-mail account information. It can even delete itself to cover its tracks once the damage has been done, and will install itself on a computer even if the user clicks the no dialogue box.

Consumers Take the Brunt
Of the machines infected, said Loomstein, just 10 percent are corporate computers, while the vast majority are consumer PCs.

Hughes described the worm as a variant of the Gibe virus strain that has previously spread as a disguised Microsoft update. He reinforced Microsoft's reminder that the company does not distribute patches via e-mail, and advised users to delete any such messages they receive.

Users are encouraged to update their antivirus software and to be particularly wary of all e-mail messages with attachments purporting to contain patches or other software-repair tools, Hughes said.

Those using Web-based e-mail should install a third-party firewall to help protect a computer from this worm. In addition to updating antivirus software with new virus definitions, users should scan their computer and follow the instructions from Microsoft for removing this worm.

NewsFactor