Security Alert - Worm: W32/Swen@MM
Severity: Moderate
Date: September 18, 2003
Products affected: Microsoft Outlook, Microsoft Outlook Express, and Web-based e-mail
**********************************************************************
What is it?
W32/Swen.A@MM is a worm that spreads through e-mail and network shares. The Microsoft Product Support Services (PSS) Security Team is issuing this alert to advise you to review the information on this page and take the appropriate action for your environment.
Impact of Attack
W32/Swen.A@MM causes mass mailings, disabling processes related to security software such as antivirus and firewall software.
Technical Details
For additional information about this worm, visit the following antivirus software vendors, participants in the Microsoft Virus Information Alliance:
Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=36939
McAfee: http://vil.nai.com/vil/content/v_100662.htm
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A
Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html
For more information about the Virus Information Alliance, visit http://www.microsoft.com/technet/security/alerts/info/via.mspx.
Prevention
1) Install the latest security patch for Internet Explorer. Information about the latest cumulative security patch for Internet Explorer can be found at http://www.microsoft.com/technet/security/bulletin/ms03-032.mspx.
To find out how this worm exploits a previously patched vulnerability related to the following Microsoft Security Bulletin, see http://www.microsoft.com/technet/security/bulletin/ms01-020.mspx.
2) Block harmful attachment types at your Internet mail gateways.
3) Ensure that you:
Get the most recent updates to help improve your Outlook security as well as for other Microsoft Office programs.
| • | For Outlook 2000, install any service pack later than Service Pack2 (SP2). |
| • | For Outlook XP, install any service pack later than Service Pack 1 (SP1). These service packs block attachments by default, so you cannot open them and be infected. |
Ensure you are running the latest version of Office by visiting http://office.microsoft.com/ProductUpdates/default.aspx.
By default, Outlook 2000 released prior to Service Release 1 (SR1) and Outlook 98 did not include this functionality, but it can be obtained by installing Office 2000 Service Pack 3 (SP3). This service pack includes the Outlook 2000 SR1 E-Mail Security Update, which changes the way Outlook handles certain types of e-mail attachments. The new e-mail attachment handling behavior, however, is customizable. To download Office 2000 SP3, see http://office.microsoft.com/Downloads/2000/Out2ksec.aspx.
To find out what attachment types are blocked by Outlook, read the Microsoft Knowledge Base article at http://support.microsoft.com?kbid=290497.
Configure Outlook Express 6 to block access to potentially-damaging attachments. For more information, see http://support.microsoft.com?kbid=291387.
For Web-based e-mail programs, use an application-level firewall to help protect you from being infected with this worm.
Note: Earlier versions of Outlook Express do not contain attachment-blocking functionality. If you are running an earlier version of Outlook Express, please use extreme caution when you open unsolicited e-mail messages with attachments.
Recovery
If your computer is infected with this worm, update your virus signature files to detect and remove the worm. For assistance with removing this worm from your computer, contact Microsoft Help and Support or your preferred antivirus vendor.
As always, make sure to keep your the antivirus software current with the latest updates to help detect new worms, viruses, and their variants.
If you have any questions regarding this alert, contact your Microsoft representative. Or, call 1-866-727-2338 (1-866-PCSafety) if you live within the United States. If you live outside the United States, contact your local Microsoft subsidiary.
PSS Security Response Team
