Threat behavior
Win32/Swen copies itself to the Windows folder and may use an archive program to compress the copy. The worm also drops the files swen1.dat, germs0.dbv, and germs1.dbv to store data. Win32/Swen modifies registry keys so that the worm runs each time Windows starts and each time a file with one of the following extensions runs: .bat, .com, .exe, .pif, .reg, .scr. The worm also modifies a registry key so that the user cannot run regedit.exe, the Windows Registry Editor.
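A read-only check for the two persistence changes just described, as an added example (not from the original page or from Microsoft): it compares the open-command handler of each listed file type against the stock Windows value and reports whether the regedit lockout policy is set. It assumes the worm rewrites each type's shell\open\command default value, since the page does not name the exact keys, and any handler that differs from the stock command is only flagged for manual review, because legitimate software can change these too.

```powershell
# Added example, not the page's own content. Assumption: Win32/Swen hooks the
# listed extensions by rewriting HKCR\<progid>\shell\open\command. Read-only.

# Stock handler commands keyed by ProgID (HKCR\.exe -> exefile, and so on)
$expected = @{
    'batfile' = '"%1" %*'
    'comfile' = '"%1" %*'
    'exefile' = '"%1" %*'
    'piffile' = '"%1" %*'
    'scrfile' = '"%1" /S'
    'regfile' = 'regedit.exe "%1"'
}

foreach ($progId in $expected.Keys) {
    $path = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    if (-not (Test-Path $path)) {
        Write-Output "[?] $progId handler key missing"
        continue
    }
    # The default value of the key holds the command line used to run the file
    $cmd = (Get-ItemProperty -Path $path).'(default)'
    if ($cmd -ne $expected[$progId]) {
        Write-Output "[!] $progId open command is '$cmd' (stock value '$($expected[$progId])'); review"
    } else {
        Write-Output "[ok] $progId handler matches stock value"
    }
}

# Regedit lockout: DisableRegistryTools = 1 under the per-user policy key
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$val = (Get-ItemProperty -Path $policy -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
if ($val -eq 1) {
    Write-Output "[!] DisableRegistryTools is set; the Registry Editor is blocked for this user"
} else {
    Write-Output "[ok] Registry Editor not blocked by policy"
}
```

Run it from an elevated PowerShell prompt on a suspect machine; a flagged handler should be examined before any cleanup so that the executable it points at can be captured for analysis.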
Win32/Swen can spread in the following ways:
- Through e-mail. Win32/Swen sends itself as an attachment to e-mail addresses found on the computer. The message claims that the attachment is a Microsoft software update or a notification of an e-mail delivery failure. The worm runs when the user opens the attachment. The worm can exploit a Windows vulnerability that allows an executable e-mail attachment to run automatically when a user merely previews or opens the e-mail message in Microsoft Outlook or Outlook Express. This vulnerability affects computers using Internet Explorer 5.5 SP1 or earlier (except IE 5.01 SP2), and is fixed in Microsoft Security Bulletin MS01-020.
- Through newsgroups. The worm posts the same message to newsgroups that it sends to e-mail addresses.
- Through writeable network shares. The worm can then copy itself to one or more Windows startup folders.
- Through IRC channels. The worm drops or overwrites a script.ini file in the mIRC program folder to send itself to users connected on the same IRC channel as the infected computer.
- Through a peer-to-peer file-sharing program such as KaZaA. The worm copies itself to the shared folder of the file-sharing program. It can use a deceptive file name for the worm copy, such as "Hallucinogenic Screensaver.exe."
Win32/Swen terminates security-related processes. The worm can display a number of misleading messages. This can include a dialog box that falsely claims there is an e-mail problem and requests e-mail account information such as user name, password, and e-mail servers. The worm can use this information to log on to the user's e-mail account. In many Win32/Swen variants, another series of dialog boxes deceptively prompts the user to install a Microsoft security update while the worm is actually installing itself.
Prevention