Antivirus companies are warning Internet users about W32.Swen, a new worm
that spreads using e-mail messages, vulnerable network connections, Internet
Relay Chat (IRC), and peer-to-peer networks.
F-Secure, Network Associates, and Symantec all have issued warnings about
Swen, indicating that the worm is spreading on the Internet. Customers are being
advised to update their antivirus definitions to detect and nullify Swen.
Finding a Flaw
First detected on Thursday, Swen exploits a security hole in Microsoft’s Internet
Explorer Web browser. It affects all supported versions of the Windows operating
system, according to security products vendor F-Secure of Helsinki.
The worm poses as a software security update from Microsoft. Its message prompts
users with “Yes” or “No” buttons to agree to install the update, and even provides
an installation “progress” bar if they do agree.
However, the worm code is installed regardless of what users select. Once
it has infected a system, Swen alters the configuration of Windows so the worm
is launched whenever Windows is started. The worm also detects and disables
antivirus software or other Windows features that could be used to disable it,
according to F-Secure.
Like other mass mailing worms, Swen scans an infected machine’s hard drive
for e-mail addresses and uses those to send out more copies of itself, skimming
SMTP server addresses and user names from Windows.
Infected e-mail messages are formatted to look like official correspondence
from Microsoft. The messages appear to come from one of a variety of randomly
generated senders like “MS Technical Assistance” and advertise a “cumulative
patch” for Internet Explorer to patch “three newly discovered vulnerabilities,”
F-Secure says.
Other Routes
The worm also can detect the presence of IRC clients or
the Kazaa peer-to-peer file-sharing client application, and then distribute
itself on those networks. Swen places a specialized script file that sends a
virus file to every computer on the same IRC channel as the infected computer.
For machines running Kazaa file-sharing software, Swen enables the file-sharing
feature, if it is not already enabled. It places multiple copies of itself in
the Kazaa shared files folder, disguised as Kazaa client software, pirated software,
or other popular applications, F-Secure says.
More than one antivirus company notes the similarity between Swen and an earlier
worm, W32.Gibe, which appeared in March. Like Swen, Gibe also attempted to spread
by e-mail as well as Kazaa and IRC networks, while posing as a piece of legitimate
Microsoft software when installed.
