Selected viruses, spyware, and other threats: sorted alphabetically
Win32/Swen.A is a worm that spreads as an e-mail attachment. It runs on Windows 95 and later versions of the Windows operating system. It also spreads over local networks, through the KaZaA P2P network and via IRC. The worm is not compressed and is 106496 bytes long; all strings inside the worm are readable in plain text.
The worm arrives as a message attachment; the subject, sender and body of the message are assembled from strings stored inside the worm. The message may be disguised as a bounced (undelivered) e-mail or as an update for Microsoft Internet Explorer, Microsoft Outlook or Microsoft Outlook Express. The fake update message looks very convincing:
Note: In the following text the symbolic name %windir% stands for the directory in which the Windows operating system is installed; this naturally differs from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.
The attachment of the fake message has to be run by the user. Where it is not, the worm tries to exploit the vulnerability described at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp, which can cause the attachment to be executed automatically.
Once the attachment is run, the worm copies itself under a randomly generated name into the %windir% directory. It ensures that it is started again after the operating system restarts by creating an entry under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. It also drops further copies of itself with randomly chosen names into %windir%, e.g. the files WinRar key generator.exe and Klez fixtool.exe. The worm writes the list of SMTP and NNTP servers it collects to the file swen1.dat in %windir%, and the e-mail addresses harvested from html, asp, eml, dbx, wab and mbx files to the file germs0.dvb in %windir%. The last file Win32/Swen.A creates in %windir% is a bat file whose name is identical to the name of the infected computer. If the worm copy saved in %windir% is named qfvoezsc.exe, the content of that bat file is:
IF NOT "%1"=="" qfvoezsc.exe %1
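As an added example (not part of the vendor's description), the following Python script looks for the file artifacts just described in a directory that stands in for %windir%: the data files swen1.dat and germs0.dvb, and any .bat file whose content has the launcher form shown above, reporting which executable that launcher points at. The temporary directory, the host name WORKSTATION1, the harmless cleanup.bat and all file contents are constructed for the demonstration; the worm's own launcher line is taken from the description.

```python
"""Added example, not the vendor's tool: scan a directory standing in for %windir%
for the file artifacts attributed to Win32/Swen.A.

Assumptions: the directory is built here in a temporary folder; the host name
WORKSTATION1, the placeholder executable and the file contents are constructed."""
import os
import re
import tempfile

# Data files the description says the worm drops into %windir%.
DATA_FILE_NAMES = {"swen1.dat", "germs0.dvb"}

# The launcher line quoted in the description; the executable name is captured.
LAUNCHER_LINE = re.compile(
    r'^\s*IF\s+NOT\s+"%1"==""\s+(\S+\.exe)\s+%1\s*$',
    re.IGNORECASE | re.MULTILINE,
)


def scan_windir(windir):
    """Return a list of (kind, file_name, referenced_exe) tuples.

    kind is "data-file" for swen1.dat / germs0.dvb (referenced_exe is None) and
    "launcher-bat" for a .bat whose content matches the worm's launcher pattern
    (referenced_exe is the executable named on that line)."""
    findings = []
    for name in sorted(os.listdir(windir)):
        path = os.path.join(windir, name)
        if not os.path.isfile(path):
            continue
        lower = name.lower()
        if lower in DATA_FILE_NAMES:
            findings.append(("data-file", name, None))
        elif lower.endswith(".bat"):
            # latin-1 never fails to decode, so odd bytes cannot abort the scan
            with open(path, "r", encoding="latin-1") as fh:
                match = LAUNCHER_LINE.search(fh.read())
            if match:
                findings.append(("launcher-bat", name, match.group(1)))
    return findings


def referenced_executables(windir, findings):
    """Map each executable named by a launcher .bat to whether it exists in windir."""
    return {
        exe: os.path.isfile(os.path.join(windir, exe))
        for kind, _name, exe in findings
        if kind == "launcher-bat"
    }


def build_sample_windir():
    """Create a constructed stand-in for %windir% with the worm's artifacts plus
    one harmless .bat, so the scan can be tried offline."""
    windir = tempfile.mkdtemp(prefix="fake_windir_")
    files = {
        "qfvoezsc.exe": b"MZ constructed placeholder, not a real executable",
        "WORKSTATION1.bat": b'IF NOT "%1"=="" qfvoezsc.exe %1\r\n',
        "swen1.dat": b"smtp.example.invalid\r\nnntp.example.invalid\r\n",
        "germs0.dvb": b"user@example.invalid\r\n",
        "cleanup.bat": b"@echo off\r\ndel /q %TEMP%\\*.tmp\r\n",
    }
    for name, content in files.items():
        with open(os.path.join(windir, name), "wb") as fh:
            fh.write(content)
    return windir


if __name__ == "__main__":
    sample = build_sample_windir()
    found = scan_windir(sample)
    for kind, name, exe in found:
        print(f"{kind:13} {name}" + (f"  -> {exe}" if exe else ""))
    for exe, present in referenced_executables(sample, found).items():
        print(f"launcher target {exe}: {'present' if present else 'missing'}")
```

On a real host the same scan would be pointed at the actual Windows directory; a .bat named after the computer and matching the launcher pattern is a much stronger indicator than the data files alone, since those names are easy to change between variants.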
Win32/Swen.A modifies the registry keys HKEY_CLASSES_ROOT\exefile\shell\open\command, HKEY_CLASSES_ROOT\regfile\shell\open\command, HKEY_CLASSES_ROOT\comfile\shell\open\command, HKEY_CLASSES_ROOT\batfile\shell\open\command, HKEY_CLASSES_ROOT\piffile\shell\open\command, HKEY_CLASSES_ROOT\scrfile\shell\open\command and HKEY_CLASSES_ROOT\scrfile\shell\config\command. As a result, the worm is run whenever a file with the extension exe, reg, com, bat, pif or scr is opened. It also blocks the system registry editor.
To spread over the KaZaA P2P network, the worm creates many copies of itself with attractive names in the shared folder. In the folder where the mIRC client is installed, it creates a file mirc.ini that offers a copy of the worm, under a name such as WinRar key generator.exe, to everyone who joins the same channel as the infected computer.
On local networks the worm spreads through shared folders. It looks for shared folders containing an installed Microsoft Windows operating system and saves a copy of itself into the Startup subdirectory, so that the computer is infected the next time the operating system is restarted.
The worm terminates processes whose names contain the following strings:
NOD32 detects this worm with its extended heuristics even without an update. Signature-based detection was added in version 1.512.
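The registry change above is what keeps the worm running after cleaning if it is missed, so a check against the clean defaults of exactly those keys is worth having. The Python below is an added example, not the vendor's tool: it parses `reg query` style output into a key/value map, compares each of the seven keys with the value a clean installation carries, and can read the live keys on Windows through `winreg`. The expected default strings are assumed to be the stock values of a Windows XP-era installation and should be confirmed against a known-clean reference machine; the registry dump is constructed to show a hijacked host and reuses the example file name qfvoezsc.exe from the description.

```python
"""Added example, not the vendor's tool: compare the registry command keys that
Win32/Swen.A is described as modifying against their clean-system defaults.

Assumptions: EXPECTED_DEFAULTS holds the stock (Default) values of these keys on
a Windows XP-era installation (verify against a clean machine); SAMPLE_REG_QUERY
is constructed output for a hijacked host."""
import re

# Keys listed in the description, with the value a clean installation carries.
EXPECTED_DEFAULTS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command": 'regedit.exe "%1"',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\piffile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\scrfile\shell\open\command": '"%1" /S',
    r"HKEY_CLASSES_ROOT\scrfile\shell\config\command": '"%1"',
}

# Constructed `reg query` output: two of the seven keys point at the worm copy.
SAMPLE_REG_QUERY = r"""
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    C:\WINDOWS\qfvoezsc.exe "%1" %*

HKEY_CLASSES_ROOT\regfile\shell\open\command
    (Default)    REG_SZ    regedit.exe "%1"

HKEY_CLASSES_ROOT\comfile\shell\open\command
    (Default)    REG_SZ    "%1" %*

HKEY_CLASSES_ROOT\batfile\shell\open\command
    (Default)    REG_SZ    "%1" %*

HKEY_CLASSES_ROOT\piffile\shell\open\command
    (Default)    REG_SZ    "%1" %*

HKEY_CLASSES_ROOT\scrfile\shell\open\command
    (Default)    REG_SZ    "%1" /S

HKEY_CLASSES_ROOT\scrfile\shell\config\command
    <NO NAME>    REG_SZ    C:\WINDOWS\qfvoezsc.exe "%1"
"""

_KEY_LINE = re.compile(r"^HKEY_[A-Z_]+\\\S+$")
# Both the "(Default)" label and the older "<NO NAME>" label are accepted.
_VALUE_LINE = re.compile(r"^\s+(?:\(Default\)|<NO NAME>)\s+REG_(?:EXPAND_)?SZ\s+(.*)$")


def parse_reg_query(text):
    """Turn `reg query` output (a key line followed by its default-value line)
    into a mapping key -> value string."""
    snapshot, current_key = {}, None
    for line in text.splitlines():
        if _KEY_LINE.match(line):
            current_key = line.strip()
            continue
        match = _VALUE_LINE.match(line)
        if match and current_key:
            snapshot[current_key] = match.group(1).strip()
    return snapshot


def check_shell_commands(snapshot):
    """Return (key, current, expected) for every key whose value differs from the
    clean default; a key missing from the snapshot is reported with current=None.
    Comparison ignores case and surrounding whitespace."""
    findings = []
    for key, expected in EXPECTED_DEFAULTS.items():
        current = snapshot.get(key)
        if current is None or current.strip().lower() != expected.lower():
            findings.append((key, current, expected))
    return findings


def read_live_snapshot():
    """On Windows only: read the same keys from the live registry (read-only)."""
    import winreg  # standard library, available on Windows only
    snapshot = {}
    for key in EXPECTED_DEFAULTS:
        subkey = key.split("\\", 1)[1]
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, subkey) as handle:
                snapshot[key] = winreg.QueryValue(handle, None)  # the (Default) value
        except OSError:
            pass  # absent key is flagged by check_shell_commands
    return snapshot


if __name__ == "__main__":
    for key, current, expected in check_shell_commands(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"MODIFIED {key}\n  current : {current!r}\n  expected: {expected!r}")
```

The script only reports; restoring the values is left to the cleaning tool, since putting back a wrong default for exefile would leave every .exe unopenable. Because the worm blocks the registry editor, such a read-only check from a script is often the quickest way to confirm whether the hijack is still in place after cleaning.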
To clean an infected computer, carry out the following steps:
- Click the Control Center icon located on the system taskbar
- Restart the computer in Safe mode
- Click the "Update now" button (to make sure the latest version of the NOD32 database is installed)
- Go to Start > Programs > Eset > NOD32
- In the "Targets" tab select all available hard disks by double-clicking the appropriate icon
- Click the "Clean" button
- When Win32/Swen.A is found and an action is offered, click "Delete"
- Restart the system
Under Windows ME or XP it can happen that the infected files restore themselves after they have been deleted.