Threat Encyclopedia


Win32/Swen.A

W32/Gibe-F

Win32/Swen.A is a worm that spreads as an e-mail attachment. It runs on Windows 95 and newer versions of the Windows operating system. It also spreads via local networks, the KaZaA P2P network and IRC. The worm is not compressed and is 106496 bytes long. All text strings in the worm are plainly visible.

The worm arrives as an attachment to a message whose subject, sender and body are assembled from strings contained in the worm's body. The message may look like a bounced (undelivered) e-mail or like an update notice for Microsoft Internet Explorer, Microsoft Outlook or Microsoft Outlook Express. The fake update message looks very convincing.

Note: In the following text the symbolic name %windir% stands for the directory in which the Windows operating system is installed; this differs from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.

The file attached to the fake message must be run by the user. If the worm cannot spread with such a message, it tries to exploit the vulnerability described at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp, which can cause it to be activated automatically.

After the attachment is run, the worm copies itself under a randomly generated name into the %windir% directory. It ensures that it is activated again after the operating system restarts by creating an entry in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. It also creates further copies of itself there under randomly chosen names, e.g. the files WinRar key generator.exe and Klez fixtool.exe. The worm writes a list of SMTP and NNTP servers to the file swen1.dat in %windir%. It saves the e-mail addresses harvested from html, asp, eml, dbx, wab and mbx files to the file germs0.dvb in %windir%. The last file Win32/Swen.A creates in %windir% is a file with the bat extension whose name is identical to that of the infected computer. If the worm's own file saved in %windir% is named qfvoezsc.exe, the content of that bat file is:

@ECHO OFF
IF NOT "%1"=="" qfvoezsc.exe %1

Win32/Swen.A modifies the registry keys HKEY_CLASSES_ROOT\exefile\shell\open\command, HKEY_CLASSES_ROOT\regfile\shell\open\command, HKEY_CLASSES_ROOT\comfile\shell\open\command, HKEY_CLASSES_ROOT\batfile\shell\open\command, HKEY_CLASSES_ROOT\piffile\shell\open\command, HKEY_CLASSES_ROOT\scrfile\shell\open\command and HKEY_CLASSES_ROOT\scrfile\shell\config\command. As a result, the worm takes control whenever a file with the extension exe, reg, com, bat, pif or scr is opened. It also disables the registry editor.
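As an added example (not from the original entry or from ESET), the following Python checks, offline, for the indicators described above: the altered shell\open\command values, the companion .bat that forwards its argument to the worm's exe, and the swen1.dat / germs0.dvb data files in %windir%. The default command values and all sample data are assumptions constructed here, not captured from an infected machine.

```python
import re

# Expected (default) Windows shell command values for the file types the worm
# hijacks. Stated as assumptions here; compare with a known-clean machine.
EXPECTED_COMMANDS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\piffile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command": 'regedit.exe "%1"',
    r"HKEY_CLASSES_ROOT\scrfile\shell\open\command": '"%1" /S',
    r"HKEY_CLASSES_ROOT\scrfile\shell\config\command": '"%1"',
}

# Data files the entry says the worm writes to %windir% besides its own copies.
DROPPED_FILES = {"swen1.dat", "germs0.dvb"}

# Shape of the companion .bat: it hands the opened file over to the worm's exe.
BAT_FORWARD = re.compile(r'^IF NOT "%1"=="" (?P<exe>\S+\.exe) %1\s*$', re.I | re.M)

def hijacked_commands(reg_values):
    """Return {key: value} for the listed shell commands that differ from the default."""
    return {k: v for k, v in reg_values.items()
            if k in EXPECTED_COMMANDS
            and v.strip().lower() != EXPECTED_COMMANDS[k].lower()}

def bat_forward_target(bat_text):
    """Return the .exe a .bat forwards its argument to, or None if it does not match."""
    m = BAT_FORWARD.search(bat_text)
    return m.group("exe").lower() if m else None

def dropped_files_present(windir_listing):
    """Return the subset of the worm's data files found in a %windir% listing."""
    return {f for f in windir_listing if f.lower() in DROPPED_FILES}

# Constructed sample data (not from a real machine): one altered key, the .bat
# quoted in the text above, and a %windir% directory listing.
SAMPLE_REGISTRY = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": r'"C:\WINDOWS\qfvoezsc.exe" "%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command": 'regedit.exe "%1"',
}
SAMPLE_BAT = '@ECHO OFF\nIF NOT "%1"=="" qfvoezsc.exe %1\n'
SAMPLE_WINDIR = ["explorer.exe", "qfvoezsc.exe", "swen1.dat", "germs0.dvb", "PC-01.bat"]

if __name__ == "__main__":
    print("altered shell commands:", hijacked_commands(SAMPLE_REGISTRY))
    print("bat forwards to:", bat_forward_target(SAMPLE_BAT))
    print("dropped files found:", dropped_files_present(SAMPLE_WINDIR))
```

On a live Windows machine the same functions can be fed values read with the winreg module and an os.listdir of %windir%.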

To spread on the KaZaA P2P network, the worm creates many copies of itself with attractive names in the shared folder. In the folder where the mIRC client is installed, it creates the file mirc.ini, which offers a copy of the worm, under a name such as WinRar key generator.exe, for download to everybody who joins the same channel as the infected computer.

On local networks the worm spreads via shared folders. It searches for folders containing an installed Microsoft Windows operating system and saves a copy of itself into the Startup subdirectory. That computer is infected when its operating system is next restarted.

The worm terminates processes whose names contain any of the following strings:

zonealarm
zapro
wfindv32
webtrap
vsstat
vshwin32
vsecomr
vscan
ettray
vet98
vet95
vet32
vcontrol
vcleaner
tds2
tca
sweep
sphinx
serv95
safeweb
rescue
regedit
rav
pview
pop3trap
persfw
pcfwallicon
pccwin98
pccmain
pcciomon
pavw
pavsched
pavcl
padmin
outpost
nvc95
nupgrade
nupdate
normist
nmain
nisum
navw
navsched
navnt
navlu32
navapw32
nai_vs_stat
msconfig
mpftray
moolive
luall
lookout
lockdown2000
kpfw32
jedi
iomon98
iface
icsupp
icssuppnt
icmoon
icmon
icloadnt
icload95
ibmavsp
ibmasn
iamserv
iamapp
gibe
f-stopw
frw
fp-win
f-prot95
fprot95
f-prot
fprot
findviru
f-agnt95
espwatch
esafe
efinet32
ecengine
dv95
claw95
cfinet
cfind
cfiaudit
cfiadmin
ccshtdwn
ccapp
bootwarn
blackice
blackd
avwupd32
avwin95
avsched32
avp
avnt
avkserv
avgw
avgctrl
avgcc32
ave32
avconsol
autodown
apvxdwin
aplica32
anti-trojan
ackwin32
_avp

NOD32 detects this worm with its extended heuristics without requiring an update. Signature-based detection was added in version 1.512.

To clean an infected computer, carry out the following steps:

  • Click the Control Center icon located on the system taskbar
  • Restart the computer in Safe mode
  • Click the "Update now" button (to make sure the latest version of the NOD32 database is installed)
  • Go to Start > Programs > Eset > NOD32
  • In the "Targets" tab select all available hard disks by double-clicking the appropriate icon
  • Click the "Clean" button
  • When Win32/Swen.A is found and an action is offered, click "Delete"
  • Restart the system

NOTE:
Under Windows ME or XP it can happen that the infected files restore themselves.