W32/Swen.B@mm and W32/Swen.C@mm

9 October 2003

W32/Swen.B@mm was discovered on 9 October and is a minor variant of Swen.A, the mass-mailing worm that started spreading last month through e-mails falsely claiming to be from Microsoft.

Swen.B is a compressed version of the original worm, an attempt to make the worm undetectable to some anti-virus programs. In addition, the majority of references within the e-mail have been changed from Microsoft to the Italian ISP Tiscali. Otherwise the original worm and this variant are very similar.

W32/Swen.C@mm is another minor variant of the original Swen.A worm. Swen.C is also a compressed version of the original and contains some minor modifications in its links. Its text strings also refer to Microsoft and Tiscali as well as to Renato Soru, Chairman and CEO of Tiscali.


Recommended Reactions

Users are urged to update their virus signature files for F-Prot Antivirus. W32/Swen.A@mm is detected by the latest virus signature files dated 9 October or later.

After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.

Threat Description

Like Swen.A, these variants are designed to spread not only via e-mail but also through KaZaA and IRC file-sharing networks. The worm also attempts to terminate any known antivirus and firewall software that it finds running.

Threat Detection

W32/Swen.@mm and its variants are all detected by the latest versions of F-Prot Antivirus using the latest virus signature files dated 9 October 2003 or later.



W32/Swen.A@mm, a very legitimate-looking worm

18 September 2003

W32/Swen.A@mm (a.k.a. W32/Gibe.F@mm) is a new mass-mailing worm that infects via e-mails falsely claiming to be from Microsoft. It also claims to provide a new version of a security patch provided by Microsoft earlier this month.

Microsoft, however, has a policy of never distributing software via e-mail and advises users receiving e-mails claiming to contain software from Microsoft not to run the attachment and to delete such e-mail messages altogether. More information regarding Microsoft's policies on software distribution can be found at Microsoft's website.

The e-mail's text and look are convincing and all links within the message lead to the correct pages at Microsoft's website, so it is not surprising that this worm is now spreading fast.

Recommended Reactions

Users are urged to update their virus signature files for F-Prot Antivirus. W32/Swen.A@mm is detected by virus signature files dated 18 September or later.

After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.

Threat Description

As well as spreading via e-mail, the worm also attempts to spread via KaZaA and IRC file-sharing networks. On infecting a computer, the worm attempts to terminate any known antivirus and firewall software that it finds running.

Please note that if the patch discussed in Microsoft Security Bulletin MS01-027 (Q295106, Q299618) has not been applied, the attachment will be executed automatically as soon as the e-mail is opened. The patch prevents this automatic execution of the attachment but will not prevent infection if the attachment is opened manually.

For more information on W32/Swen.A@mm please see the technical description.

Threat Detection

The latest versions of F-Prot Antivirus detect W32/Swen.A@mm using virus signature files dated 18 September or later.

Commtouch® is a leading developer of anti virus software and anti spam filtering services. Commtouch's anti virus computer software, F-PROT Antivirus, is available for a number of operating systems such as Windows, Linux, BSD, Solaris, and AIX as well as the Microsoft Exchange groupware.
