W32/Swen.B@mm and W32/Swen.C@mm
W32/Swen.B@mm was discovered on 9 October and is a minor variant of Swen.A, the mass-mailing worm that started spreading last month through e-mails falsely claiming to be from Microsoft.
Swen.B is a compressed version of the original worm and is an attempt to make the worm undetectable to some anti-virus programs. In addition to this, the majority of references within the e-mail have been changed from Microsoft to the Italian ISP Tiscali. Otherwise the original worm and this variant are very similar.
W32/Swen.C@mm is another minor variant of the original Swen.A worm. Swen.C is also a compressed version of the original and
contains some minor modifications in its links. Its text strings also refer to Microsoft and Tiscali as well as to Renato Soru, Chairman and CEO of Tiscali.
Users are urged to update their virus signature files for F-Prot Antivirus.
W32/Swen.A@mm is detected by the latest virus signature files dated 9 October or later.
After updating the virus signature files, users should scan their whole system
with the F-Prot Antivirus OnDemand scanner to ensure that their computer security
was not compromised before the virus signature files were updated.
Like Swen.A, these variants are designed to spread not only via e-mail but also through KaZaa and IRC file-sharing networks. The
worm also attempts to terminate any known antivirus and firewall software that it finds running. W32/Swen.@mm and its variants are all detected by the latest versions of F-Prot Antivirus using the
latest virus signature files dated 9 October 2003 or later
W32/Swen.A@mm (a.k.a. W32/Gibe.F@mm) is a new mass-mailing worm that infects
via e-mails falsely claiming to be from Microsoft. It also claims to provide
a new version of a security patch provided by Microsoft earlier this month.
Microsoft, however, has a policy of never distributing software via e-mail and advises
users receiving e-mails claiming to contain software from Microsoft not to run the
attachment and to delete such e-mail messages altogether. More information regarding
Microsoft's policies on software distribution can be found at
Microsoft's website.
The e-mail's text and look are convincing and all links within the message lead to
the correct pages at Microsoft's website, so it is not surprising that this worm is
now spreading fast.
Recommended Reactions
Threat Description
Threat Detection
W32/Swen.A@mm, a very legitimate looking worm
Recommended Reactions
Users are urged to update their virus signature files for F-Prot Antivirus. W32/Swen.A@mm is detected by virus signature files dated 18 September or later.
After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.
Threat Description
As well as spreading via e-mail the worm also attempts to spread via KaZaA and IRC file-sharing networks. On infecting a computer the worm attempts to terminate any known antivirus and firewall software that it finds running.
Please note that if the patch discussed in Microsoft Security Bulletin MS01-027 (Q295106, Q299618) has not been applied then the attachment will be executed automatically as soon as the e-mail is opened. The patch prevents this automatic execution of the attachment but will not prevent infection if the attachment is opened manually.
For more information on W32/Swen.A@mm please see the technical description.
Threat Detection
The latest versions of F-Prot Antivirus detect W32/Swen.A@mm using virus signature files dated 18 September or later.