W32/Swen.A@mm, a very legitimate-looking worm
W32/Swen.A@mm (a.k.a. W32/Gibe.F@mm) is a new mass-mailing worm that infects
via e-mails falsely claiming to be from Microsoft. It also claims to provide
a new version of a security patch provided by Microsoft earlier this month.
Microsoft, however, has a policy of never distributing software via e-mail and advises
users receiving e-mails claiming to contain software from Microsoft not to run the
attachment and to delete such e-mail messages altogether. More information regarding
Microsoft's policies on software distribution can be found at
The e-mail's text and look are convincing and all links within the message lead to
the correct pages at Microsoft's website, so it is not surprising that this worm is
now spreading fast.
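Because the message's appearance gives no reliable signal, a mail filter can apply Microsoft's stated policy mechanically instead. The following is an added example, not part of the original advisory and not F-Prot's code; the extension list, function names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
import os

# Assumed list of executable attachment extensions; extend for your site.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}

def claims_microsoft(msg):
    """True if the sender, subject or text body presents the mail as Microsoft's."""
    display, addr = parseaddr(str(msg.get("From", "")))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    fields = [display, addr, str(msg.get("Subject", "")), text]
    return any("microsoft" in f.lower() for f in fields)

def executable_attachments(msg):
    """Return file names of attached parts whose extension marks them executable."""
    found = []
    for part in msg.walk():  # walk() also reaches parts nested in sub-containers
        name = (part.get_filename() or "").strip().rstrip(".")
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
            found.append(name)
    return found

def should_quarantine(raw):
    """Policy check: mail posing as Microsoft never legitimately carries software."""
    msg = message_from_bytes(raw, policy=policy.default)
    return claims_microsoft(msg) and bool(executable_attachments(msg))

def build_sample(sender, subject, body, attachment=None):
    """Build a constructed test message; the attachment bytes are inert."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.org", subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"inert sample bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()

if __name__ == "__main__":
    spoof = build_sample("Microsoft Security <support@example.net>",
                         "Security patch", "Install the attached update.",
                         "update.exe")
    print("quarantine:", should_quarantine(spoof))
```

The check deliberately ignores how authentic the message looks and whether its links are genuine, since both are true of this worm's e-mails.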
Users are urged to update their virus signature files for F-Prot Antivirus.
W32/Swen.A@mm is detected by virus signature files dated 18 September or later.
After updating the virus signature files, users should scan their whole system
with the F-Prot Antivirus OnDemand scanner to ensure that their computer security
was not compromised before the virus signature files were updated.
As well as spreading via e-mail, the worm also attempts to spread via KaZaA
and IRC file-sharing networks. On infecting a computer, the worm attempts to
terminate any known antivirus and firewall software that it finds running.
Please note that if the patch discussed in
Microsoft Security Bulletin MS01-027
(Q295106, Q299618) has not been applied, then the attachment will be executed
automatically as soon as the e-mail is opened. The patch prevents this
automatic execution of the attachment but will not prevent infection if
the attachment is opened manually.
For more information on W32/Swen.A@mm please see the
The latest versions of F-Prot Antivirus
detect W32/Swen.A@mm using virus signature files dated 18 September or later.