FRISK Software International


Summary of W32/Swen.A@mm
Length: Around 105KB
Discovered: 18 Sep 2003
Definition files: 18 Sep 2003
Risk Level: Low
Distribution: Low
Infection Method: Mass mailing, P2P, IRC and over local networks
Payload: Terminates security and antivirus processes in memory and prevents the user from starting them again.
 

Brief Description
W32/Swen.A@mm is a mass mailing worm written in Visual C++. It is around 105KB in size and also uses Kazaa and IRC to spread. It pretends to be a patch from Microsoft that patches the system for newly discovered vulnerabilities.


Technical Description
When W32/Swen.A@mm is activated it goes through the following list of applications and tries to terminate them. Some of those applications are security and antivirus applications.

    zonealarm, zapro, wfindv32, webtrap, vsstat, vshwin32, vsecomr, vscan, vettray, vet98, vet95, vet32, vcontrol, vcleaner, tds2, tca, sweep, sphinx, serv95, safeweb, rescue, regedit, rav, pview, pop3trap, persfw, pcfwallicon, pccwin98, pccmain, pcciomon, pavw, pavsched, pavcl, padmin, outpost, nvc95, nupgrade, nupdate, normist, nmain, nisum, navw, navsched, navnt, navlu32, navapw32, nai_vs_stat, msconfig, mpftray, moolive, luall, lookout, lockdown2000, kpfw32, jedi, iomon98, iface, icsupp, icssuppnt, icmoon, icmon, icloant, icload95, ibmavsp, ibmasn, iamserv, iamapp, gibe, f-stopw, frw, fp-win, f-prot95, fprot95, f-prot, fprot, findviru, f-agnt95, espwatch, esafe, efinet32, ecengine, dv95, claw95, cfinet, cfind, cfiaudit, cfiadmin, ccshtdwn, ccapp, bootwarn, blackice, blackd, avwupd32, avwin95, avsched32, avp, avnt, avkserv, avgw, avgctrl, avgcc32, ave32, avconsol, autodown, apvxdwin, aplica32, anti-trojan, ackwin32, _avp.


It also prevents these applications from being executed while it is in memory: when the user tries to start one of them, a dialog box with a fake error message is displayed. It then checks whether any debugger is running on the machine; if so, it displays a dialog box containing the text "Try to pull my legs?" and terminates its own process.

It copies itself to the Windows directory under a random name and modifies the registry so that it is executed whenever a program is run and on every reboot. The modified values are listed below.

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "[random name]"="[worm random name] autorun"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
    @="[worm random name] \"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command]
    @="[worm random name] \"%1\" /S"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\config\command]
    @="[worm random name] \"%1\""

    [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
    @="[worm random name] \"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
    @="[worm random name] \"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command]
    @="[worm random name] \"%1\" %*"

It then drops a file called administrator.bat into the Windows directory. This file consists of the following lines:

    @ECHO OFF
    IF NOT "%1"=="" [worm random name] %1

It creates a new key with a random name under the following key:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\[random name]]


This key stores information about the worm, the mail server and the email address. It contains the following values:

    "Install Item"=[random]
    "Unfile"=[random]
    "CacheBox Outfit"="yes"
    "Email Address"="The email address of the infected user"
    "Server"="The mail servers ip address"
    "Installed"="... by Begbie"
    "Counter Visited"="yes"


It blocks registry modifications by preventing the user from running regedit and from importing .reg files; see the key below:

    [HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command]
    @="[worm random name] showerror"


The following value is also set so that registry tools are disabled; this ensures that the user cannot change the registry keys back.

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegistryTools"=dword:00000001
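The registry changes above (rewritten shell\open\command defaults, the Run entry ending in "autorun" and the DisableRegistryTools policy) are easy to audit from a registry export. The script below is an added example and is not part of FRISK's write-up: it parses REGEDIT4-style text, flags each sign of the hijack, and builds the restoring .reg text from the clean defaults that the removal instructions on this page use. The export it runs on is constructed, and "qxz" stands in for the worm's random file name.

```python
"""Added example, not from FRISK's write-up: audit a REGEDIT4-style registry
export for the file-association hijack, the registry-tool lockout and the
Run entry described above, and build the restoring .reg text. The export
below is constructed; 'qxz' stands in for the worm's random file name."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Clean default values of the command keys the worm rewrites, as restored by
# the removal .reg file in this write-up.
EXPECTED_DEFAULTS = {
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command": r'"%1" %*',
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command": r'"%1" %*',
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command": r'"%1" %*',
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command": r'"%1" %*',
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command": r'"%1" /S',
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\config\command": r'"%1"',
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command": r'regedit.exe "%1"',
}

# Constructed export of an infected machine (not real data).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"qxz"="C:\\WINDOWS\\qxz.exe autorun"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="qxz.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command]
@="qxz.exe showerror"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    """Strip the surrounding quotes of a .reg string and undo its escaping."""
    return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def _quote(s):
    """Escape a string for a .reg file (backslash and double quote)."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def parse_reg(text):
    """Return {key: {value_name: data}}; the default value is stored under '@'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith(("REGEDIT", "WINDOWS REGISTRY EDITOR")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name, data = m.group(1), m.group(2).strip()
        if name != "@":
            name = _unquote(name)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unquote(data)
        keys[current][name] = data
    return keys


def audit(reg):
    """Return (key, value name, observed data) for every sign of the hijack."""
    findings = []
    lowered = {k.lower(): v for k, v in reg.items()}  # registry keys are case-insensitive
    for key, expected in EXPECTED_DEFAULTS.items():
        observed = lowered.get(key.lower(), {}).get("@")
        if observed is not None and observed.strip().lower() != expected.lower():
            findings.append((key, "@", observed))
    for name, data in lowered.get(RUN_KEY.lower(), {}).items():
        if data.lower().endswith(" autorun"):  # the worm's own Run entry ends in "autorun"
            findings.append((RUN_KEY, name, data))
    policy = lowered.get(POLICY_KEY.lower(), {})
    if policy.get("DisableRegistryTools", "").lower() == "dword:00000001":
        findings.append((POLICY_KEY, "DisableRegistryTools", policy["DisableRegistryTools"]))
    return findings


def restore_reg():
    """Build REGEDIT4 text that puts every audited key back to its clean value."""
    lines = ["REGEDIT4", "", f"[{POLICY_KEY}]", '"DisableRegistryTools"=dword:00000000', ""]
    for key, data in EXPECTED_DEFAULTS.items():
        lines += [f"[{key}]", "@=" + _quote(data), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for key, name, data in audit(parse_reg(SAMPLE_EXPORT)):
        print(f"{key}\n    {name} = {data}")
    print(restore_reg())
```

On the constructed export the audit reports four findings (the exefile and regfile defaults, the Run entry and the policy value); the comfile default is untouched and is not reported. Importing the output of restore_reg() on a real machine still requires regedit to run, which is why the removal instructions below import it from DOS or safe mode before the worm is in memory.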

Spreading with Kazaa.

If Kazaa is installed, the worm copies itself to the Kazaa download directory and enables sharing if it is disabled. It assembles the file name from the following lists:

    Kazaa Lite, KaZaA media desktop, KaZaA, WinRar, WinZip, Winamp, Mirc, Download Accelerator, GetRight FTP, Windows Media Player
    [key generator, hack, hacked, warez, upload, installer]

    Bugbear, Yaha, Gibe, Sircam, Sobig, Klez
    [remover, removal tool, cleaner, fixtool]

    AOL hacker, Yahoo hacker, Hotmail hacker, 10.000 Serials, Jenna Jameson, HardPorn, Sex, XboX Emulator, Emulator PS2, XP update, XXX Video, Sick Joke, XXX Pictures, My naked sister, Hallucinogenic Screensaver, Cooking with Cannabis, Magic Mushrooms Growing, Virus Generator.


Spreading with IRC.

It overwrites script.ini with its own script. If someone joins a channel where the infected user is present, the script tries to DCC-send that person a copy of the worm.


Infecting over local networks.

It checks every drive on the machine and, if it finds a remote drive, calls the network infection routine. This routine scans for one of the following directories on the remote machine:

    Win98
    Win95
    WinMe
    Windows

If it finds a Windows directory it tries to place a copy of itself in the Startup directory to ensure that the worm is executed on startup on the remote machine.


Spreading via email.

It pretends to be a patch from Microsoft that patches the system for newly discovered vulnerabilities. It gathers email addresses by scanning .eml, .wab, .dbx, .mbx and .asp files. The author has clearly tried to make the email as convincing as possible.
It also sends out a fake email message falsely reporting that a message could not be delivered. If the user has not installed the IFrame exploit patch from Microsoft, the attachment will run. Such an email message can look like the one below.


From: Email Storage Service
To: Internet User
Subject: Mail: Returned To Sender.

Hi,

I'm sorry to have to inform you that the message returned below could not be delivered to the following addresses.


Undelivered to [random name]@[chosen from a list that is kept in the virus body]


This is the list that the domain part of the email is generated from:

    Puremail, America, Netmail, Freemail, Yahoo, Aol, Bigfoot, Rocketmail, Microsoft, Freemail, Netmail.

    .com or .net

The From field is created from these strings:

    Admin, Administrator, Postmaster, Microsoft.
    Email, Message, Mail,
    Storage, Delivery, Service, System.

The To field is assembled from the following strings:

    Email, Mail, Inet, Net, Internet, Network.
    Client Receiver, User.

The subject is crafted from these strings:

    Returned, Undeliverable, Undelivered.
    Mail, Message.
    Returned To
    Sender, Mailer, User.
    User unknown.
    Bug, Error, Abort, Failure,
    Letter, Advice, Message, Announcement, Report, Notice.

And the body is crafted from the strings below:

    Hi.
    This is the qmail program
    Message from
    I'm sorry
    I'm sorry to have to inform you that
    I'm afraid
    the message returned below could not be delivered
    Message follows:
    I wasn't able to deliver your message
    to the following addresses:
    to one or more destinations.
    Undelivered
    Undeliverable
    Message
    Mail


Removal Instructions

1. Open Notepad: click START\RUN and type notepad.exe
2. Copy the lines below and paste them into Notepad. To copy, highlight the text below, right-click on it and choose Copy.

    REGEDIT4

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegistryTools"=dword:00000000

    [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
    @="\"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command]
    @="\"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
    @="\"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command]
    @="\"%1\" /S"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\config\command]
    @="\"%1\""

    [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
    @="\"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command]
    @="regedit.exe \"%1\""



3. Now go to Notepad and choose Edit->Paste
4. Choose File->Save as
5. Change the "Save as type" field so that it displays "All Files (*.*)"
6. Change the "Save in" field so that it displays your system hard drive; usually this is drive C:
7. Type swenfix.reg in the "File Name" field and click Save
8. Now you will have to boot into DOS.

Scanning in DOS / CMD mode

Please note that the DOS scanner is included in F-Prot Antivirus for Windows.

For Windows 95/98/ME:

To boot into DOS press START \ SHUT DOWN \ RESTART IN MS-DOS MODE.
Windows ME users need to use a Windows startup disk.

In DOS mode at the command prompt type:

cd \             [ENTER]
regedit swenfix.reg      [ENTER]
cd progra~1       [ENTER]
cd fsi             [ENTER]
cd f-prot       [ENTER]
f-prot.exe       [ENTER]

We are assuming here that F-Prot™ Antivirus was installed in the default location. Set the scanner to "Automatic disinfection".

For Windows 2000/XP:

Click on START \ SHUT DOWN \ RESTART. As the computer is booting up press the F8 key and from the menu select:

"Safe mode with Command prompt"

At the command prompt type:

cd \             [ENTER]
regedit swenfix.reg      [ENTER]
cd "program files"       [ENTER]
cd fsi             [ENTER]
cd f-prot       [ENTER]
fpcmd c: /disinf /auto /list       [ENTER]

(Please note that the scanning must be done for each drive individually.)

When the scanning is done and the system is clean, then restart the computer.

For Windows NT 4.0:

Restart the computer in SVGA mode (Safe Mode)

1. Click "Start" / "Run" / type "cmd"       [ENTER]
2. Command prompt window appears.
3. Press "Ctrl-Alt-Del" once and click on "Processes".
4. In "Processes" find "Explorer.exe" and select "End process".
The Desktop will disappear and only the background/wallpaper
and the command prompt window will be visible.
5. In the command prompt window type the following:

cd \             [ENTER]
regedit swenfix.reg      [ENTER]
cd "program files"       [ENTER]
cd fsi             [ENTER]
cd f-prot       [ENTER]
fpcmd c: /disinf /auto /list       [ENTER]

(Please note that the scanning must be done for each drive individually.)

When the scanning is done and the system is clean, then restart the computer.


 

