Swen
Swen
Type Multi-vector worm
Creator
Date Discovered 2003.09.14
Place of Origin Slovakia?
Source Language C++
Platform MS Windows
File Type(s) .exe, .rar, .zip
Infection Length
Reported Costs $10.4 billion

'''Swen''' is a complex worm that poses as a Microsoft Security update. Like Nimda it was most visible as a mass-mailer, it could also spread over network shares, and file sharing. It also has retroviral capabilities, as it tries to shut off services that might possibly be antivirus programs and firewalls.

Behavior

Swen can arrive through an email, Internet Relay Chat, Kazaa filesharing, mapped drives and newsgroups.

Email Transmission

Swen's email is made to look like a Microsoft Windows security update. There are two possibilities for a type of subject line and each word of the subject line is generated from a few different possible strings:

SwenMail.gif

Subject Line 1

  • Word 1: Current, Newest, Last, New, Latest, <none>
  • Word 2: Net, Network, Microsoft, Internet, <none>
  • Word 3: Critical, Security, <none>
  • Word 4: Patch, Update, Pack, Upgrade

Subject Line 2

  • Word 1: RE:, FWD:, FW:, <none>
  • Word 2: Check, Checkout, Prove, Taste, Try, TryOn, LookAt, TakeALookAt, See, Watch, Use, Apply, Install, <none>
  • Word 3: this, that, the, these, <none>
  • Word 4: important, internet, critical, security, corrective, correction, <none>
  • Word 5: pack, package, patch, update

The subject line may end here. If it does not, the worm may choose two or more words for the subject line, whose possibilities include:

  • Word 6: for, <none>
  • Word 7: Windows, Internet, Explorer, <none if Word 6 does not appear>

The subject line may also end here, or the worm may choose six more words to add to the subject line, which may include:

  • Word 8: which, that, <none>
  • Word 9: came, comes, <none if Word 8 does not appear>
  • Word 10: from
  • Word 11: the, <none>
  • Word 12: MS, Microsoft, M$
  • Word 13: Corporation, Corp., <none>

The attachment name is also randomly generated from a list of possible names followed by a random string of numbers and an exe, zip or rar extension: Patch, Upgrade, Update, Installer, Install, Pack or Q. It will be 106,496 bytes long.

Swen may come from the Kazaa file-sharing network as a .zip or .rar archive with one of the following names:

  • 10.000 Serials
  • AOL hacker
  • Bugbear
  • cleaner
  • Cooking with Cannabis
  • Download Accelerator
  • Emulator PS2
  • fixtool
  • GetRight FTP
  • Gibe
  • hack
  • hacked
  • Hallucinogenic Screensaver
  • HardPorn
  • Hotmail hacker
  • installer
  • Jenna Jameson
  • KaZaA
  • Kazaa Lite
  • KaZaA media desktop
  • key generator
  • Klez
  • Virus Generator
  • Magic Mushrooms Growing
  • Mirc
  • My naked sister
  • removal tool
  • remover
  • Sex
  • Sick Joke
  • Sircam
  • Sobig
  • upload
  • warez
  • Winamp
  • Windows Media Player
  • WinZip
  • WinRar
  • XboX Emulator
  • XP update
  • XXX Pictures
  • XXX Video
  • Yaha
  • Yahoo hacker

Other Methods

If the user joins the same IRC channel as an infected computer, it may receive a copy. It may also come from a newsgroup post, which will have the same characteristics as the email. A computer on the same local network as an infected computer will be infected with the worm, as it copies itself to any startup folders it finds.

Infection

SwenMessage1B.gif

When executed, Swen checks to see if it has previously infected the computer. If so, the worm will display a message saying that the update does not need to be installed. If the worm has not previously infested the computer, it will display a dialog box which appears to give the user the option of continuing the installation. If the user chooses "No", the installation of the worm silently continues anyway. It copies itself into the into the Windows directory as a randomly generated name.

Swen then adds a random value to the local machine registry key which starts the worm when the computer starts up. The value "DisableRegistryTools = 1" is added to the current user system policies key to prevent the user from running Regedit. It also adds itself as a value to six different registry keys, which will cause the worm to run every time one of the six different file types are executed. The file types are:

SwenMessage2.gif
  • bat
  • com
  • exe
  • pif
  • reg
  • scr

It then creates its own registry subkey under the local machine Explorer key, which will be a string of random letters. It will add several values to this key, including:

  • CacheBox Outfit = yes
  • ZipNam = <random>
  • Email Address = <user's email address>
  • Server = <IP address of SMTP server retrieved from registry>
  • Mirc Install Folder = <location of mirc client on system>
  • Installed = …by Begbie
  • Install Item = <random>
  • Unfile = <random>
  • <random letters>

The worm attempts to kill processes that may be security programs with the names:

  • _avp
  • Azonealarm
  • avwupd32
  • avwin95
  • avsched32
  • avp
  • avnt
  • avkserv
  • avgw
  • avgctrl
  • avgcc32
  • ave32
  • avconsol
  • autodown
  • apvxdwin
  • aplica32
  • anti-trojan
  • ackwin32
  • bootwarn
  • blackice
  • blackd
  • claw95
  • cfinet
  • cfind
  • cfiaudit
  • cfiadmin
  • ccshtdwn
  • ccapp
  • dv95
  • espwatch
  • esafe
  • efinet32
  • ecengine
  • f-stopw
  • frw
  • fp-win
  • f-prot95
  • fprot95
  • f-prot
  • fprot
  • findviru
  • f-agnt95
  • gibe
  • iomon98
  • iface
  • icsupp
  • icssuppnt
  • icmoon
  • icmon
  • icloadnt
  • icload95
  • ibmavsp
  • ibmasn
  • iamserv
  • iamapp
  • jedi
  • kpfw32
  • luall
  • lookout
  • lockdown2000
  • msconfig
  • mpftray
  • moolive
  • nvc95
  • nupgrade
  • nupdate
  • normist
  • nmain
  • nisum
  • navw
  • navsched
  • navnt
  • navlu32
  • navapw32
  • nai_vs_stat
  • outpost
  • pview
  • pop3trap
  • persfw
  • pcfwallicon
  • pccwin98
  • pccmain
  • pcciomon
  • pavw
  • pavsched
  • pavcl
  • padmin
  • rescue
  • regedit
  • rav
  • sweep
  • sphinx
  • serv95
  • safeweb
  • tds2
  • tca
  • vsstat
  • vshwin32
  • vsecomr
  • vscan
  • vettray
  • vet98
  • vet95
  • vet32
  • vcontrol
  • vcleaner
  • wfindv32
  • webtrap
  • zapro
SwenError.gif

It will intercept these processes and display an error message if the process attempts to restart.

Swen will send an HTTP request to a predefined HTTP server in order to retrieve counter information when and may show how many times the worm has run and therefore how many computers it has infected.

The worm begins to find new computers to infect. It tries to use Winzip (its first choice) and WinRAR to compress itself before sending itself. It searches for email addresses in the following types of files:

  • asp
  • dbx
  • eml
  • html
  • mbx
  • wab

It then stores the email addresses in the file Germs0.dbv, which it creates in the Windows directory. It creates Swen1.dat in the same directory, where it stores a list of news and mail servers. Then it drops a .bat file with a name the same as that of the computer, which executes the worm and a configuration file to store local machine data. The worm has its own SMTP engine to mail itself.

Swenmapi.png

Periodically Swen presents the user with a fake MAPI32 Exception error which prompts the user to enter details of his/her email account including the address, username, password, POP3 server, SMTP server. The worm the logs onto the POP3 server using the information provided to the fake MAPI32 exception error and deletes emails sent by another copy of the worm to prevent sending itself to the same email addresses too many times.

Spreading through KaZaA, Swen drops a zip or rar copy of itself, as one of the names in the "Kazaa Transmission" section, into a randomly named folder in the Temp folder of the computer. It adds the value "Dir99 = 012345:<random folder name>" to the Kazaa share folders registry key, which turns this folder into a shared Kazaa folder.

Swen searches the registry looking for newsgroup server addresses and attempts to contact that server. If there is no newsgroup server configured on the system, the worm will select one from its own list. Swen downloads the available groups and posts messages to randomly selected groups.

Swen searches for a Mirc folder then creates the file Script.ini in that folder. The worm uses this folder to send exe, rar or zip copies of itself to other mIRC users who are connected to the same channel.

Variants

Swen itself may be a variant of Gibe, a worm that also poses as a Microsoft security alert.

Effects

Swen became the top worm of 2003 November, according to Messagelabs, which blocked around 567,000 emails carrying the worm. It is reported to have caused $10.4 billion in damage.

Name

Swen is news spelled backwards. There is no indication if this was the intent of the creator when naming the worm. It was likely named by the antivirus companies for the Swen1.dat file that it drops.

Antivirus Aliases

  • ClamAV: Worm.Gibe.F
  • Kaspersky: Email-Worm.Win32.Swen
  • McAfee: W32/Swen@MM
  • MessageLabs: W32/Gibe.E-mm
  • Sophos: W32/Gibe-F
  • Symantec: W32.Swen.A@mm
  • Trend Micro: WORM_SWEN.A

Sources

John Canavan. Symantec.com, "W32.Swen.A@MM".

John Leyden. The Register, "Nasty worm poses as MS security update". 2003.09.19

-. -, Swen fends off Mimail to top viral charts. 2003.11.28

Richard A. Elnicki. University of Florida, Virus, Worm & Spam Costs 1: An Episode at the University of Florida.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License