What is the Swen.A worm?
The Swen.A worm is a mass-mailing worm that uses its own mailing engine to spread itself. It can spread through email, newsgroups, file-sharing networks such as Kazaa, IRC, and shared network drives.
It poses as a legitimate "security" email from Microsoft telling the user to download and install a "September 2003, Cumulative Patch" update to protect the computer. There is no official "September 2003, Cumulative Patch", and Microsoft never distributes patches by email.
The worm also attempts to terminate most antivirus and personal firewall programs running on the computer, leaving the system exposed to other viruses spreading on the Internet.
The worm can arrive as an email attachment. The subject, body, and From: address of the email vary. Some examples claim to be patches for Microsoft Internet Explorer, or delivery failure notices from qmail. The email will look similar to the following picture:

The Swen worm sends a copy of itself to the addresses found on the infected computer (it harvests email addresses from .html, .asp, .eml, .dbx, .wab and .mbx files on the hard drive). The From address, subject, and attachment name can vary. The worm may use the incorrect MIME header vulnerability described in Microsoft Security Bulletin MS01-020 so that, in an unpatched mail client, the attachment executes automatically when the mail is viewed.
Every attachment has one of the following filenames with a random number appended to it. The file is either an .exe file or a .zip file.
- Patch
- Upgrade
- Update
- Installer
- Install
- Pack
- Q
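The following Python script is an added example, not code from the original page or from any vendor: it applies the characteristics described above (the attachment-name pattern, the MS01-020 MIME-type trick, and the forged Microsoft sender and patch-subject lure) to a raw message, which is also the kind of check the filtering tip at the end of this page asks for. The two messages at the bottom are constructed for the example; the executable payload is a four-byte MZ stub, and the set of auto-launch content types is an assumption based on the bulletin rather than a list taken from the page.

```python
"""Flag mail that shows the Swen.A characteristics described above.

Added example, not code from the original page. It inspects a raw
RFC 822 message for:
  1. an attachment named Patch/Upgrade/Update/Installer/Install/Pack/Q
     followed by digits, with an .exe or .zip extension;
  2. the MS01-020 trick: an executable attachment whose MIME part is
     declared with a type (e.g. audio/x-wav) that an unpatched client
     opens automatically;
  3. a lure: an executable attachment combined with a "Microsoft" sender
     or a security-patch subject (Microsoft does not mail patches).
"""
import email
import re
from email import policy

ATTACHMENT_NAME = re.compile(
    r"^(patch|upgrade|update|installer|install|pack|q)\d+\.(exe|zip)$", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".bat", ".com")
# Assumed set of content types an MS01-020-vulnerable client auto-launches.
AUTORUN_TYPES = {"audio/x-wav", "audio/wav", "audio/x-midi", "video/x-msvideo"}
LURE_SUBJECT = re.compile(r"cumulative patch|security (update|patch)", re.I)


def swen_indicators(raw: bytes) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs; an empty list means nothing matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    has_executable = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip()
        ctype = part.get_content_type()
        if ATTACHMENT_NAME.match(name):
            findings.append(("attachment-name", name))
        if name.lower().endswith(EXEC_EXT):
            has_executable = True
            if ctype in AUTORUN_TYPES:
                findings.append(("mime-mismatch", f"{name} declared as {ctype}"))
    sender = str(msg.get("From", "")).lower()
    subject = str(msg.get("Subject", ""))
    if has_executable and "microsoft" in sender:
        findings.append(("forged-microsoft-sender", sender))
    if has_executable and LURE_SUBJECT.search(subject):
        findings.append(("patch-lure-subject", subject))
    return findings


def should_reject(raw: bytes) -> bool:
    """Policy for a mail filter: drop anything with at least one indicator."""
    return bool(swen_indicators(raw))


# Constructed sample: the worm's "security update" lure with an executable
# hidden behind an audio/x-wav content type. The body is a 4-byte MZ stub,
# not a real binary.
SAMPLE_SWEN = b"""From: "Microsoft Network Security Center" <security@microsoft.com>
To: user@example.com
Subject: Newest Internet Security Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BND"

--BND
Content-Type: text/html; charset="us-ascii"

<html><body>Install the September 2003, Cumulative Patch now.</body></html>
--BND
Content-Type: audio/x-wav; name="Patch3817.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Patch3817.exe"

TVqQAA==
--BND--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = b"""From: Alice <alice@example.org>
To: user@example.com
Subject: Q3 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BND"

--BND
Content-Type: text/plain; charset="us-ascii"

Report attached.
--BND
Content-Type: application/pdf; name="report.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.pdf"

JVBERi0=
--BND--
"""

if __name__ == "__main__":
    for label, raw in (("swen", SAMPLE_SWEN), ("benign", SAMPLE_BENIGN)):
        verdict = "reject" if should_reject(raw) else "accept"
        print(label, verdict, swen_indicators(raw))
```

The MIME check is the one worth keeping even after the attachment names change: a part that carries an executable file name but is declared as audio or video is never legitimate, and flagging on that alone catches variants that pick different names.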
It also occasionally produces a fake MAPI32 error message that asks for the user's email username, password, and POP3 and SMTP server details. The worm then uses these credentials to log into the user's mailbox and delete any emails sent by the Swen.A worm.
The MAPI32 error message is shown below:

How to Remove the Swen.A Worm?
Kaspersky Internet Security can protect you from viruses and intrusions.
If Kaspersky detects Swen.A during the scan, it automatically offers to delete it. Follow the program's instructions to do so.
Follow these steps
in removing the Swen.A worm.
1. Disabling System Restore (Windows Me/XP)
For instructions on how to turn off System Restore, read your Windows documentation or the article "How to disable or enable Windows Me/XP System Restore".
2. Updating the Virus Definitions
Update the virus definitions of your antivirus software before scanning. If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.
3. Identifying the Virus Program
- Scan your system with your Kaspersky antivirus products.
- NOTE all files detected as Swen.A.
4. Terminating the Running Program
- Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
- In the list of running programs, locate the malware file or files detected earlier.
- Select one of the detected files, then press
either the End Task or the End Process button,
depending on the version of Windows on your
system.
- Do the same for all detected malware files
in the list of running processes.
- To check if the malware process has been
terminated, close Task Manager, and then open
it again.
- Close Task Manager.
5. Modifying the Association for Registry
Entries (.REG)
On the desktop, double-click My Computer and
do the following:
For Windows 95/98/ME
- Choose View>Folder Options in
the drop-down menu. Then, select the File
Types tab.
- Under Registered file types list box, select
Registration Entries and click the Edit
button.
- Select Merge, then click the Edit button.
- In the Application used to perform action
field, type the following:
REGEDIT.EXE "%1"
- Click Ok>Close>Close
For Windows NT/2000/XP
- Choose Tools>Folder Options in
the drop-down menu. Then, select the File
Types tab.
- Under Registered file types list box, select
Registration Entries and click the Change
button.
- An Open With window will appear. Choose
Registry Editor from the list and click Ok.
(Note: If Registry Editor is not in the list,
click the Other button and manually look for
REGEDIT.EXE which can be usually found under
C:\Windows or C:\Winnt folders, select it and
click Open>Ok)
- Click>Apply>Ok.
6. Enabling Registry Editing and Addressing
Registry Shell Spawning
- Type the following lines into a text file and save it as RESTORE.REG:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
[HKEY_CLASSES_ROOT\scrfile\shell\config\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"
- Double-click RESTORE.REG, and click the Yes
button on the confirmation window.
7. Removing Autostart Entries from the
Registry
Removing autostart entries from registry
prevents the malware from executing during
startup. In this procedure, you will need the
name(s) of the file(s) detected earlier.
- Open Registry Editor. To do this, click
Start>Run, type REGEDIT, then press Enter.
- In the left panel, double-click the
following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>
CurrentVersion>Run
- In the right panel, locate and delete the
entry or entries whose data value (the
rightmost column) is the malware file(s)
detected earlier.
- In the left panel, double-click the
following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>
CurrentVersion>Run
- In the right panel, locate and delete the
entry or entries whose data value (the
rightmost column) is the malware file(s)
detected earlier.
8. Removing Other Malware Entries
- Still in Registry Editor, select
Edit>Find in the drop-down menu or press
CTRL+F
- In the Find what field, type Install Item
and select all boxes in the Look At section.
Then Press Find Next
- If found, delete the registry value by
right-clicking on it and selecting Delete.
- Repeat steps 1-3 for the following registry
values and/or data:
Unfile
CacheBox Outfit
ZipName
Mirc Install Folder
... by Begbie
Kazaa Infect
- Close Registry Editor.
NOTE: If you were not able to terminate
the malware process from memory as described in
the previous procedure, restart your system.
9. Deleting Other Dropped Files
Please locate and manually delete the
following dropped files in the Windows directory:
- <computer name>.bat
- germs0.dbv
- germs1.dbv
- swen1.dat
10. Run a full system scan and delete all the
files detected as Swen.A.
- Start your Kaspersky Internet Security and make sure that it is
configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with
Swen.A,
click Delete.
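For a practitioner who would rather script steps 4 to 9 than click through them, the Python program below is an added example and not code from the page or from Kaspersky. It assumes a current Windows with Python's standard winreg module, an elevated prompt, and the file names the antivirus scan reported in step 3 passed on the command line; the script name swen_clean.py and the helper names are mine. The matching logic lives in plain functions that run on any platform; only clean_windows_host touches the registry, processes and files.

```python
"""Scripted form of removal steps 4 to 9 above, for a Windows host.

Added example, not code from the original page. Given the file names the
antivirus scan reported (step 3) it: terminates those processes (step 4),
restores the registry-tools policy and shell "open" commands with the same
values as RESTORE.REG (step 6), deletes Run entries that launch a detected
file (step 7), deletes registry values whose name or data carries a step 8
marker, and removes the dropped files (step 9).
"""
import ntpath
import os
import subprocess
import sys

SWEN_MARKERS = ("Install Item", "Unfile", "CacheBox Outfit", "ZipName",
                "Mirc Install Folder", "... by Begbie", "Kazaa Infect")
DROPPED_FILES = ("germs0.dbv", "germs1.dbv", "swen1.dat")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
# Same defaults as RESTORE.REG, keyed by path under HKEY_CLASSES_ROOT.
SHELL_COMMANDS = {
    r"batfile\shell\open\command": '"%1" %*',
    r"comfile\shell\open\command": '"%1" %*',
    r"exefile\shell\open\command": '"%1" %*',
    r"piffile\shell\open\command": '"%1" %*',
    r"regfile\shell\open\command": 'regedit.exe "%1"',
    r"scrfile\shell\config\command": '"%1" %*',
    r"scrfile\shell\open\command": '"%1" /S',
}


def command_target(cmd: str) -> str:
    """Executable named by a Run-entry command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0] if cmd else ""


def run_entries_to_delete(values, detected):
    """Step 7: names of Run values whose target is one of the detected files."""
    wanted = {ntpath.basename(d).lower() for d in detected}
    return [name for name, data in values
            if isinstance(data, str)
            and ntpath.basename(command_target(data)).lower() in wanted]


def is_swen_marker(name, data) -> bool:
    """Step 8: value name or string data containing one of the worm's markers."""
    text = f"{name or ''}\0{data if isinstance(data, str) else ''}".lower()
    return any(m.lower() in text for m in SWEN_MARKERS)


def dropped_file_names(computer_name: str):
    """Step 9: the files the worm leaves in the Windows directory."""
    return DROPPED_FILES + (f"{computer_name}.bat",)


def _values(winreg, key):
    return [winreg.EnumValue(key, i)[:2] for i in range(winreg.QueryInfoKey(key)[1])]


def delete_marker_values(winreg, hive, path) -> int:
    """Recurse under hive\\path and delete values matched by is_swen_marker."""
    try:
        with winreg.OpenKey(hive, path) as key:
            hits = [n for n, d in _values(winreg, key) if is_swen_marker(n, d)]
            subkeys = [winreg.EnumKey(key, i)
                       for i in range(winreg.QueryInfoKey(key)[0])]
    except OSError:          # access denied or key vanished: skip this subtree
        return 0
    removed = 0
    if hits:
        with winreg.OpenKey(hive, path, 0, winreg.KEY_SET_VALUE) as key:
            for n in hits:
                winreg.DeleteValue(key, n)
                print("deleted value", path, repr(n))
                removed += 1
    for sub in subkeys:
        removed += delete_marker_values(winreg, hive, f"{path}\\{sub}")
    return removed


def clean_windows_host(detected):
    import winreg  # Windows only; imported here so the helpers load elsewhere
    for name in detected:                                            # step 4
        subprocess.run(["taskkill", "/F", "/IM", ntpath.basename(name)],
                       capture_output=True, check=False)
    with winreg.CreateKey(winreg.HKEY_CURRENT_USER, POLICY_KEY) as key:  # step 6
        winreg.SetValueEx(key, "DisableRegistryTools", 0, winreg.REG_DWORD, 0)
    for sub, cmd in SHELL_COMMANDS.items():
        with winreg.CreateKey(winreg.HKEY_CLASSES_ROOT, sub) as key:
            winreg.SetValueEx(key, "", 0, winreg.REG_SZ, cmd)
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        with winreg.OpenKey(hive, RUN_KEY, 0,
                            winreg.KEY_READ | winreg.KEY_SET_VALUE) as key:  # step 7
            for name in run_entries_to_delete(_values(winreg, key), detected):
                winreg.DeleteValue(key, name)
        delete_marker_values(winreg, hive, "Software")               # step 8
    windir = os.environ.get("SystemRoot", r"C:\Windows")             # step 9
    for fn in dropped_file_names(os.environ.get("COMPUTERNAME", "")):
        path = os.path.join(windir, fn)
        if os.path.isfile(path):
            os.remove(path)


if __name__ == "__main__":
    if sys.platform != "win32" or not sys.argv[1:]:
        sys.exit("usage (Windows, elevated): python swen_clean.py <detected file> ...")
    clean_windows_host(sys.argv[1:])
```

Two caveats before running it on a real host. The step 8 search is a substring match over the whole Software subtree of both hives, so check that none of the marker strings occur legitimately there (the script prints each value it deletes). And restoring the shell commands under HKEY_CLASSES_ROOT overwrites whatever is there, which is exactly what RESTORE.REG does, but it will also undo any deliberate customisation of those associations.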
How to Protect My Computer from Worms?
In order to keep your computer protected, bear
the following tips in mind:
- If you have filtering tools installed,
configure them to reject messages with the
characteristics described above. If, in spite
of doing this, you receive the message that
contains the virus: do not open it, do not run
the attached file and delete it, making sure
that you also delete it from the Deleted
Items folder.
- Install a good antivirus in your computer.
Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic
updates are available, configure your
antivirus to use them.
- Keep your permanent antivirus protection
enabled at all times.