Published September 23rd, 2003 by Jim O'Halloran
Swen Virus on the Loose
Hot on the heels of Sobig.f a few weeks back comes the W32/Swen@MM worm. We saw 53 instances of Swen yesterday, and more today. Swen has been slowly ramping up since late last week (it certainly hasn’t had the “explosive” growth that the last couple of Sobigs achieved), but is now becoming quite prevalent.
W32/Swen@MM is a mass-mailing worm written in MSVC that also spreads through file sharing networks and IRC. It uses its own SMTP engine to mail itself to addresses found in the Microsoft Outlook address book. It will attempt to terminate several security-related processes. It takes advantage of the Microsoft vulnerability MS01-020 to ensure the attachment is automatically launched when opened.
When Swen arrives it claims to be a security patch needing to be installed onto the user’s system. I guess in the wake of the Blaster worm, some people have been woken up to the need to patch their systems, and are now taking patches from everywhere.
One thing to be aware of, though, is that Microsoft has a policy of never emailing out patches. The reason is that it’s a lot harder to fake a website download for a large number of users than it is to forge an email.