Yet another Internet virus pretending to be a patch from Microsoft is spreading quickly on the Internet. Swen (w32.swen@mm, also known as Gibe) uses the subject line to entice Windows users to open the attachment. In some cases, the virus will execute automatically. The virus attempts to kill all antivirus and personal firewall apps running on the infected machine. Swen can also travel using Kazaa, IRC, and shared network paths. Because Swen spreads via email, IRC, P2P, and shared network files and shows signs of spreading rapidly, this virus rates a 6 on the ZDNet Virus Meter.
How it works
One of the ways Swen spreads is to arrive as an email message containing some references to Microsoft or to a new critical patch for Internet Explorer or as a returned email.
To spread via shared network files, Swen leaves copies of itself in the start-up folders found on individual Windows computers connected to the network.
For IRC users, Swen adds a script.ini file to the mIRC program folder. It then spreads to other IRC users.
To infect other P2P users, Swen adds a copy of itself to the shared file directory using a random but intriguing name.
Once the virus is active, it will attempt to shut down working antivirus and personal firewall applications. Swen will appear to download and install a patch directly from Microsoft; in reality, the virus is changing system Registry files on the infected machine. Changes include, for example, the ability to run the virus every time the computer is rebooted.
Windows users who have not installed the Internet Explorer patch MS01-020 for the incorrect MIME header flaw should do so now to prevent automatic infection from Swen. In general, do not open attached files in email without first saving them to the hard disk and scanning them with updated antivirus software. Please note that Microsoft does not email security patches to its users. Contact your antivirus vendor to obtain the latest antivirus signature files that include Swen.
Most antivirus software companies have updated their signature files to include this virus. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, and Trend Micro.