Swen prevention and cure

Swen prevention and cure

Summary: The Swen virus masquerades as a new Microsoft patch - find out how to avoid it, and what to do in the case of infection

TOPICS: Security
Yet another Internet virus pretending to be a patch from Microsoft is spreading quickly on the Internet. Swen (w32.swen@mm, also known as Gibe) uses the subject line to entice Windows users to open the attachment. In some cases, the virus will execute automatically. The virus attempts to kill all antivirus and personal firewall apps running on the infected machine. Swen can also travel using Kazaa, IRC, and shared network paths. Because Swen spreads via email, IRC, P2P, and shared network files and shows signs of spreading rapidly, this virus rates a 6 on the ZDNet Virus Meter.

How it works
One of the ways Swen spreads is to arrive as an email message containing some references to Microsoft or to a new critical patch for Internet Explorer or as a returned email.

To spread via shared network files, Swen leaves copies of itself in the start-up folders found on individual Windows computers connected to the network.

For IRC users, Swen adds a script.ini file to the mIRC program folder. It then spreads to other IRC users.

To infect other P2P users, Swen adds a copy of itself to the shared file directory using a random but intriguing name.

Once the virus is active, it will attempt to shut down working antivirus and personal firewall applications. Swen will appear to download and install a patch directly from Microsoft; in reality, the virus is changing system Registry files on the infected machine. Changes include, for example, the ability to run the virus every time the computer is rebooted.

Windows users who have not installed the Internet Explorer patch MS01-020 for the incorrect MIME header flaw should do so now to prevent automatic infection from Swen. In general, do not open attached files in email without first saving them to the hard disk and scanning them with updated antivirus software. Please note that Microsoft does not email security patches to its users. Contact your antivirus vendor to obtain the latest antivirus signature files that include Swen.

Most antivirus software companies have updated their signature files to include this virus. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, and Trend Micro.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Everything clear except instructions for installing the Internet Patch, especially when I can't reach Windows Update. I fear a leftover worm (although Norton says I'm clean) has cut me off: can't reach my installation history or any of the 17 updates available for XP. ( Also, for some mysterious reason I can no longer send messages from my Yahoo E-Mail Account.)

  • Hi.

    I have reason to believe I'm not infected with the swen virus. But someone who has my email address is, and I'm getting a hundred spam e-mails per hour... I see multiple virus removal tools, but no spam blocker for this worm. Can anyone help me?

    Thank you.

    Lana Boter
  • Hi,

    I never open attachments when i don't know who sent it to me. And I always send the mails to Yahoo to screen for virusses.

    Tonight, after reinstalling Windows 98SE i forgot to fix patcheswith Microsoft.

    And yes.....Swen hit me. I think the responsibility is also for Microsoft. It should be possible to go to shop where i bought their software to get a updated reliable version of windows 98se.

    They produce products with faillures and should be responsible for the damage!

    The Netherlands
  • I got the swen virus on September 18 and immediately used the Norman program to remove it and this did not remove it. I have run other virus scans to no avail also. Today when I tried my Outlook Express there was no problem.
    After I got the swen virus I could not receive incoming mail and messages kept ending up in my deleted box.
    Guess I should not worry if something is working but any ideas?
  • Why is it, when detailing virus prevention and removal, you never mention the excellent (and, in one version, free) AVG AntiVirus from http://www.grisoft.com? No - I don't work for Grisoft - I'm just a very satisfied, and very well-protected, customer of theirs.Incidentally, their site provides a number of handy removal tools, in addition to the progams, and their very prompt updates.
  • As a layman(an old one)I don't understand how Swen can get by the anti-virus in the first place let alone the firewall.A short time ago while running a free version of an anti-virus,I was at McAfee site where they offered to insert a temp virus that would delete itself within minutes and soon as they released it,my free version came on with a actual "bang"and captured it took it to the "Vault for safe storage.Whole thing was over in a heartbeat.All emails and attachments are scanned before they get to email page so why wouldn't that pickup and destroy the virus immediately?.McAfee also has an incredible program called the "Stinger",have you seen it?,watched it in action?.Also have that on desktop.With all the constant threats to our (my)systems today,all the fun and/or enjoyment of Internet is going away,hardly any desire to log on anymore.Can't for the life of me see what these sicko's get out of doing these things to innocent,unsuspecting people at home just trying to get a little enjoyment out of life.Anyway,am running McAfee full Suite 2004,plus ZoneAlarm Pro--do you think I am reasonably safe?.Thank you most kindly.Bruce
  • What do you do if Swen has done such a great job on your computer and you can't access ANY executable files? Including the patch to remove it.
  • My machine had the swen virus. I found that each time I opened Outlook Express, the window was small even though properties specified maximum. Other programs were similarly affected. My antivirus (AVG) would not run; there was a violation with Kernel32.dll. After downloading a fix, all programs start as they should.
  • Hi Lana, I am also recieving lots of spam mail containing this virus but the only way i have found to minimise the amount of a mail that is coming in is to use mail washer thats from www.firetrust.com i have the full working version here and it has blocked a lot of them by adding them to my blacklist and bouncing them back but the mail comes in from different people each time but it has managed to cut it down to about 30 at the moment.
  • Where does Swen get it's email addresses from? Why does Juno allow my mailbox to fill with Swen messages everyday? How can I track down the sender to let them know they are infected?

    I view Juno webmail from a Unix workstation so I doubt that I am infected.

  • I have it also but no matter what I try from all the suggestions it won't go away.
  • Lana I have the same Swen virus and I have tried all the suggestions and not one of them has helped. If I could talk to a tech that would be great but all the help sites do is direct me elsewhere. If you do get clear instructions please e-mail direct.
  • Hi, I have Swen too.
    First of all I recomend to open another mail
    account in www.operamail.com to avoid
    junk mail, spam, virus, trojans, etc. I have
    not received spam since about two weeks.
    I download a "patch" for blaster in the
    official website of Microsoft, I supposed that
    it is another "patch" for blaster. Also I recomend to download the opera browser
    from www.opera.com
    I feel embarassed, but not only because
    I "install" a virus, but because I use Windows
    in my computer, an AMD based that I like
    a lot (the hardware), knowing that linux-based
    open source OS's are so superior in all the
    aspects. I don't think that MAC OS X have so
    many virus, trojans, and worms (if they have
    important ones).
    My last recomendation is to download Stinger of Symantec from: http://securityresponse.symantec.com/avcenter/ venc/data/w32.swen.a@mm.html, run it
    download, install and execute zone alert
    (download.com), reboot the computer, run
    again Stinger and see the "could not be repaired" message and delete it manually.
    This virus kind of regenerates, Sometimes
    Stinger is infected?!
    If you are not happy with Windows, find a
    new "better" version, or get MAC OS X or any
    other linux-based OS.