Jump to content

Swen (computer worm): Difference between revisions

Add links
From Wikipedia, the free encyclopedia
Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
m Bagumba moved page Swen to Swen (computer worm): make way for Swen (name) as WP:PRIMARYTOPIC
No edit summary
Line 42: Line 42:
#[http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&name=WORM_SWEN.A Trend Micro Threat Encyclopedia | WORM_SWEN.A]
#[http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&name=WORM_SWEN.A Trend Micro Threat Encyclopedia | WORM_SWEN.A]
#[http://www.bitdefender.ro/VIRUS-7657-ro--Win32.Swen.A@mm.html BitDefender Virus Information for Swen.A@mm]
#[http://www.bitdefender.ro/VIRUS-7657-ro--Win32.Swen.A@mm.html BitDefender Virus Information for Swen.A@mm]

==External links==
*[https://www.duocircle.com/blog/the-top-three-email-based-threats-and-how-to-avoid-them/ Email Based Threats & How To Avoid Them]


[[Category:Email worms]]
[[Category:Email worms]]

Revision as of 05:37, 12 September 2018

Swen worm
Technical nameWin32/Swen
Alias
  • Win32/Swen.worm.106496 (AhnLab)
  • W32/Swen.A@mm (Authentium Command)
  • I-Worm/Swen.A (AVG)
  • Win32/Swen.A@mm (BitDefender)
  • Win32/Swen.A.Worm (CA)
  • Win32/Swen.A (ESET)
  • Email-Worm.Win32.Swen (Kaspersky)
  • W32/Swen@MM (McAfee)
  • W32/Swen.A@mm (Norman)
  • W32/Gibe.C.worm (Panda)
  • W32/Gibe-F (Sophos)
  • Email-Worm.Win32.Swen (Sunbelt Software)
  • W32.Swen.A@mm (Symantec)
  • WORM_SWEN.A (Trend Micro)
  • I-Worm.Swen.A1 (VirusBuster)
TypeComputer worm
SubtypeMass mailer
Technical details
PlatformWindows 95 to Windows XP
Size106-496 bytes

Swen is a mass mailing computer worm written in C++. It sends an email which contains the installer for the virus, disguised as a Microsoft Windows update, although it also works on P2P filesharing networks, IRC and newsgroups' websites. It was first analyzed on September 18, 2003, however, it might have infected computers before then. It disables firewalls and antivirus programs.

Infection

Self-installation

The virus first sends itself via email with an attachment, posing as an update for Windows. The attachment can have a .com, .scr, .bat, .pif, or .exe file extension. If its file name starts with the letters P, Q, U, or I, It displays a fake Microsoft Update dialogue box, asking if the user wants to install a Microsoft Security Update with the two choices "Yes" and "No". If the user presses "Yes", it displays a fake progress bar while installing the fake update. When finished, it displays another dialogue box saying: Microsoft Internet Update Pack This has been successfully installed. The malware then re-executes itself, followed by yet another dialogue box saying: Microsoft Security Update Pack This update does not need to be installed on this system. If the user chooses "No", the malware will still install itself silently in the background. Next, it checks for certain criteria by opening another dialogue box, prompting the user for their email address, username, password, SMTP server, and their POP3 server. After completing the said fields, the worm then makes a copy of itself in the C:\Windows folder as <random characters>.exe. The virus finally moves all information to the copy and terminates.

Autostart

The worm creates the following registry entry to execute upon startup: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Run\<random value> = "<random filename>.exe autorun"

References

  1. Trend Micro Threat Encyclopedia | WORM_SWEN.A
  2. BitDefender Virus Information for Swen.A@mm
Retrieved from "https://en.wikipedia.org/w/index.php?title=Swen_(computer_worm)&oldid=859167480"