Worm:Win32/Swen.A@mm is a network and mass-mailing worm that targets certain versions of Microsoft Windows. The worm spreads in several ways and terminates security-related processes running on an infected computer. Win32/Swen masquerades as a patch for Microsoft Internet Explorer, and may pretend to download and install software.
Installation
When this worm is run, it may display a series of dialogue boxes similar to the ones shown below, if the first letter of the worm's file name is p, P, q, Q, u, U, i or I.
Win32/Swen.A@mm drops a copy of itself into the Windows folder as a randomly named file (such as 'prfcf.exe'), and then modifies the registry to run this copy at each Windows start.
Adds value: <random character string>
With data: "<randomly named copy of worm> autorun"
In subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The worm further increases its chances of execution by registering itself as the default handler for common file types: files with the extensions .exe, .com, .bat, .scr, .pif and .reg. This is done through the registry modifications shown in the examples below.
Modifies value: (default)
With data: "<randomly named copy of worm> "%1" %*""
In these subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config\command
Modifies value: (default)
With data: "<randomly named copy of worm> showerror"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command
The worm may add an additional registry value and data.
Adds value: "Install Item"
With data: "<random character string>"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\<random value>
Using HTTP, the worm may contact a remote Web server and increment a web hosted counter stored on the domain 'ww2.fce.vutbr.cz'.
Spreads Via…
E-Mail
Win32/Swen.A gathers e-mail addresses from the infected machine by searching files with extensions .eml, .wab, .dbx, .mbx, .asp and .ht. The worm sends an e-mail with a copy of the worm attached, to addresses found.
Win32/Swen.A composes e-mail messages in HTML format, with a malformed MIME header that attempts to exploit a vulnerability in Microsoft Outlook and Outlook Express applications. This vulnerability allows the worm to execute when a user opens or previews the e-mail message. This vulnerability was addressed in 2001, with Microsoft Security Bulletin MS01-020.
Using a pre-defined list of SMTP servers, the worm attempts to connect to one of them. If successful, it shows the following dialogue box and asks users to enter SMTP server logon credentials:
Network Shares
The worm enumerates network shares and copies itself with a randomly generated filename to unprotected shares (shares that require no username or password) in the following locations:
- \Documents and Settings\<user account>\Start Menu\Programs\Startup
- \Windows\Start Menu\Programs\Startup
- \Winnt\Profiles\<user account>\Start menu\Programs\Startup
mIRC Script
Win32/Swen.A searches the common installation paths of the Internet Relay Chat application mIRC and overwrites the configuration script 'script.ini' with instructions that send a copy of the worm to other users who join an IRC channel while the infected user is connected to it.
Peer-to-Peer File Sharing Networks
Win32/Swen.A may drop copies of itself into the common sharing folder for the Peer-to-Peer (P2P) file sharing application Kazaa. The worm may use one of the following filenames:
Virus Generator
Magic Mushrooms Growing
Cooking with Cannabis
Hallucinogenic Screensaver
My naked sister
XXX Pictures
Sick Joke
XXX Video
XP update
Emulator PS2
XboX Emulator
HardPorn
Jenna Jameson
10.000 Serials
Hotmail hacker
Yahoo hacker
AOL hacker
fixtool
cleaner
removal tool
remover
Sobig
Sircam
Bugbear
installer
upload
warez
hacked
key generator
Windows Media Player
GetRight FTP
Download Accelerator
Newsgroups
This worm searches for newsgroup server details possibly stored in the registry. If no information is located, the worm may then select one from a list of predefined newsgroup servers, and attempt to post random messages to newsgroups, along with an encoded copy of the worm.
Payload
Modifies System Settings
Win32/Swen.A may disable the Registry Editor by modifying a value in the registry.
Modifies value: DisableRegistryTools
With data: "1"
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
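The following read-only PowerShell audit is an added example, not part of the original description, and covers both the registry changes listed under Installation and the DisableRegistryTools change above. The "clean" handler patterns it compares against (open commands starting with "%1", regfile starting with regedit.exe) are assumed Windows defaults, not values stated on this page.

```powershell
# Added example (not from the original write-up): a read-only audit of the
# registry locations this description says Win32/Swen.A@mm modifies.
# The expected handler patterns are assumed Windows defaults; adjust them
# for the image you are checking.

$findings = @()

# 1. Run key: the worm's entry is described as "<random name> autorun".
$run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        if ("$($p.Value)" -match '\sautorun\s*$') {
            $findings += "Run\$($p.Name) = $($p.Value)"
        }
    }
}

# 2. File-type handlers: the worm replaces (default) with a path to its own copy.
#    Assumed clean defaults: open commands start with "%1"; regfile starts with regedit.exe.
$handlers = @{
    'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'   = '^"%1"'
    'HKLM:\SOFTWARE\Classes\piffile\shell\open\command'   = '^"%1"'
    'HKLM:\SOFTWARE\Classes\batfile\shell\open\command'   = '^"%1"'
    'HKLM:\SOFTWARE\Classes\scrfile\shell\open\command'   = '^"%1"'
    'HKLM:\SOFTWARE\Classes\scrfile\shell\config\command' = '^"%1"'
    'HKLM:\SOFTWARE\Classes\regfile\shell\open\command'   = '^regedit\.exe'
}
foreach ($key in $handlers.Keys) {
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($null -ne $value -and $value -notmatch $handlers[$key]) {
        $findings += "$key (default) = $value"
    }
}

# 3. Registry Editor lock-out described under "Modifies System Settings".
$pol = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableRegistryTools -eq 1) {
    $findings += 'Policies\System\DisableRegistryTools = 1'
}

if ($findings.Count -eq 0) { 'No Swen-style registry changes found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it from an elevated prompt so the HKLM handler keys are readable; a hit on a handler key should be followed by inspecting the executable the (default) data points to.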
Terminates Processes
Win32/Swen.A may attempt to terminate any of the following processes if found running:
webtrap
vsstat
vshwin32
vsecomr
vscan
vettray
vet98
vet95
vet32
vcontrol
vcleaner
sweep
sphinx
serv95
safeweb
rescue
regedit
pview
pop3trap
persfw
pcfwallicon
pccwin98
pccmain
pcciomon
pavsched
pavcl
padmin
outpost
nvc95
nupgrade
nupdate
normist
nmain
nisum
navsched
navnt
navlu32
navapw32
nai_vs_stat
msconfig
mpftray
moolive
luall
lookout
lockdown2000
kpfw32
iomon98
iface
icsupp
icssuppnt
icmoon
icmon
icloadnt
icload95
ibmavsp
ibmasn
iamserv
iamapp
f-stopw
fp-win
f-prot95
fprot95
f-prot
fprot
findviru
f-agnt95
espwatch
esafe
efinet32
ecengine
claw95
cfinet
cfind
cfiaudit
cfiadmin
ccshtdwn
ccapp
bootwarn
blackice
blackd
avwupd32
avwin95
avsched32
avkserv
avgctrl
avgcc32
ave32
avconsol
autodown
apvxdwin
aplica32
anti-trojan
ackwin32
Analysis by Vitaly Zaytsev