New Swen Worm Poses as MS Patch, Spreads

Despite the recent success of computer worms, such as Blaster, that have pounced on newly discovered vulnerabilities, a new threat that looks remarkably like a legitimate security e-mail from Microsoft is using a two-year-old vulnerability to infect thousands of computers.

Known as “Swen” or “Gibe,” the mass-mailing worm has hit thousands of Windows machines — mostly home or small business users — through e-mail, Internet Relay Chat (IRC) and peer-to-peer (P2P) networks. The worm, which automatically executes an attachment to infect and also attempts to steal e-mail account data, appears to be seizing on heightened security awareness by spoofing a message and patch from Microsoft.

The impersonation of correspondence from Microsoft — which stresses it never delivers patches via e-mail but instead directs its users to a Web site — is nothing new, but Swen represents a fake that could be hard to spot, iDefense malicious code intelligence manager Ken Dunham told TechNewsWorld.

“It’s really slick how it pretends to be a Microsoft e-mail,” Dunham said. “It makes it all look very official.”

Old Issue, New Threat

Swen, a variant of the Gibe worm rewritten in C++, takes advantage of a vulnerability in Internet Explorer 5.01 and 5.5 that allows an incorrect MIME header to cause execution of an e-mail attachment.

While Microsoft released a patch for the problem when it was announced in March 2001, the issue has been the basis of several viral outbreaks, including such big-name threats as Klez, Nimda, Badtrans and BugBear, according to Dunham.

“There’s been an average of three or four big viruses exploiting this every year since it was discovered,” he said. “It’s still popular, and it still works.”

As the Worm Turns

First discovered nearly a week ago, Swen began with only a few infections but used its automated execution to account for one in every 355 e-mails as of Friday, MessageLabs chief technology officer Mark Sunner told TechNewsWorld.

The worm, which Sunner described as “highly complex,” communicates with a remote Web site to track its own infection reach, which as of Friday morning was at more than 1.4 million computers. Dunham said that although that number might be skewed by noninfected visitors to the site, Swen’s self-assessment of the number of victims is probably accurate.

Sunner, who was critical of traditional antivirus measures that failed to stem the worm’s spread, did not classify Swen as a large outbreak yet, but he said the worm could be a “slow burner” and is still guaranteed to make the top 10 list of viruses.

Like SoBig, So Tricky

Swen, a so-called “blended threat” because of its ability to infect and spread via different available channels, can be triggered automatically through e-mail, IRC, P2P and other network-sharing scenarios. The worm uses its own simple mail transfer protocol (SMTP) engine to send out e-mails using addresses on infected computers.

Dunham, who reported Swen’s solid foothold in the United States, Great Britain and The Netherlands, likened the worm to SoBig in its rapid spread and ability to trick users by changing identifiable information.

“It’s tricky, highly randomized social engineering,” Dunham said, referring to Swen’s bogus error message warning that e-mail functionality could be lost if users do not plug in critical data.

Disabler and Thief

With a variety of components and complexities, Swen is similar to previous threats in its attempts to disable antivirus and firewall programs on targeted computers, according to antivirus vendor Symantec, which upgraded Swen’s severity rating because of increased submissions.

The worm also attempts to steal confidential information with a phony error message that requests e-mail server and password information to avoid loss of e-mail functionality, according to Dunham.

“This component of the attack could lead to a full compromise of a user’s e-mail account or computer,” said Dunham, who referred to a growing number of computers that attackers “know they can count on.”

So Long, Swen

Users who have not patched the problem, despite the availability of a fix for more than two years from Microsoft, are urged to do so now.

Other methods to ward off Swen include blocking executable files at the gateway and avoidance of instant messaging, P2P software and other network-sharing applications.

If already infected, users are advised to seek removal tools for the worm, which are available from several antivirus vendors.


  • In spite of using the Swen removal tool (5 times and once in safe mode!), I still have files becoming infected with this worm – in local settings/Application Data/Microsoft/server file/db/mail. Occasionally new files are generated there (I think they are temp files because I just delete them as I find them manually) and these are the ones that get infected with a compressed file inside of it. Then I quarantine, delete, etc., then delete the files that are left there after Norton certifies my computer as "clean".
    In other words, the touted "removal tools" do not seem to work.

    • I have IE version 6.0 which is not supposed to be vulnerable to this–only 5.x. But, nevertheless, my mailbox is full of these things and my virus catcher is going crazy catching them.
      Since every one is from somebody different, blocking the user is useless. I just tried using Outlook Express v.6 "message rules" to delete all messages that come in with that subject line. I hope it works; and that I don’t automatically delete something from somebody I actually ought to read.

      • well message rules is a misnomer, as we live in a rule-less society, where people ignore the rules just as machines do. what’s wrong with software manufactures anyway, can’t they figure this out? no, because the more pcs people bust by hacking the more money everyone makes selling software and providing support. microsoft should be ashamed it’s put something as worthless as message rules in outlook, it’s not worth the time. and macafee is no better, with it’s spam blocker that will do more harm to your machine then a virus ever will. <i wonder if any of my posts ever get through the censorship of this forum>.
        get jiggy in nepal

  • those of us living in nepal, and using the largest ISP named WLINK, get at least 3 of these a day. and since we are all on modem lines cause of some India-Chinese-USA conspiracy to keep highspeed lines out of Nepal, we are suffering not from the virus attached to the bogus emails, but the wasted download times of the rather large useless messages. the ISP refuses to screen these emails, even though it’s most certianly in thier best interest to do so. and where is microsoft in all of this? why aren’t they held responsible? it’s thier logo on all those emails! cheers,
    get jiggy in nepal

  • As an Mac user invulnerable to the malicious executable, I still haven’t been spared the worm-flame. I have been the recipient of over 250 Swen emails in the last 24 hours.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels