CAN20030920a
Swen.A Worm In Wide Distribution
Appears As Fake Microsoft Patch Or Qmail Failure Notice; Disables Anti-Virus, Firewall Software
Dates & Revisions
- Original CAN date: September 20, 2003
- Latest revision: September 20, 2003
Systems Affected
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003
Problem Overview
A new worm has been found in heavy distribution on the Internet. The worm, known as Swen.A, moves across the Internet through e-mail, the Kazaa peer-to-peer file-sharing network, IRC, mapped drives on local area networks, and/or newsgroup postings. When spreading via e-mail, the file appears as an attachment and purports to be either a patch from Microsoft for the Internet Explorer browser or an e-mail delivery failure notice from qmail.
Once the attachment is executed, it installs a hook into the Windows operating system that causes the program to execute every time Windows is started. Once the worm is actively running, it attempts to disable any anti-virus and/or firewall software installed on the computer. Periodically, it shows the user a false MAPI32 error message and tells the user that Outlook and Outlook Express will not work unless the user re-enters the mail server password and mail server configuration information. The worm then uses this information to reproduce itself via the aforementioned methods, including sending e-mail messages containing the worm as an attachment to e-mail addresses that it finds on the infected computer.
While infection by this worm may make your computer unstable, the more likely damage will be caused by loss of bandwidth and by infection/hacking activity from other viruses and worms, which becomes possible once Swen.A has disabled your computer's anti-virus and/or firewall software.
It is important to note that if you are using an old version of Microsoft Internet Explorer which has not been patched for at least two years, your browser may be subject to an IE bug originally discovered by Microsoft in March 2001. This bug, known as the Incorrect MIME Header bug, allows certain devious attachments to execute automatically if the message containing them (not the attachment itself) is opened or previewed with a program such as Outlook. Swen.A takes advantage of this bug to install itself on systems with vulnerable versions of Internet Explorer, regardless of whether the user actually opens the attachment.
We remind users that the attachment distributed by infected e-mails is NOT a patch for any Microsoft program. Microsoft DOES NOT distribute actual patch files via e-mail attachments.
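The two e-mail lures described above (a fake Microsoft patch, a fake qmail failure notice, each carrying an executable attachment) can be screened for at the mail gateway. The following is an added example, not code from Logical Operators or any anti-virus vendor; the sample message is constructed for illustration, and the heuristics (keyword matches on sender and subject, and a check that an executable is not declared under a harmless media type, the kind of mismatch the Incorrect MIME Header bug abused) are assumptions rather than a published signature.

```python
"""Screen raw RFC 822 messages for the Swen.A e-mail lures: a claimed
Microsoft patch or qmail bounce that carries an executable attachment.
Heuristics and the sample message are constructed assumptions."""
import email
from email import policy

# Extensions Windows runs directly when the attachment is opened.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com", ".cmd")
# Media types under which an executable should never be declared.
NON_EXEC_TYPES = ("audio", "image", "text", "video")

def executable_parts(msg):
    """Yield (filename, declared content type) for executable-looking parts."""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTENSIONS):
            yield name, part.get_content_type()

def swen_lure_reasons(raw):
    """Return the reasons a message matches the Swen.A lures ([] if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = list(executable_parts(msg))
    if not parts:
        return []  # no executable attachment: not one of these lures
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").lower()
    reasons = []
    # Microsoft does not distribute patches as e-mail attachments.
    if "microsoft" in sender or "patch" in subject or "update" in subject:
        reasons.append("fake Microsoft patch: executable attachment")
    # A genuine qmail bounce quotes the failed message, never a program.
    if "mailer-daemon" in sender or "qmail" in sender or "failure notice" in subject:
        reasons.append("fake qmail failure notice: executable attachment")
    # Executable declared under a harmless type: assumed mismatch check.
    for name, ctype in parts:
        if ctype.split("/")[0] in NON_EXEC_TYPES:
            reasons.append(f"{name} declared as {ctype}")
    return reasons

# Constructed sample resembling the fake-patch lure (not a real worm message).
SAMPLE_FAKE_PATCH = """\
From: "Microsoft Internet Security Section" <security@example.invalid>
Subject: Latest Internet Security Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: audio/x-wav; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

TVo=
--B1--
"""
```

Running `swen_lure_reasons(SAMPLE_FAKE_PATCH)` flags both the Microsoft-patch lure and the executable declared as audio, while an ordinary text message with no attachment returns an empty list.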
Problem Details
For detailed technical descriptions of the problem, please review the following links:
Please note that the organizations controlling the content of the web sites referenced by these links may periodically update the information on their sites as new details about the severity of the threat become known.
What Should I Do?
You should immediately:
- review the bulletins listed above;
- delete any such e-mail which you receive, without opening the attachment;
- remove any unnecessary network shares from your computer; and
- update your anti-virus software with the latest available signature files.
- Additionally, if your copy of Internet Explorer is vulnerable to the Incorrect MIME Header bug (see the Microsoft article listed above), EITHER download and apply the Microsoft MIME Header patch for your version of Internet Explorer OR upgrade your Internet Explorer software to the latest version and apply any available patches.
What If I Am Unable To Fix The Problem?
If you are unable to correct these problems yourself or are unsure how to proceed, contact Logical Operators and arrange to have one of our service technicians check your system and apply the corrections for you (standard service fees will apply). In addition to correcting the problem(s) listed in this CAN, our technicians can also test your system for thousands of other known threats which may be present on your system, make valuable recommendations on securing your system from future threats, and perform numerous other computing services.