Swen is a complex worm on Microsoft Windows (Win32) that poses as a Microsoft Security update. Like Nimda it was most visible as a mass-mailer, it could also spread over network shares, and file sharing. It also has retroviral capabilities, as it tries to shut off services that might possibly be antivirus programs and firewalls.
Swen can arrive through an email, Internet Relay Chat, Kazaa filesharing, mapped drives and newsgroups.
Swen's email is made to look like a Microsoft Windows security update. There are two possibilities for a type of subject line and each word of the subject line is generated from a few different possible strings:
Subject Line 1
- Word 1: Current, Newest, Last, New, Latest, <none>
- Word 2: Net, Network, Microsoft, Internet, <none>
- Word 3: Critical, Security, <none>
- Word 4: Patch, Update, Pack, Upgrade
Subject Line 2
- Word 1: RE:, FWD:, FW:, <none>
- Word 2: Check, Checkout, Prove, Taste, Try, TryOn, LookAt, TakeALookAt, See, Watch, Use, Apply, Install, <none>
- Word 3: this, that, the, these, <none>
- Word 4: important, internet, critical, security, corrective, correction, <none>
- Word 5: pack, package, patch, update
The subject line may end here. If it does not, the worm may choose two or more words for the subject line, whose possibilities include:
- Word 6: for, <none>
- Word 7: Windows, Internet, Explorer, <none if Word 6 does not appear>
The subject line may also end here, or the worm may choose six more words to add to the subject line, which may include:
- Word 8: which, that, <none>
- Word 9: came, comes, <none if Word 8 does not appear>
- Word 10: from
- Word 11: the, <none>
- Word 12: MS, Microsoft, M$
- Word 13: Corporation, Corp., <none>
The attachment name is also randomly generated from a list of possible names followed by a random string of numbers and an exe, zip or rar extension: Patch, Upgrade, Update, Installer, Install, Pack or Q. It will be 106,496 bytes long.
Swen may come from the Kazaa file-sharing network as a .zip or .rar archive with one of the following names:
- 10.000 Serials
- AOL hacker
- Cooking with Cannabis
- Download Accelerator
- Emulator PS2
- GetRight FTP
- Hallucinogenic Screensaver
- Hotmail hacker
- Jenna Jameson
- Kazaa Lite
- KaZaA media desktop
- key generator
- Virus Generator
- Magic Mushrooms Growing
- My naked sister
- removal tool
- Sick Joke
- Windows Media Player
- XboX Emulator
- XP update
- XXX Pictures
- XXX Video
- Yahoo hacker
If the user joins the same IRC channel as an infected computer, it may receive a copy. It may also come from a newsgroup post, which will have the same characteristics as the email. A computer on the same local network as an infected computer will be infected with the worm, as it copies itself to any startup folders it finds.
When executed, Swen checks to see if it has previously infected the computer. If so, the worm will display a message saying that the update does not need to be installed. If the worm has not previously infested the computer, it will display a dialog box which appears to give the user the option of continuing the installation. If the user chooses "No", the installation of the worm silently continues anyway. It copies itself into the into the Windows directory as a randomly generated name.
Swen then adds a random value to the local machine registry key which starts the worm when the computer starts up. The value "DisableRegistryTools = 1" is added to the current user system policies key to prevent the user from running Regedit.
It also adds itself as a value to registry six different registry keys, which will cause the worm to run every time one of the six different file types are executed. The file types are:
It then creates its own registry subkey under the local machine Explorer key, which will be a string of random letters. It will add several values to this key, including:
- CacheBox Outfit = yes
- ZipNam = <random>
- Email Address = <user's email address>
- Server = <IP address of SMTP server retrieved from registry>
- Mirc Install Folder = <location of mirc client on system>
- Installed = ...by Begbie
- Install Item = <random>
- Unfile = <random>
The worm attempts to kill processes that may be security programs with the names:
It will intercept these processes and display an error message if the process attempts to restart.
Swen will send an HTTP request to a predefined HTTP server in order to retrieve counter information when and may show how many times the worm has run and therefore how many computers it has infected.
The worm begins to find new computers to infect. It tries to use Winzip (its first choice) and WinRAR to compress itself before sending itself. It searches for email addresses in the following types of files:
It then stores the email addresses in the file Germs0.dbv, which it creates in the Windows directory. It creates Swen1.dat in the same directory, where it stores a list of news and mail servers. Then it drops a .bat file with a name the same as that of the computer, which executes the worm and a configuration file to store local machine data. The worm has its own SMTP engine to mail itself.
Periodically Swen presents the user with a fake MAPI32 Exception error which prompts the user to enter details of his/her email account including the address, username, password, POP3 server, SMTP server. The worm the logs onto the POP3 server using the information provided to the fake MAPI32 exception error and deletes emails sent by another copy of the worm to prevent sending itself to the same email addresses too many times.
Spreading through KaZaA, Swen drops a zip or rar copy of itself, as one of the names in the "Kazaa Transmission" section, into a randomly named folder in the Temp folder of the computer. It adds the value "Dir99 = 012345:<random folder name>" to the Kazaa share folders registry key, which turns this folder into a shared Kazaa folder.
Swen searches the registry looking for newsgroup server addresses and attempts to contact that server. If there is no newsgroup server configured on the system, the worm will select one from its own list. Swen downloads the available groups and posts messages to randomly selected groups.
Swen searches for a Mirc folder then creates the file Script.ini in that folder. The worm uses this folder to send exe, rar or zip copies of itself to other mIRC users who are connected to the same channel.
Swen itself may be a variant of Gibe, a worm that also poses as a Microsoft security alert.
Swen became the top worm of 2003 November, according to Messagelabs, which blocked around 567,000 emails carrying the worm. It is reported to have caused $10.4 billion in damage.
Swen is news spelled backwards. There is no indication if this was the intent of the creator when naming the worm. It was likely named by the antivirus companies for the Swen1.dat file that it drops.
- ClamAV: Worm.Gibe.F
- Kaspersky: Email-Worm.Win32.Swen
- McAfee: W32/Swen@MM
- MessageLabs: W32/Gibe.E-mm
- Sophos: W32/Gibe-F
- Symantec: W32.Swen.A@mm
- Trend Micro: WORM_SWEN.A
John Canavan. Symantec.com, "W32.Swen.A@MM".
John Leyden. The Register, "Nasty worm poses as MS security update". 2003.09.19
-. -, Swen fends off Mimail to top viral charts. 2003.11.28
Richard A. Elnicki. University of Florida, Virus, Worm & Spam Costs 1: An Episode at the University of Florida.