When W32.Swen.A@mm is executed, it performs the following actions:
- Checks to see whether it has already been installed on the computer. If so, the installation procedure will end and display the following message:
- If the executed filename starts with the letter q, u, p, or i, the worm will present the user with the following dialog box:
The worm will install itself regardless of the choice that is made. If you click No, the worm will be installed silently. If you click Yes, the following dialog boxes will be displayed while the worm is installed:
- Attempts to end the following processes:
- Drops a copy of itself to %Windir% with a randomly generated filename.
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
- Searches the .html, .asp, .eml, .dbx, .wab, and .mbx files on the hard disk for email addresses.
- Creates the file, %Windir%\Germs0.dbv, where it stores the email addresses it has found.
- Creates the file, %Windir%\Swen1.dat, where it stores a list of remote news and mail servers.
- Drops a %ComputerName%.bat file, which executes the worm, and a randomly named configuration file that stores the local, machine-specific data.
Note: %ComputerName% is a variable that represents the name of the infected computer.
- Adds the values:
- "CacheBox Outfit"="yes"
- "Email Address"="<The current user's email address that the worm retrieves from the registry>"
- "Server"="<The IP address of the SMTP server that the worm retrieves from the registry>"
- "Mirc Install Folder"="<location of mirc client on system>"
- "Installed"="...by Begbie"
- "Install Item"="<random>"
to the key:
where * is a random set of letters.
- Adds a randomly named value to:
so that the worm starts when Windows starts.
- Modifies the following registry keys:
which hooks the worm to each of these file types.
- Modifies the value:
"DisableRegistryTools" = "1"
in the registry key:
to prevent you from running Regedit on the computer.
- Periodically presents you with a fake MAPI32 Exception error:
prompting you to enter the details of your email account, including the following:
- Email address
- POP3 server
- SMTP server
- Using the username and password, the worm logs into the POP3 server and checks your email. If it finds a message that the worm itself sent, it deletes that message. The worm only deletes messages that the currently infected computer has sent.
- Intercepts the execution of any of the processes listed in step three, preventing them from loading, and then displays the following fake error message:
- Sends an HTTP GET request to a predefined HTTP server to retrieve counter information when the worm runs for the first time. The worm may then display the counter information.
- Attempts to create one or more compressed copies of itself using the Winzip file-compression utility, and then the Winrar file-compression utility.
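The registry values listed above are the cheapest host-side indicators to sweep for. The following is an added example, not Symantec's code or tooling: it parses the text of a `reg export` (.reg) file and reports every value that matches one of the worm's markers. The key paths in the constructed sample are placeholders, since the page does not reproduce them; only the DisableRegistryTools policy key is a real path.

```python
import re

# Registry artifacts listed in the writeup above. The page does not reproduce
# the exact key paths, so the check matches on value names and data wherever
# they appear in the export.
SWEN_VALUE_MARKERS = {
    "CacheBox Outfit": lambda d: d.lower() == "yes",
    "Installed": lambda d: "by Begbie" in d,
    "Install Item": lambda d: True,
    "Dir99": lambda d: d.startswith("012345:"),          # KaZaA share entry
    "DisableRegistryTools": lambda d: d in ("1", "dword:00000001"),
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|(dword:[0-9a-fA-F]{8}))$')

def parse_reg_export(text):
    """Yield (key, value_name, data) triples from .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name, sdata, ddata = m.groups()
            yield key, name, sdata if sdata is not None else ddata

def find_swen_registry_artifacts(text):
    """Return (key, name, data) for every value matching a Swen marker."""
    return [(k, n, d) for k, n, d in parse_reg_export(text)
            if n in SWEN_VALUE_MARKERS and SWEN_VALUE_MARKERS[n](d)]

# Constructed sample export; the Swen and KaZaA key paths are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Placeholder-Swen-Key]
"CacheBox Outfit"="yes"
"Installed"="...by Begbie"
"Install Item"="qwv"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Placeholder-KaZaA-Key]
"Dir99"="012345:C:\\WINDOWS\\TEMP\\xkq"
'''
```

Run the function over an export of HKCU and HKLM\Software taken from the suspect machine; any hit on "Installed" or "CacheBox Outfit" is specific enough to warrant checking %Windir% for Germs0.dbv and Swen1.dat.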
The worm spreads through email, KaZaA, IRC, mapped drives, and newsgroups. The following sections discuss how each of these transmission methods can occur.
Transmission through email
W32.Swen.A@mm sends a copy of itself to the addresses found on the system through various methods. The worm can vary the message it sends, as well as the filename that it attaches itself as. The worm may use an incorrect MIME Header exploit, mentioned in Microsoft Security Bulletin MS01-020, to ensure that it is automatically executed when the mail is viewed.
One of the messages, as shown here, pretends to be a critical message from Microsoft, suggesting that you update your system with the attached file.
Other messages can be constructed as follows:
The subject of the email can take one of two formats.
For the first subject format, the subject contains up to four strings and may appear in lowercase:
- String 1
- String 2
- String 3
- String 4
The second subject format is assembled from the following strings and may end at either of the marked points or run to String 13:
- String 1
- String 2
- String 3
- String 4
- String 5
- The subject may end here
- String 6
- String 7
- Internet Explorer
- <empty if String 6 is empty>
- The subject may end here
- String 8
- String 9
- <empty if String 8 is empty>
- String 10
- String 11
- String 12
- String 13
The attachment name is created by:
- Selecting one of the following predetermined names:
- Followed by a series of random numbers.
- And a file extension that is either .exe or .zip.
The worm can also impersonate mail delivery failure notices, attaching itself as a randomly named executable.
One example is:
I'm sorry I wasn't able to deliver your message to one or more destinations.
Transmission through KaZaA
When attempting to spread through KaZaA, W32.Swen.A@mm performs the following actions:
- Drops a .zip or .rar copy of itself into a randomly named subdirectory of %Temp% on the computer.
Note: %Temp% is a variable. The worm locates the system's temporary folder and creates the randomly named subdirectory there.
- Adds the value:
"Dir99"="012345:<random folder name>"
to the registry key:
which adds this folder to the list of folders shared by KaZaA.
Note: <random folder name> is the folder created under %Temp% in step 1 above.
- Some of the possible dropped filenames include:
- Virus Generator
- Magic Mushrooms Growing
- Cooking with Cannabis
- Hallucinogenic Screensaver
- My naked sister
- XXX Pictures
- Sick Joke
- XXX Video
- XP update
- Emulator PS2
- XboX Emulator
- Jenna Jameson
- 10.000 Serials
- Hotmail hacker
- Yahoo hacker
- AOL hacker
- removal tool
- key generator
- Windows Media Player
- GetRight FTP
- Download Accelerator
- KaZaA media desktop
- Kazaa Lite
Transmission through IRC
When attempting to spread through IRC, W32.Swen.A@mm performs the following actions:
- Searches for a \Mirc folder.
- Creates a Script.ini file in this folder, which the worm uses to send .zip, .rar, or .exe copies of itself to other mIRC users connected to the same channel as the infected computer.
Transmission through mapped drives
When attempting to spread through mapped drives, W32.Swen.A@mm targets the following locations on those drives:
- \Win98\Start menu\Programs\Startup
- \Win95\Start menu\Programs\Startup
- \WinMe\Start menu\Programs\Startup
- \Windows\Start menu\Programs\Startup
- \Documents and Settings\All Users\Start menu\Programs\Startup
- \Documents and Settings\Administrator\Start menu\Programs\Startup
- \Documents and Settings\Default User\Start menu\Programs\Startup
- \Winnt\Profiles\All Users\Start menu\Programs\Startup
- \Winnt\Profiles\Administrator\Start menu\Programs\Startup
- \Winnt\Profiles\Default User\Start menu\Programs\Startup
Transmission through newsgroups
The worm enumerates the registry looking for newsgroup server addresses and then attempts to contact that newsgroup server. If no newsgroup server is configured on the system, the worm randomly selects one from a predefined list. The worm downloads the available groups and posts messages to randomly selected groups. The messages posted to the newsgroups are generated by the same routine used for sending email.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":