The W32/Swen.A@MM Virus Fills Mailboxes; Forges Its "From:" Field

This information can be freely reproduced in any medium, as long as the information is unmodified.

The Swen virus family infects only PC computers running Windows; Macintosh users, and users of other non-Windows operating systems cannot be infected by this virus. These users may, however, receive plenty of email from Swen, so its "annoyance factor" is large.

• Swen was discovered 18 September, 2003; it should have been little threat at the University, since VirusScan as we distribute it would have detected and prevented this generically since -- well, since before we even started using VirusScan, way back in 2001. Hence I expect that any actual infections here will be due to people using other antivirus products, or who have a broken installation of VirusScan, or -- most likely -- who have no antivirus software at all.

• We released the VirusScan 4294 drivers -- which cover W32/Swen.A explicitly -- at 14:54 EDT on August 2003, so U-M Windows users who have VirusScan installed and updating itself automatically should have been able to detect Swen explicily (that is, by name) within an hour or so thereafter -- and of course they should have been protected against it since VirusScan was installed originally. If you opened infected email, though, and didn't have virus protection -- the virus probably bit you. NEVER open unsolicited email attachments, even when they appear to be from someone you know and trust. [Instead, email the sender to ask if s/he sent it, and what it is, and demand a sufficiently detailed answer that a virus would be unable to generate. Better yet, ask over the phone or in person; no virus can forge that!]

  Note that even if you have antivirus software, that does not mean that you will not see large numbers of emails from victims of this virus. But since this virus is not likely to infect as many people as some other viruses -- compared, for example, to Sobig.F, we expect that the deluge overall will be significantly less.

That said, Swen definitely is out "In The Wild" in significant measure, probably mostly on "unadministered" computers.

The main features of Swen.A are these:

• Swen sends a message that appears to be email containing a patch for Windows. DO NOT BE FOOLED! For one thing, Microsoft does not send email containing attachments.... Also, Swen can forge a message that appears to be a rejection notice.

• Swen harvests email addresses it finds on the infected computer, not only from addressbooks. It uses these addresses as targets to which to send infected attachments but the "To:" field will appear different than these addresses. In particular, it generates generic sounding names like
  • "MS Customer" <customer-xxxx@newsletters.msdn.net> or
  • Client <client@updates.msdn.com> or
  • "Commercial Customer" <customer_xxxx@news.net>.

  [The "xxxx" represents random text, which is not always present and need not be 4 characters long.]

• Similarly, it forges its From: field, so that recipients of email with Swen.A-infected attachments seem to get it from an official-sounding address, but that is not the actual sender (and is not the real Swen.A victim). The forged address is generated randomly from combinations of text strings carried by the virus. For example, the email might appear to come from
  • Microsoft <xxxx@newsletters.msdn.net> or
  • "Microsoft Technical Bulletin" <xxxx@news.net> or
  • "MS Program Security Center" <xxxx@newsletter.msn.com>.

  Again, "xxxx" represents random junk.

• "Subject:" fields are generated randomly from lists contained within the virus. Again, they contain official-sounding text, like "New Internet Upgrade" or "Security Upgrade" or "Microsoft Critical Update".

• Swen attempts to terminate antivirus protection.

• If the recipient uses Outlook, Swen attempts to utilize unpatched bugs to spread automatically. That is, it can spread even if the attachment is not launched manually. [Hint: if you use Outlook (yuk!), make sure you run your Windows Update procedure on your Start (or, for XP, Start/All Programs) menu to install all "critical" updates! Do this regularly; do this often!]

• Swen also attempts to spread via mapped drives on a local network, IRC, KaZaA, and newsgroups.

For more details, see the antivirus vendor URLs below.

Obviously, you should not attempt to open the attachment.... But then again, at the risk of sounding like a broken record: you never should open unsolicited attachments -- not even when they appear to be from someone you know and trust.

What should you do if:

• If know you are infected by Swen?

  Easy: disinfect with current, top quality antivirus software. University folks can get such software here. But in this case, since Swen actively attacks antivirus software, I recommend you first perform the procedure below:

  There is an excellent tool for doing this -- it also handles a fair number of other viruses that are particularly nasty. It's NAI's free! Stinger tool (leaving our site). If you use Stinger, be sure to follow all the instructions they provide -- in particular, if you use WinME or WinXP, disabling System Restore. Otherwise, you'll be wasting time and effort. IN ADDITION I recommend booting in Safe Mode also.

  Also, note that while Stinger removes a few nasty viruses, it does NOT detect most of the 80000+ viruses known to exist -- nor does it protect you from getting reinfected. For that, you must use normal antivirus software.

  One more time: Stinger is for detection and removal only, not protection.

• You receive email you suspect is infected with Swen.A -- or other viruses, for that matter?

  That's up to you; for suggestions, see our What to do with suspicious email document.

For technical info on Swen, see e.g. Network Associates write-up on W32/Swen (leaving our site) or F–Secure's write up (leaving our site).

The URL for this document is http://www.umich.edu/~virus-busters/swen.html

For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

   -BPB