Guest Motormouse

Watch out there's a virus about


Sorry about this, but I thought I'd better post this as a general 'heads up'. I had a couple of e-mails yesterday that were infected with the Win32.Swen.a virus. My anti-virus stopped it when it tried to self-execute (!) but I can't be sure if it had already copied my address book and mailed itself on by then :-( and most of my 'contacts' are either here, or in the BFU forum. Here's a description of the virus:

"Win32.Swen.a
===========================
Virus/Vandal name: Win32.Swen.a
Threat Level: Medium
Alias: Swen, I-Worm.Swen, W32/Swen.A@mm, W32/Gibe.E@MM, Gibe.E
Platforms: Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP
Updated on: September 18, 2003
Arrival Form: Email, Network Shares, IRC, P2P
Type: Win32, Worm, Trojan
Damage: Create files, Prevent normal OS operation, Send Email, Send Message, Theft of information, Other

Analysis
-------------

Introduction
---------------------
Win32.Swen.a is a mass-mailing worm which employs multiple propagation methods to spread. The worm may appear to be a legitimate message from Microsoft. All users must note that Microsoft will never send updates and patches via email.

The worm attempts to open itself automatically when received via email by using the I-Frame exploit. eSafe Gateway and eSafe Mail customers are proactively protected from this exploit and therefore the worm will not be able to self-execute on protected machines.

The arriving email will have the following characteristics:

Sender: The forged sender's address is composed of several random strings. The random address is composed as follows:
Username@domain.domain-suffix.com or .net

Possible Usernames: Assistance, Bulletin, Center, Corporation, Customer, Department, Division, Internet, Microsoft, MS, Network, Program, Public, Section, Security, Services, Support, Technical

Possible Domain Names: advisor, bulletin, confidence, news, newsletters, support, technet, updates

Possible Domain Suffixes: microsoft, ms, msdn, msn

Subject: The subject of this mail will usually be composed from a pre-generated list of words. There may be thousands of different variations.

Message body: The message body contains information that may appear legitimate. It claims to include a cumulative patch for Internet Explorer, Outlook and Outlook Express. The exact message is also constructed from various lines of text and may appear different for each recipient.

Attached File: The attached filename will be an executable (.EXE). The name itself will be composed of one of the following text strings and end with a randomly generated number: install, patch, q, update

Malicious Activity
---------------------
When the worm is executed it does the following:

1. The worm attempts to disable various processes related to security applications. This may help the worm thrive on a system if it was not already protected.

2. The worm searches the registry to check if the computer is already infected. If it doesn't find the relevant entry it creates one. This action also ensures the worm is executed whenever the computer is restarted. The registry entry is as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
'[random string]' = '[random string].exe /autorun'

3. If the computer is already infected by the worm, it will display the following message:
Subject: Microsoft Internet Update Pack
Message: This update does not need to be installed on this system.
If the computer is not yet infected, the worm will display the following message, with Yes and No buttons:
Subject: Microsoft Internet Update Pack
Message: This will install Microsoft Security Update. Do you wish to continue?
The infection will commence regardless of the user's selection. If the 'No' button is pressed, the worm will install itself in the background with no user interaction. When a user-authorized installation is complete the worm will notify the user accordingly.

4. Copies itself to the default Windows directory as an executable file with a random filename.

5. Creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\[randomly generated 4 character string]
'CacheBox Outfit' = 'yes'
'Install Item' = ''
'Installed' = '...by Begbie'
'Mirc Install Folder' = ''
'Unfile' = ''
'ZipName' = ''

6. Modifies the following registry keys so that they correspond with its main executable file:
HKEY_LOCAL_MACHINE\CLASSES\exefile\shell\open\command
HKEY_LOCAL_MACHINE\CLASSES\regfile\shell\open\command
HKEY_LOCAL_MACHINE\CLASSES\scrfile\shell\open\command
HKEY_LOCAL_MACHINE\CLASSES\comfile\shell\open\command
HKEY_LOCAL_MACHINE\CLASSES\batfile\shell\open\command
HKEY_LOCAL_MACHINE\CLASSES\piffile\shell\open\command
This allows the worm to run whenever .exe, .reg, .scr, .com, .bat or .pif files are executed.

7. So that users will not be able to access the worm's registry modifications, it also creates the following entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
'DisableRegistryTools' = '1'

8. Occasionally, the worm may present a forged MAPI Exception error which will prompt the user to enter all mail details, confidential (password) or otherwise.

9. When certain executables the worm does not agree with are opened, the worm will display the following error message and then close the application:
Exception error occured: Memory access violation in module kernel32 at <random_number:random_number>

10. To spread via KaZaA, the worm creates a folder and shares it with other users. It then drops several copies of itself to that folder with various filenames and with .zip or .exe extensions.

11. To spread via mIRC, the worm attempts to open a client (if it exists on the infected computer), connect to channels and send itself to all users connected to those channels.

12. To spread via network shares, the worm attempts to copy itself to all startup folders on shared drives it can find.

13. The worm also attempts to spread via newsgroup channels, but only if the machine's user uses this service. The worm will only send itself to those newsgroups accessed by the user.

14. Finally, the worm attempts to send itself to all contacts harvested from various locations on the infected system. All messages attempt to use the I-Frame exploit in order to be automatically executed when the message is opened or previewed."

If you think you've been infected you can download a 'cleaner' from here:
http://securityresponse.symantec.com/avcen...moval.tool.html

:-wave
Pete
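Mail-side detection logic for the sender address, attachment name and IFRAME characteristics listed in the description above. This is an added example, not part of the original post or of the eSafe write-up it quotes: the word lists are copied from the description, the two sample messages are constructed here for illustration, and the quarantine threshold in `should_quarantine` is my own assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Word lists as given in the worm description above (transcribed, not a vendor feed).
USERNAMES = ("Assistance", "Bulletin", "Center", "Corporation", "Customer", "Department",
             "Division", "Internet", "Microsoft", "MS", "Network", "Program", "Public",
             "Section", "Security", "Services", "Support", "Technical")
DOMAINS = ("advisor", "bulletin", "confidence", "news", "newsletters", "support", "technet", "updates")
SUFFIXES = ("microsoft", "ms", "msdn", "msn")

# Username@domain.suffix.com|net, e.g. Support@newsletters.msdn.net
SENDER_RE = re.compile(
    r"^(?:%s)@(?:%s)\.(?:%s)\.(?:com|net)$"
    % ("|".join(USERNAMES), "|".join(DOMAINS), "|".join(SUFFIXES)),
    re.IGNORECASE,
)
# install|patch|q|update followed by a number and .exe
ATTACH_RE = re.compile(r"^(?:install|patch|q|update)\d+\.exe$", re.IGNORECASE)
# An <iframe> whose src points at a MIME part (cid:), the auto-execution trick the description mentions
IFRAME_CID_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?cid:", re.IGNORECASE)


def swen_indicators(raw_message):
    """Return the list of Swen-style indicators found in one RFC 822 message string."""
    msg = message_from_string(raw_message)
    hits = []
    sender = parseaddr(msg.get("From", ""))[1]
    if SENDER_RE.match(sender):
        hits.append("forged-sender:" + sender)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            if IFRAME_CID_RE.search(body.decode("latin-1", "replace")):
                hits.append("iframe-cid")
        name = part.get_filename()
        if name and ATTACH_RE.match(name):
            hits.append("attachment:" + name)
    return hits


def should_quarantine(raw_message):
    """Assumed policy: the forged sender alone is enough, otherwise require two indicators,
    because the attachment-name pattern by itself (update123.exe) is a plausible legitimate name."""
    hits = swen_indicators(raw_message)
    return any(h.startswith("forged-sender:") for h in hits) or len(hits) >= 2


# Constructed sample messages (not real captures).
SAMPLE_SWEN = """\
From: "MS Technical Services" <Support@newsletters.msdn.net>
To: pilot@example.com
Subject: Current Internet Security Patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"

<html><body>Install this cumulative patch for Internet Explorer and Outlook.
<iframe src="cid:Q123.exe" height="0" width="0"></iframe></body></html>
--B1
Content-Type: application/octet-stream; name="Q123.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Q123.exe"
Content-ID: <Q123.exe>

TVqQAAMAAAAEAAAA//8AALgAAAAA
--B1--
"""

SAMPLE_BENIGN = """\
From: Alice <alice@example.org>
To: pilot@example.com
Subject: Re: flight plan for Saturday
Content-Type: text/plain

See you at the airfield at 10.
"""

if __name__ == "__main__":
    for label, raw in (("swen", SAMPLE_SWEN), ("benign", SAMPLE_BENIGN)):
        print(label, swen_indicators(raw), "quarantine" if should_quarantine(raw) else "deliver")
```

A gateway that already strips or renames all executable attachments does not need the attachment rule; the value here is in the sender pattern, which is specific enough to tag the whole campaign, and the `cid:` IFRAME test, which catches the auto-execution variant regardless of what the attachment is called.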
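Host-side triage for the registry changes listed under Malicious Activity (the Run entry ending in /autorun, the explorer\<4 chars> marker key, the hijacked shell\open\command values and DisableRegistryTools). This is an added example, not the post's own material and not the Symantec removal tool it links; it reads a plain-text .reg export rather than the live registry so it can be run from any machine. The expected default open-commands are my assumption for Windows 2000/XP and should be confirmed against a known-clean box, and the sample export is constructed.

```python
import re
import sys

# Assumed defaults for Windows 2000/XP; confirm on a clean machine before trusting a mismatch.
EXPECTED_OPEN_CMD = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
    "regfile": 'regedit.exe "%1"',
}
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
)
POLICY_KEY = r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM"
OPEN_CMD_RE = re.compile(r"\\(EXEFILE|COMFILE|BATFILE|PIFFILE|SCRFILE|REGFILE)\\SHELL\\OPEN\\COMMAND$")
MARKER_KEY_RE = re.compile(r"\\CURRENTVERSION\\EXPLORER\\[^\\]{4}$")
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')  # "name"=data or @=data


def _decode(data):
    """Decode one .reg token: "..." strings (with \\ and \" escapes) and dword:hex; other types stay raw."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex(...) blobs are not needed for these checks


def parse_reg_export(text):
    """Parse REGEDIT5 .reg text into {KEY (upper-cased): {value name: data}}; '' is the (Default) value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line) if current else None
        if m:
            name = "" if m.group(1) == "@" else _decode(m.group(1))
            keys[current][name] = _decode(m.group(2))
    return keys


def swen_registry_findings(text):
    """Return the Swen indicators present in a .reg export as human-readable strings."""
    keys = parse_reg_export(text)
    findings = []
    for run in RUN_KEYS:  # item 2: '[random].exe /autorun' under Run
        for name, data in keys.get(run, {}).items():
            if isinstance(data, str) and data.strip().lower().endswith("/autorun"):
                findings.append("autorun-run-entry: %s = %s" % (name, data))
    for key, values in keys.items():
        if MARKER_KEY_RE.search(key) and (  # item 5: explorer\<4 chars> marker key
            str(values.get("Installed", "")).endswith("by Begbie")
            or values.get("CacheBox Outfit") == "yes"
        ):
            findings.append("marker-key: " + key)
        m = OPEN_CMD_RE.search(key)  # item 6: file-type handlers pointed at the worm
        if m:
            ext, cmd = m.group(1).lower(), str(values.get("", ""))
            if " ".join(cmd.split()).lower() != EXPECTED_OPEN_CMD[ext].lower():
                findings.append("hijacked-open-command: %s = %s" % (ext, cmd))
    if keys.get(POLICY_KEY, {}).get("DisableRegistryTools") == 1:  # item 7
        findings.append("registry-tools-disabled")
    return findings


# Constructed sample export mimicking an infected machine (key names are illustrative).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\WINDOWS\\system32\\smax.exe"
"qjdfk"="C:\\WINDOWS\\qjdfk.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Ab7Q]
"CacheBox Outfit"="yes"
"Installed"="...by Begbie"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\qjdfk.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""

if __name__ == "__main__":
    # reg.exe export writes UTF-16 with a BOM; regedit /e on 9x/ME wrote ANSI (use encoding="cp1252").
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for finding in swen_registry_findings(text) or ["no Swen indicators found"]:
        print(finding)
```

Produce the exports on the suspect box with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion cv.reg`, `reg export HKCR\exefile exefile.reg` (and the other five file types) and `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies policies.reg`, then run the script over each file. Because the worm rewrites exefile\shell\open\command, delete its executable only after that command has been restored to its default; removing the file first leaves every .exe on the machine unlaunchable.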


Since last Friday (19th Sept) my virus checker has detected this virus at least 3 times a day! I sometimes wonder if these virus checker companies send out viruses to keep themselves in biz!

Paul....... :)
