Example: Swen

On the 18th September 2003 people in the West started receiving a plausible-looking email, apparently from Microsoft.  The email contains an attachment, and readers are urged to apply the new "security update".  In fact the email is a fake (apparently originating from Slovakia) and the attachment is a powerful Internet worm dubbed "Swen".

It spreads through:

• emails like the one described, with several different disguises, including "delivery-failure" notifications
• network file-shares and mapped drives
• Internet Relay Chat
• music-sharing networks like KaZaA

If you have Internet Explorer version 5.5 or earlier, and haven't applied the relevant updates, then the program can be triggered merely by viewing the email (including simply allowing it to be displayed in the Preview Pane in Outlook or Outlook Express).

It is a sophisticated program!

• It has a realistic installation dialogue (if you choose "cancel" it installs anyway, of course), and spreads itself round your machine, using various fake names to make itself harder to find.
• It reconfigures your machine so that the program re-starts when Windows starts, or whenever any other program is run (making it very hard to stamp out).
• It checks for 109 different AntiVirus and Firewall programs that might be installed, attempts to kill any it finds, and prevents them being started again.
• It blocks access to the "Registry Editor", the system tool which is necessary to reverse these changes.
• It searches throughout your hard disk and sends copies of itself to every email address it finds, using its own in-built email program.  It sometimes pops up a fake "error message" asking you for your email account password, and (if you fall for it) it logs on to your email account to see what it can find there.
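The three self-protection tricks in the list above (re-starting with Windows, re-starting whenever any other program is run, and disabling the Registry Editor) all leave traces in ordinary Windows registry locations that an administrator can inspect. The following PowerShell script is an added example for this page, not something taken from the original article or from the worm itself; it assumes the standard Run/RunOnce keys, the exefile shell-open command and the DisableRegistryTools policy value are the places worth checking, which is a general Windows assumption rather than anything the page states about Swen.

```powershell
# Added example (not from the original page): audit the three persistence /
# self-protection tricks the page describes, from a defender's viewpoint.
# Assumed locations (general Windows, not stated on the page): the Run/RunOnce
# keys, the exefile shell-open command, and the DisableRegistryTools policy.

# 1. Programs started with Windows: list every Run/RunOnce entry for review.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSDrive/... bookkeeping properties PowerShell adds.
            if ($p.Name -notlike 'PS*') {
                "{0}\{1} = {2}" -f $key, $p.Name, $p.Value
            }
        }
    }
}

# 2. "Runs whenever any other program is run": the handler for .exe files.
#    On a clean system the command is "%1" %* (the program itself plus its
#    arguments). Anything else means every .exe launch goes through another file.
$exeCmdKey  = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$exeHandler = (Get-ItemProperty -Path $exeCmdKey).'(default)'
if ($exeHandler -ne '"%1" %*') {
    Write-Warning "exefile handler has been changed: $exeHandler"
} else {
    "exefile handler is the default: $exeHandler"
}

# 3. Registry Editor blocked: the DisableRegistryTools policy value.
$polKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($polKey in $polKeys) {
    $val = (Get-ItemProperty -Path $polKey -Name DisableRegistryTools `
            -ErrorAction SilentlyContinue).DisableRegistryTools
    if ($val) {
        Write-Warning "Registry Editor disabled by policy in $polKey (DisableRegistryTools=$val)"
    } else {
        "No DisableRegistryTools policy in $polKey"
    }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. The script only reads and reports; the Run entries are listed in full rather than judged automatically, because which of them are legitimate depends on what is installed on the machine.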

Even when the laborious process of eradicating the program has been completed, you are likely to find some parts of your system no longer work properly.  New and even more destructive versions are likely to follow.  If you don't want this to happen to you, make sure your Key Defences are properly set up and maintained.