Swen
Swen is a mass-mailing computer worm written in C++. It sends an email that contains the installer for the virus, disguised as a Microsoft Windows update, although it also spreads over P2P file-sharing networks, IRC and newsgroups' websites. It was first analyzed on September 18, 2003; however, it might have infected computers before then. It disables firewalls and antivirus programs.

Self-installation

The virus first sends itself via email with an attachment, posing as an update for Windows. The attachment can have a .com, .scr, .bat, .pif, or .exe file extension. If its file name starts with the letters P, Q, U, or I, it displays a fake Microsoft Update dialogue box, asking if the user wants to install a Microsoft Security Update, with the two choices "Yes" and "No". If the user presses "Yes", it displays a fake progress bar while installing the fake update. When finished, it displays another dialogue box saying: "Microsoft Internet Update Pack: This has been successfully installed." The malware then re-executes itself, followed by yet another dialogue box saying: "Microsoft Security Update Pack: This update does not need to be installed on this system." If the user chooses "No", the malware still installs itself silently in the background. Next, it checks for certain criteria by opening another dialogue box, prompting the user for their email address, username, password, SMTP server, and POP3 server. After the said fields are completed, the worm makes a copy of itself in the C:\Windows folder as an .exe file. The virus finally moves all information to the copy and terminates.

Autostart

The worm creates the following registry entry to execute upon startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<random value> = ".exe autorun"
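As an added example (not from this page or from any published Swen analysis), the following Python parses a constructed "reg export" of the HKLM Run key and flags values whose data has the "<file>.exe autorun" shape described above; the value name "hgqtz", the file "qetf.exe" and the other entries are made up.

```python
import re
from typing import List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a "reg export" of the Run key, not taken from a real
# host. The value name "hgqtz" and file "qetf.exe" are made up; only the
# "<file>.exe autorun" shape of the data follows the page's description.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%ProgramFiles%\\Windows Defender\\MSASCuiL.exe"
"hgqtz"="C:\\WINDOWS\\qetf.exe autorun"
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
'''

# Swen's entry is "<file>.exe autorun": an .exe path followed by the "autorun"
# switch is the tell, whatever the random value name happens to be.
SWEN_DATA = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?\s+autorun\s*$', re.IGNORECASE)
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_values(reg_text: str) -> List[Tuple[str, str]]:
    """Return (value name, data) pairs under the HKLM Run key of a .reg export."""
    entries, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                      # key header line
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = VALUE_LINE.match(line)
        if in_run and m:
            # .reg files double backslashes inside string data; undo that
            entries.append((m["name"], m["data"].replace("\\\\", "\\")))
    return entries

def find_swen_autostart(reg_text: str) -> List[Tuple[str, str]]:
    """Flag Run values whose data has the '<file>.exe autorun' shape."""
    hits = []
    for name, data in parse_run_values(reg_text):
        m = SWEN_DATA.match(data)
        if m:
            hits.append((name, m["path"]))
    return hits

if __name__ == "__main__":
    for name, path in find_swen_autostart(SAMPLE_REG):
        print(f"suspicious Run value {name!r} -> {path}")
```

On a live host the same check can be run against the output of "reg export" for the Run key; a hit should be confirmed by inspecting the referenced .exe rather than trusted on the name alone.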