Antivirus companies warned on Thursday that the worm, variously known as I-Worm.Swen, W32/Swen.A@mm or W32/Gibe@MM.e, had the potential to spread quickly because it is well-disguised as a security update from Microsoft. It takes advantage of a two-year-old Internet Explorer flaw that allows it to execute directly from an e-mail message without the help of the user.
On Friday, e-mail provider MessageLabs said its e-mail servers had stopped more copies of Swen than any other worm, including Klez.H, the previous top threat. The largest proportion of the 35,450 copies of Swen stopped by MessageLabs originated from the US, followed by the UK.
The first time the worm executes on a system, it contacts a Web address and updates a counter that supposedly indicates how many machines are infected--although antivirus vendors doubt that the figure is correct. As of Thursday, the counter already listed more than 500,000 infected PCs.
Antivirus vendors upgraded their assessment of Swen's threat on Friday, due to the increase in infections. Symantec, for example, shifted Swen up to a category 3 virus.
Windows users are still reeling from a series of damaging virus attacks that have caused chaos in recent weeks, partly due to the large number of Internet-connected PCs that have not patched known vulnerabilities. Swen in part relies on a flaw Microsoft first disclosed in a 2001 security bulletin, although it can also be spread by duping users into executing its attachment.
The worm affects Windows 95, Windows NT, and all newer versions, and spreads via e-mail and through IRC, Kazaa and local area networks. It attempts to disable firewall and antivirus software.
One of the e-mails that Swen uses to spread is a professional-looking message that appears to come from "MS Technical Assistance", and contains a notification of a "September 2003, Cumulative Patch", along with the virus attachment. Microsoft does not spread updates via e-mail.
When executed, the worm continues to pose as a security update, launching a message window that states: "This will install Microsoft Security Update. Do you wish to continue?" If the user clicks "Yes", the worm shows a fake installation dialogue box. If the user clicks "No", the worm still installs, but does so invisibly.
Swen installs various files to ensure that it is launched every time the system boots up. It also disables the user's ability to edit the Registry.
Users are advised not to launch attachments without first scanning them with antivirus software. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, and Trend Micro.



