The Swen worm gained some traction late last week but its progress tailed off during the weekend.
Also known as Gibe-F, Swen preyed on users' heightened fears about Windows security. It sometimes travels as an attachment to an HTML e-mail purporting to be a patch alert from Microsoft. It can also arrive impersonating an e-mail delivery failure notice. If installed, the worm will try to shut off antivirus and other security software. It also tries to spread itself through network file shares and by e-mailing copies of itself.
The worm, which does not contain a destructive payload, hit Europe hardest. U.K.-based e-mail filtering outsourcer MessageLabs Inc. had intercepted 35,450 copies of it as of midmorning EDT Friday, meaning it had topped the company's threat list for the day so far. Helsinki, Finland-based antivirus vendor F-Secure Corp., meanwhile, elevated Swen to a level 1 threat, the company's highest threat designation.
The worm most likely peaked on Friday, said Mikko Hypponen, F-Secure manager of antivirus research. The numbers were down during the weekend, which isn't unusual because e-mails aren't opened as much during that time of the week. The weekend did give systems administrators time to patch and clean up systems, he said.
Swen hit at an interesting time. Last week, Microsoft Corp. announced two new vulnerabilities in how RPC-DCOM is implemented in Windows. Either could be used to create a worm similar to Blaster, which struck in August.
Moreover, experts are watching for the emergence of another variant of the Sobig worm. Sobig-F spread widely last month, choking e-mail systems until its pre-programmed expiration date of Sept. 10. Experts believe that family of worms is being used to create open relays for spamming.
Some experts are calling Swen a variant of the Gibe worm, but most consider it a new worm. Swen was likely written by that worm's author -- it has features similar to those of Gibe variants, according to F-Secure.
The worm is more of a threat to home users and small offices because it travels as an executable file. Most enterprises strip executables at the gateway. Also, the bogus alert e-mail should set off warning lights to recipients because Microsoft does not send fixes via e-mail. Instead it refers people to its download page.
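The two gateway checks this paragraph describes (strip executables, and distrust mail claiming to be a vendor patch or a bounce) as an added example; this is not the article's or any vendor's code, and the lure wording, extension list and sample message are assumptions constructed for the demonstration:

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions a gateway policy would strip; Swen travels as an executable (assumed list)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Wording of the two lures the article describes; exact worm text is assumed, not quoted
LURE_PHRASES = ("security update", "security patch", "delivery failure", "undeliverable")


def is_executable_attachment(part) -> bool:
    """True when an attachment has an executable extension or a PE 'MZ' header."""
    name = (part.get_filename() or "").lower()
    if any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == b"MZ"


def classify_message(raw: bytes) -> dict:
    """Gateway findings for one RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    executables = [p.get_filename() for p in msg.walk()
                   if p.get_content_disposition() == "attachment"
                   and is_executable_attachment(p)]
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    lures = [phrase for phrase in LURE_PHRASES if phrase in text]
    claims_microsoft = "microsoft" in msg.get("From", "").lower() or "microsoft" in text
    return {
        "executables": executables,
        "lure_phrases": lures,
        "claims_microsoft": claims_microsoft,
        # Policy from the article: enterprises strip executables regardless of wording
        "block": bool(executables),
        # Extra signal: an executable plus a vendor-patch or bounce lure
        "suspicious": bool(executables) and (claims_microsoft or bool(lures)),
    }


def build_sample_lure() -> bytes:
    """Constructed message imitating the patch-alert lure; harmless stub attachment."""
    m = EmailMessage()
    m["From"] = "MS Security Center <update@example.invalid>"  # placeholder sender
    m["Subject"] = "Latest Microsoft Security Update"
    m.set_content("Install this cumulative patch to protect your system.")
    m.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                     subtype="octet-stream", filename="patch.exe")
    return m.as_bytes()
```

Run `classify_message(build_sample_lure())` to see the constructed lure flagged as both blocked and suspicious; a plain text message with no attachment returns `block: False`.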
If the worm is installed, a window pops up that reads "This will install Microsoft Security Update" and asks the user to click "yes" or "no." If "yes" is clicked, then a bogus installation dialog comes up. The worm will install if either button is clicked.
Swen disables registry tools so users can't run the Regedit utility or import REG file data, alerts said. The worm also prepares systems for copies of itself to be shared via the Kazaa peer-to-peer network. When it copies itself, it uses such names as "XXX Pictures," "XboX Emulator" and "Download Accelerator."
The worm also searches the hard drives of infected systems for e-mail addresses that it can send copies of itself to with its own SMTP engine. It looks for addresses in .html, .asp, .eml, .dbx, .wab and .mbx files. It also searches for e-mail addresses from newsgroups.
Swen also tries to spread via IRC networks. The worm tries to send a copy of itself as "WinZip installer.zip" to every user joining a channel where an infected user is present.
The author of the worm seems to want to keep tabs on his creation. When it first runs, the worm sends an HTTP GET request to a server that displays counter information.