Antivirus companies are warning Internet users about W32.Swen, a new worm that spreads using e-mail messages, vulnerable network connections, Internet Relay Chat (IRC) and peer-to-peer (P-to-P) networks.
First detected on Thursday, Swen exploits a security hole in Microsoft Corp.’s Internet Explorer Web browser and affects all supported versions of the Windows operating system, according to F-Secure Corp. of Helsinki.
The worm poses as a software security update from Microsoft prompting users with “Yes” or “No” buttons to agree to install the update and even an installation “progress” bar if they do agree.
However, the worm code is installed regardless of what users select. Once on an infected system, Swen alters the configuration of the Windows operating system so that the worm is launched whenever Windows is started. The worm also detects and disables antivirus software or other Windows features that could be used to disable it, according to F-Secure.
Like other mass mailing worms, Swen scans an infected machine’s hard drive for e-mail addresses and uses those to send out more copies of itself, skimming Simple Mail Transfer Protocol (SMTP) server addresses and user names from Windows.
Infected e-mail messages are formatted to look like official correspondence from Microsoft. The messages appear to come from one of a variety of randomly generated senders like “MS Technical Assistance,” and advertise a “cumulative patch” for Internet Explorer to patch “three newly discovered vulnerabilities,” F-Secure said.
The worm also can detect the presence of IRC clients or the Kazaa P-to-P file-sharing software and distribute itself on those networks. Swen places a specialized script file that sends a virus file to every computer on the same IRC channel as the infected computer.
For machines running Kazaa file-sharing software, Swen enables the file-sharing feature, if it is not already enabled, and places multiple copies of itself in the Kazaa shared files folder disguised as Kazaa client software, pirated software or other popular applications, F-Secure said.
F-Secure, Network Associates Inc. and Symantec Corp. all issued warnings about Swen Thursday, indicating that the worm is spreading on the Internet.
More than one antivirus company noted the similarity between Swen and an earlier worm, W32.Gibe, which appeared in February. Like Swen, Gibe also attempted to spread via e-mail, as well as Kazaa and IRC networks while posing as a piece of legitimate Microsoft software when installed.
Customers are being advised to update their antivirus definitions to detect Swen.
