IS SPREADING RAPIDLY
Virus Name : W32.Swen.A@mm
Alias : Swen, W32/Gibe.E-mm, I-Worm.Swen, W32/Gibe-F,
Virus type : Internet
level : Medium
Swen aka Gibe.F is
an Internet worm, spreads using e-mail,
KaZaA, IRC and network shares. Swen worm sends fakes
email as it is an update coming from
Microsoft. It is very similar to Gibe Worm and uses its
own SMTP engine to send infected mails.
infected e-mail attachment and e-mail subject is chosen from
the list given in the worm. The
message body is details shown below.
worm copies itself with a random name in Windows folder
and drops swen1.dat, germs0.dbv files in the infected system. It
displays the following messages and installs in the
background. If the user selected "No" button, the
worm installs without displaying message box.
modifies several registry keys to load automatically. The
registry modification is given below.
"< random characters >"= "<random file
also modifies default keys for EXE, COM, REG, BAT, PIF and SCR
files in the registry.
Swen worm collects e-mail addresses
stored in the local system to send infected messages. Swen worm disables registry tool
REGEDIT.EXE and antivirus programs installed in the infected system. The
worm displays the following fake error message box
Swen worm copies to the shared network
drives startup folder in the network. So the infected files
will be executed automatically on the next startup. It also searches for mIRC folder
and drops script.ini to infect the users in the IRC channel. In case of KaZaA, it creates a
random folder in the Windows Temp directory and modifies the registry
to share the infected folder.
also uses two year old IFRAME vulnerability when infecting via e-mail. Microsoft released security patches to close this security hole. If you haven't installed, you can get a copy at
can I protect my system?
has incorporated W32.Swen.A@mm in its signature file to
protect users from this worm attack. Solo antivirus registered
users are already protected from this worm. Make sure that you
have installed registered version of Solo Antivirus to protect
your system from all virus threats.
system is not working. What to do?
you have deleted the worm file manually or deleted the worm
file with some other antivirus software before fixing the
registry, your applications
will not work. You have to follow the instructions given below to
fix the problem.
1. Open the
notepad and type the following. [Notepad
will work in the problem pc. You should not miss comma, quotation marks while tying].
;Registry fix for Swen worm
HKCR, "exefile\shell\open\command",,0,"""%1"" %*"
HKCR, "comfile\shell\open\command",,0,"""%1"" %*"
2. Save the
contents as an INF file [Example: FixSwen.INF]
3. Using Windows
explorer, right click on the saved file and choose
"Install". It will modify the registry and allow you
to run EXE and COM files.
4. Now you can
establish Internet connection. Download and run this tool SwenFix.exe
to fix other registry entries. Instead of deleting the worm
files manually, you can use Solo antivirus trial version to
remove the worm.
to remove this worm?
you are already infected with this worm, you can remove it
from your computer using Solo Antivirus software. Solo
antivirus can detect and remove W32.Swen.A@mm safely.
Use the following link to Download 30 day trial
version of Solo antivirus
to remove viruses from your computer.
Solo anti-virus not only
scans for all viruses, it contains a unique System
Integrity Checker to protect you from
New Internet Worms, Backdoors and
malicious VB, Java Scripts. It also
effectively removes all existing Internet Worms,
File viruses, malicious VBS, Java scripts,
Trojans, Backdoors, boot sector, partition table
and macro viruses.
purchase Solo antivirus using the link