How to Remove Swen.A worm virus

What is the Swen.A worm?
The Swen.A worm is a mass-mailing worm that uses its own mailing engine to spread itself. It can spread through email, newsgroups, file sharing networks like Kazaa and IRC, as well as shared network drives. It poses as a legitimate "security" email from Microsoft telling the user to download and install the "September 2003, Cumulative Patch" update to protect yourself from problems. The only problem with this is there isnt an official "September 2003, Cumulative Patch", and Microsoft never sends patches like this via email. Microsoft releases patches on their Windows Update Service for customers to download not through email.

The worm also attempts to kill most antivirus and personal firewall programs running on the computer making the system vulnerable to other viruses spreading on the Internet.

The worm can arrive as an email attachment. The subject, body, and From: address of the email may vary. Some examples claim to be patches for Microsoft Internet Explorer, or delivery failure notices from qmail. The email will look similar to the following picture:

swenemail.gif (36144 bytes)

The Swen worm sends a copy of itself to the address found on the infected computer (it searches for email addresses found in .html, .asp, .eml, .dbx, .wab, .mbx files on the hard drive). The FROM, SUBJECT, and attachment names can vary. The worm may use an incorrect MIME Header exploit, mentioned in Microsoft Security Bulletin MS01-020, to ensure that it is automatically executed when the mail is viewed.

Every attachment has one of the following filenames with a random number appended to it. The file is either an exe file or a zip file.

  • Patch
  • Upgrade
  • Update
  • Installer
  • Install
  • Pack
  • Q

It also produces a fake MAPI32 error message on occasion that appears to try to steal usernames, passwords, pop3 and smtp server information. The virus will then attempt to log into the users account and delete any of the emails sent by the Swen.A worm

The MAPI32 error message is shown below:

swenmapi32.gif (12543 bytes)


How Can I Remove the Swen.A worm?

Follow these steps in removing the Swen.A worm.

1) Terminate the running program

  • Open the Windows Task Manager by either pressing CTRL+ALT+DEL on Win9x machines or CTL+Shift+Tab and clicking on the Processes tab on WinNT/2000/XP machines.
  • Locate the following worm, click on it and End Task or End Process

    The worm will be randomly named file, as an alternative, sort the list by the user and End task on each program running under the local user except for Explorer and Systray
  • Close Task Manager

2) Reactivate the Registry and Reassociate files.

The worm disables the registry by adding the following value to it


Because of this, you will be unable to open REGEDIT to fix the problems. If you have Windows ME or Windows XP, you could run the System Restore procedure and choose a date previous to the virus infection. Although as an alternative, I have created a Visual Basic Script (.vbs) file that changes the above registry value and fixes the file association problems caused by the swen worm.

You can download the vbs file by clicking here. This is a Visual Basic Scripting file, so you'll have to have the Windows Scripting Host installed. You can download the following file to disable or reenable the Windows Scripting Host.


3) Download and run the Symantec Swen.A virus removal tool to

  • Terminate the W32.Swen.A@mm viral processes completely
  • Delete the W32.Swen.A@mm files.
  • Delete the dropped files for Kazaa, IRC and newsgroup propogation.
  • Delete the registry values that the worm added.

Special Note for Windows ME and Windows XP:
If the removal tool shows the files cannot be removed because they are in the backed up RESTORE folder, then you'll have to:

4) Download the Security Patch for this exploit

The virus uses an old Microsoft Internet Vulnerability known as the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment Exploit. Some of the infected email messages that the worm sends contain this vulnerability and can cause the worm attachment to execute automatically upon preview of the infected email. More information on this vulnerability can be found at:

Incorrect MIME Header Can Cause IE to Execute E-mail Attachment Exploit

5) Reboot the computer, update your antivirus software, and run a thorough virus scan using your favorite antivirus program.


space.gif (58 bytes)


site search by freefind advanced


Tools for Removing Spyware, Adware, and Malware

Other Pages

Spyware/Adware Removal Help

MSBlast.exe Worm Removal

Welchia (Dllhost.exe and SVCHost.exe) Worm Removal

Uninstall McAfee Instructions

Uninstall Norton Instructions

Uninstall Avast Instructions

Uninstall AVG Instructions

Uninstall Antivir Instructions

Uninstall Panda Instructions

How to Manually Run the Microsoft Malicious Software Removal Tool

Bloodhound.Exploit.6 Virus Removal

MyDoom Virus Removal

MiMail.C Virus Removal

Swen Worm Virus Removal

SoBig.F Worm Removal

Dumaru Virus Removal

BugBear.B Worm Removal

SoBig.E Worm Removal

Pop Up Ad Removal Info

KAK Worm Removal

MiMail.A Worm Removal

W95.MTX Virus Removal

Snow White Virus Removal

BadTrans Trojan Removal

Wininit Virus (Bymer Trojan)

Happy99 Worm Removal

VBS Netlog Worm Removal

Pretty Park Worm Removal

Sasser Worm Virus Removal

Backdoor SDBot.H Trojan Removal

VBS.Loveletter Help

Computer Security Information

Back Orifice Information

PC HELL Main Page


iPadastic - News, Tutorials, Help, Tips, and Hints for the iPad

Download Hoyle Games
including Casino 3D, Card, Board, and Solitaire games.

Written by Mark Hasting

Recommended Software for PC Hell Visitors
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware
iolo System Mechanic® - Fix, Speed Up Your PC
iolo System Mechanic®
Emsisoft Anti Malware
Emsisoft Anti Malware
space.gif (58 bytes)


Return to PC Hell
Return to PC Hell