PC Hell: Swen Worm Virus Removal Instructions

How to Remove Swen.A worm virus

What is the Swen.A worm?

The Swen.A worm is a mass-mailing worm that uses its own mailing engine to spread itself. It can spread through email, newsgroups, file sharing networks like Kazaa and IRC, as well as shared network drives. It poses as a legitimate "security" email from Microsoft telling the user to download and install the "September 2003, Cumulative Patch" update to protect yourself from problems. The only problem with this is there isnt an official "September 2003, Cumulative Patch", and Microsoft never sends patches like this via email. Microsoft releases patches on their Windows Update Service for customers to download not through email.

The worm also attempts to kill most antivirus and personal firewall programs running on the computer making the system vulnerable to other viruses spreading on the Internet.

The worm can arrive as an email attachment. The subject, body, and From: address of the email may vary. Some examples claim to be patches for Microsoft Internet Explorer, or delivery failure notices from qmail. The email will look similar to the following picture:

swenemail.gif (36144 bytes)

The Swen worm sends a copy of itself to the address found on the infected computer (it searches for email addresses found in .html, .asp, .eml, .dbx, .wab, .mbx files on the hard drive). The FROM, SUBJECT, and attachment names can vary. The worm may use an incorrect MIME Header exploit, mentioned in Microsoft Security Bulletin MS01-020, to ensure that it is automatically executed when the mail is viewed.

Every attachment has one of the following filenames with a random number appended to it. The file is either an exe file or a zip file.

Patch
Upgrade
Update
Installer
Install
Pack
Q

It also produces a fake MAPI32 error message on occasion that appears to try to steal usernames, passwords, pop3 and smtp server information. The virus will then attempt to log into the users account and delete any of the emails sent by the Swen.A worm

The MAPI32 error message is shown below:

swenmapi32.gif (12543 bytes)

How Can I Remove the Swen.A worm?

Follow these steps in removing the Swen.A worm.

1) Terminate the running program

Open the Windows Task Manager by either pressing CTRL+ALT+DEL on Win9x machines or CTL+Shift+Tab and clicking on the Processes tab on WinNT/2000/XP machines.
Locate the following worm, click on it and End Task or End Process

The worm will be randomly named file, as an alternative, sort the list by the user and End task on each program running under the local user except for Explorer and Systray

Close Task Manager

2) Reactivate the Registry and Reassociate files.

The worm disables the registry by adding the following value to it

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

Because of this, you will be unable to open REGEDIT to fix the problems. If you have Windows ME or Windows XP, you could run the System Restore procedure and choose a date previous to the virus infection. Although as an alternative, I have created a Visual Basic Script (.vbs) file that changes the above registry value and fixes the file association problems caused by the swen worm.

You can download the vbs file by clicking here. This is a Visual Basic Scripting file, so you'll have to have the Windows Scripting Host installed. You can download the following file to disable or reenable the Windows Scripting Host.

noscript.exe

3) Download and run the Symantec Swen.A virus removal tool to

Terminate the W32.Swen.A@mm viral processes completely
Delete the W32.Swen.A@mm files.
Delete the dropped files for Kazaa, IRC and newsgroup propogation.
Delete the registry values that the worm added.

Special Note for Windows ME and Windows XP:
If the removal tool shows the files cannot be removed because they are in the backed up RESTORE folder, then you'll have to:

Turn off System Restore
Reboot in Safe Mode
and run the removal tool again

4) Download the Security Patch for this exploit

The virus uses an old Microsoft Internet Vulnerability known as the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment Exploit. Some of the infected email messages that the worm sends contain this vulnerability and can cause the worm attachment to execute automatically upon preview of the infected email. More information on this vulnerability can be found at:

Incorrect MIME Header Can Cause IE to Execute E-mail Attachment Exploit
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

5) Reboot the computer, update your antivirus software, and run a thorough virus scan using your favorite antivirus program.