How to Remove Swen.A worm
the Swen.A worm?
The worm also attempts to kill most antivirus and personal firewall programs running on the computer making the system vulnerable to other viruses spreading on the Internet.
The worm can arrive as an email attachment. The subject, body, and From: address of the email may vary. Some examples claim to be patches for Microsoft Internet Explorer, or delivery failure notices from qmail. The email will look similar to the following picture:
The Swen worm sends a copy of itself to the address found on the infected computer (it searches for email addresses found in .html, .asp, .eml, .dbx, .wab, .mbx files on the hard drive). The FROM, SUBJECT, and attachment names can vary. The worm may use an incorrect MIME Header exploit, mentioned in Microsoft Security Bulletin MS01-020, to ensure that it is automatically executed when the mail is viewed.
Every attachment has one of the following filenames with a random number appended to it. The file is either an exe file or a zip file.
It also produces a fake MAPI32 error message on occasion that appears to try to steal usernames, passwords, pop3 and smtp server information. The virus will then attempt to log into the users account and delete any of the emails sent by the Swen.A worm
The MAPI32 error message is shown below:
How Can I Remove the Swen.A worm?
Follow these steps in removing the Swen.A worm.
1) Terminate the running program
2) Reactivate the Registry and Reassociate files.
The worm disables the registry by adding the following value to it
Because of this, you will be unable to open REGEDIT to fix the problems. If you have Windows ME or Windows XP, you could run the System Restore procedure and choose a date previous to the virus infection. Although as an alternative, I have created a Visual Basic Script (.vbs) file that changes the above registry value and fixes the file association problems caused by the swen worm.
You can download the vbs file by clicking here. This is a Visual Basic Scripting file, so you'll have to have the Windows Scripting Host installed. You can download the following file to disable or reenable the Windows Scripting Host.
3) Download and run the Symantec Swen.A virus removal tool to
Note for Windows ME and Windows XP:
4) Download the Security Patch for this exploit
The virus uses an old Microsoft Internet Vulnerability known as the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment Exploit. Some of the infected email messages that the worm sends contain this vulnerability and can cause the worm attachment to execute automatically upon preview of the infected email. More information on this vulnerability can be found at:
MIME Header Can Cause IE to Execute E-mail Attachment Exploit
5) Reboot the computer, update your antivirus software, and run a thorough virus scan using your favorite antivirus program.
|Recommended Software for PC Hell Visitors|
iolo System Mechanic®
Emsisoft Anti Malware