Alias: Swen [F-Secure], W32/Swen@mm [McAfee], W32/Gibe-F [Sophos], I-Worm.Swen [KAV], Win32 Swen.A [CA], WORM_SWEN.A [Trend], Worm.Automat.AHB [Previous Symantec Detection]
Type: Worm
Size: 106,496 Bytes
Origin:
Date: 00-00-0000
Damage: Spreads by email, KaZaA, IRC, mapped drives and Newsgroups.
VDF Version:
Danger: Low
Distribution: High

Distribution
The worm spreads by email, KaZaA, IRC, mapped drives and Newsgroups. The email has the following structure:

Subject: One of two different subjects is used, each assembled from the following groups of words:

Subject 1:
Group 1:
Current
Newest
Last
New
Latest
%empty%

Group 2:
Net
Network
Microsoft
Internet
%empty%

Group 3:
Critical
Security
%empty%

Group 4:
Patch
Update
Pack
Upgrade

Subject 2:
Group 1:
RE:
FWD:
FW:
%empty%

Group 2:
Check
Checkout
Prove
Taste
Try
TryOn
LookAt
TakeALookAt
See
Watch
Use
Apply
Install
%empty%

Group 3:
this
that
the
these
%empty%

Group 4:
important
internet
critical
security
corrective
correction
%empty%

Group 5:
pack
package
patch
updat

In most cases, subject 2 ends here.

Group 6:
for
%empty%

Group 7:
Windows
Internet Explorer
%empty, if group 6 is empty, too%

The subjects can end here.

Group 8:

which
that
%empty%

Group 9:
came
comes
%empty, if group 8 is also empty%

Group 10:

from

Group 11:

the
%empty%

Group 12:

MS
Microsoft
M$

Group 13:

Corporation
Corp.
%empty%

Attachment:
Patch
Upgrade
Update
Installer
Install
Pack
Q

followed by a series of random digits and a .exe or .zip extension.
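
The two subject templates above are a small grammar; the following added example (not part of the original description) turns it into a matcher that can be run over incoming subject lines. It assumes that multi-word entries such as "TakeALookAt" appear with spaces in the actual subject, and it encodes the two stated constraints (a bare "for" and a bare "which"/"that" are not allowed).

```python
def _phrases(*words):
    """Lower-cased token tuples, so matching is case-insensitive."""
    return [tuple(w.lower().split()) for w in words]

# Each entry: (alternatives, optional). Optional groups may be left empty.
SUBJECT1 = [
    (_phrases("Current", "Newest", "Last", "New", "Latest"), True),
    (_phrases("Net", "Network", "Microsoft", "Internet"), True),
    (_phrases("Critical", "Security"), True),
    (_phrases("Patch", "Update", "Pack", "Upgrade"), False),
]
SUBJECT2 = [
    (_phrases("RE:", "FWD:", "FW:"), True),
    # assumption: "TryOn", "LookAt", "TakeALookAt" are written with spaces
    (_phrases("Check", "Checkout", "Prove", "Taste", "Try", "Try On", "Look At",
              "Take A Look At", "See", "Watch", "Use", "Apply", "Install"), True),
    (_phrases("this", "that", "the", "these"), True),
    (_phrases("important", "internet", "critical", "security",
              "corrective", "correction"), True),
    (_phrases("pack", "package", "patch", "updat"), False),
    # groups 6+7: "for" is only valid when a product name follows it
    (_phrases("for Windows", "for Internet Explorer", "Windows", "Internet Explorer"), True),
    # groups 8+9: "which"/"that" is only valid when "came"/"comes" follows it
    (_phrases("which came", "which comes", "that came", "that comes", "came", "comes"), True),
    (_phrases("from"), False),
    (_phrases("the"), True),
    (_phrases("MS", "Microsoft", "M$"), False),
    (_phrases("Corporation", "Corp."), True),
]
SUBJECT2_ENDS = {5, 6}  # subject 2 may stop after group 5 or after group 7

def _match(tokens, grammar, ends, i=0, g=0):
    """Backtracking match of tokens[i:] against grammar[g:]."""
    if g == len(grammar):
        return i == len(tokens)
    if i == len(tokens) and g in ends:
        return True
    alternatives, optional = grammar[g]
    if optional and _match(tokens, grammar, ends, i, g + 1):
        return True
    return any(tuple(tokens[i:i + len(p)]) == p and _match(tokens, grammar, ends, i + len(p), g + 1)
               for p in alternatives)

def swen_subject_template(subject):
    """Return 1 or 2 for the matching Swen subject template, 0 if neither matches."""
    tokens = subject.lower().split()
    if _match(tokens, SUBJECT1, set()):
        return 1
    return 2 if _match(tokens, SUBJECT2, SUBJECT2_ENDS) else 0
```

Template 1 can be as short as the single word "Update", so a subject match is one signal to combine with the attachment name pattern, not a verdict on its own.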

Through KaZaA:
The worm creates a .zip or .rar copy of itself in the %Temp% directory under a random name.
It creates the following registry entries:
HKEY_CURRENT_USER\Software\Kazaa\LocalContent "Dir99"= "012345:" "DisableSharing"="0"

Some of the possible file names:
Virus Generator
Magic Mushrooms Growing
Cooking with Cannabis
Hallucinogenic Screensaver
My naked sister
XXX Pictures
Sick Joke
XXX Video
XP update
Emulator PS2
XboX Emulator
Sex
HardPorn
Jenna Jameson
10.000 Serials
Hotmail hacker
Yahoo hacker
AOL hacker
fixtool
cleaner
removal tool
remover
Klez
Sobig
Sircam
Gibe
Yaha
Bugbear
installer
upload
warez
hacked
hack
key generator
Windows Media Player
GetRight FTP
Download Accelerator
Mirc
Winamp
WinZip
WinRar
KaZaA
KaZaA media desktop
Kazaa Lite

Through IRC:
The worm looks for the \Mirc directory.
It creates a Script.ini file in this directory, used for sending .zip, .rar or .exe worm copies to other mIRC users.

Through mapped drives, using the following Startup folders:
\Win98\Start menu\Programs\Startup
\Win95\Start menu\Programs\Startup
\WinMe\Start menu\Programs\Startup
\Windows\Start menu\Programs\Startup
\Documents and Settings\All Users\Start menu\Programs\Startup
\Documents and Settings\Administrator\Start menu\Programs\Startup
\Documents and Settings\Default User\Start menu\Programs\Startup
\Winnt\Profiles\All Users\Start menu\Programs\Startup
\Winnt\Profiles\Administrator\Start menu\Programs\Startup
\Winnt\Profiles\Default User\Start menu\Programs\Startup

Through Newsgroups:
The worm looks for email addresses in registry entries. If no newsgroup server is configured on the system, the worm picks a random one from its built-in list. Messages sent to newsgroups are built in the same way as the emails.

Technical Details
When activated, Worm/Gibe.C.1 checks whether it has already been installed on the computer. If this is the case, the installation process ends and a message is displayed:
"This update does not need to be installed on this system"

If the name of the opened file begins with q, u, p or i, a dialog box appears:
"This will install Microsoft Security Update.
Do you wish to continue?"

The worm is installed either way: if the user chooses "No", the installation runs hidden; if the user presses "Yes", the installation windows are displayed.

Then, the worm tries to terminate the following processes:
_avp
Azonealarm
avwupd32
avwin95
avsched32
avp
avnt
avkserv
avgw
avgctrl
avgcc32
ave32
avconsol
autodown
apvxdwin
aplica32
anti-trojan
ackwin32
bootwarn
blackice
blackd
claw95
cfinet
cfind
cfiaudit
cfiadmin
ccshtdwn
ccapp
dv95
espwatch
esafe
efinet32
ecengine
f-stopw
frw
fp-win
f-prot95
fprot95
f-prot
fprot
findviru
f-agnt95
gibe
iomon98
iface
icsupp
icssuppnt
icmoon
icmon
icloadnt
icload95
ibmavsp
ibmasn
iamserv
iamapp
jedi
kpfw32
luall
lookout
lockdown2000
msconfig
mpftray
moolive
nvc95
nupgrade
nupdate
normist
nmain
nisum
navw
navsched
navnt
navlu32
navapw32
nai_vs_stat
outpost
pview
pop3trap
persfw
pcfwallicon
pccwin98
pccmain
pcciomon
pavw
pavsched
pavcl
padmin
rescue
regedit
rav
sweep
sphinx
serv95
safeweb
tds2
tca
vsstat
vshwin32
vsecomr
vscan
vettray
vet98
vet95
vet32
vcontrol
vcleaner
wfindv32
webtrap
zapro

A copy of the worm is saved in the %Windir% directory under an arbitrary name.

It searches for email addresses in files with the following extensions:
.html
.asp
.eml
.dbx
.wab
.mbx

The addresses found are collected in the file C:\%Windir%\Germs0.dbv.
The file C:\%Windir%\Swen1.dat stores the list of messages and mail servers.

Registry entries:

-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\* "CacheBox Outfit"="yes" "ZipName"="" "Email Address"="" "Server"="" "Mirc Install Folder"="" "Installed"="...by Begbie" "Install Item"="" "Unfile"=""
where * stands for random characters.

-The autostart entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

-The worm attaches itself to the following entries:
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command

HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command

HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command

HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command

HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command

-It also modifies:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = "1"
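
The registry changes listed above can be checked offline from a .reg export taken on a suspect machine. The following added example (not the vendor's own tool) parses such an export and reports the three indicators: a shell\open\command that no longer equals the stock Windows launcher (the stock values are the usual defaults and are an assumption here), DisableRegistryTools set to 1, and the "...by Begbie" marker under an explorer subkey. The sample export is constructed; "randomname.exe" is a placeholder for the worm's arbitrary file name.

```python
import re

# Stock "open" commands for the file classes the worm attaches itself to (assumed defaults).
STOCK_OPEN_COMMANDS = {
    "exefile": '"%1" %*', "comfile": '"%1" %*', "batfile": '"%1" %*',
    "piffile": '"%1" %*', "scrfile": '"%1" /S', "regfile": 'regedit.exe "%1"',
}
_OPEN_CMD_KEY = re.compile(r"^HKEY_LOCAL_MACHINE\\Software\\CLASSES\\(\w+)\\shell\\open\\command$", re.I)

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; the default value is named '@'."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree[current] = {}
        elif current and "=" in line:
            name, data = line.split("=", 1)
            if data.startswith('"') and data.endswith('"'):  # REG_SZ: unescape \" and \\
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            tree[current][name.strip('"')] = data
    return tree

def swen_registry_findings(tree):
    """List the registry indicators described above that are present in the export."""
    findings = []
    for key, values in tree.items():
        m = _OPEN_CMD_KEY.match(key)
        cls = m.group(1).lower() if m else None
        if cls in STOCK_OPEN_COMMANDS and values.get("@") != STOCK_OPEN_COMMANDS[cls]:
            findings.append(f"{cls} open command hijacked: {values.get('@')}")
        if key.lower().endswith("\\policies\\system") and values.get("DisableRegistryTools") == "dword:00000001":
            findings.append("DisableRegistryTools=1 (registry tools blocked)")
        if "\\currentversion\\explorer\\" in key.lower() and "by Begbie" in values.get("Installed", ""):
            findings.append(f"worm marker under {key}")
    return findings

# Constructed sample export; "randomname.exe" stands for the worm's arbitrary file name.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"C:\\WINDOWS\\randomname.exe\" \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\AbCdEf]
"Installed"="...by Begbie"
'''
```

Because the exefile handler is hijacked, cleaning should restore that value before any .exe removal tool is launched; otherwise the tool itself starts the worm.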

At regular intervals a "MAPI32 Corruption" window appears.
The worm logs on to the POP3 server with the user's name and checks the mail. An error window is then displayed and, finally, a reply number.
This description was created by Crony Walker on Tuesday, 15 June 2004
