Alias:
Swen [F-Secure], W32/Swen@mm [McAfee], W32/Gibe-F [Sophos], I-Worm.Swen [KAV], Win32 Swen.A [CA], WORM_SWEN.A [Trend], Worm.Automat.AHB [Previous Symantec Detection]
Type:
Worm
Size:
106,496 Bytes
Origin:
Date:
00-00-0000
Damage:
Spreads by email, KaZaA, IRC, mapped drives and Newsgroups.
VDF Version:
Danger:
Low
Distribution:
High
Distribution
The worm spreads by email, KaZaA, IRC, mapped drives and newsgroups. The email has the following structure:
Subject: the worm uses one of two subject patterns, each assembled from the following word groups:
Subject 1:
Group 1:
Current
Newest
Last
New
Latest
%empty%
Group 2:
Net
Network
Microsoft
Internet
%empty%
Group 3:
Critical
Security
%empty%
Group 4:
Patch
Update
Pack
Upgrade
Subject 2:
Group 1:
RE:
FWD:
FW:
%empty%
Group 2:
Check
Checkout
Prove
Taste
Try
TryOn
LookAt
TakeALookAt
See
Watch
Use
Apply
Install
%empty%
Group 3:
this
that
the
these
%empty%
Group 4:
important
internet
critical
security
corrective
correction
%empty%
Group 5:
pack
package
patch
updat
In most cases, subject 2 ends here.
Group 6:
for
%empty%
Group 7:
Windows
Internet Explorer
%empty, if group 6 is empty, too%
The subjects can end here.
Group 8:
which
that
%empty%
Group 9:
came
comes
%empty, if group 8 is also empty%
Group 10:
from
Group 11:
the
%empty%
Group 12:
MS
Microsoft
M$
Group 13:
Corporation
Corp.
%empty%
Attachment:
Patch
Upgrade
Update
Installer
Install
Pack
Q
followed by a series of random digits and an .exe or .zip extension.
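The subject grammar and attachment naming above can be turned into a mail-filter check. The following is an added example, not code from Avira or from this description: it builds one regular expression from the word groups listed for Subject 1 and Subject 2 (the two Subject 2 tails are treated as optional as a whole, an approximation of the "empty only if group N is empty" rules) and matches attachment names of the form stem plus digits plus .exe/.zip. The function name is_swen_like is an assumption.

```python
import re

# Word groups transcribed from the description above; "" stands for %empty% and makes
# the group optional. "updat" is kept exactly as the description lists it.
SUBJECT1 = [
    ["Current", "Newest", "Last", "New", "Latest", ""],
    ["Net", "Network", "Microsoft", "Internet", ""],
    ["Critical", "Security", ""],
    ["Patch", "Update", "Pack", "Upgrade"],
]
SUBJECT2 = [
    ["RE:", "FWD:", "FW:", ""],
    ["Check", "Checkout", "Prove", "Taste", "Try", "TryOn", "LookAt", "TakeALookAt",
     "See", "Watch", "Use", "Apply", "Install", ""],
    ["this", "that", "the", "these", ""],
    ["important", "internet", "critical", "security", "corrective", "correction", ""],
    ["pack", "package", "patch", "updat"],
]
# Subject 2 tails (groups 6-7 and 8-13), each optional as a whole (approximation).
TAIL_FOR = r"for\s*(?:Windows|Internet\s*Explorer)"
TAIL_FROM = (r"(?:(?:which|that)\s*(?:came|comes)?\s*)?from\s*(?:the\s*)?"
             r"(?:MS|Microsoft|M\$)\s*(?:Corporation|Corp\.)?")
ATTACHMENT_STEMS = ["Patch", "Upgrade", "Update", "Installer", "Install", "Pack", "Q"]


def group_regex(groups):
    """Chain word groups into one pattern; a group containing "" becomes optional."""
    parts = []
    for words in groups:
        alts = "|".join(re.escape(w) for w in words if w)
        parts.append("(?:%s)%s" % (alts, "?" if "" in words else ""))
    return r"\s*".join(parts)


SUBJECT_RE = re.compile(
    r"^\s*(?:%s|%s(?:\s*%s)?(?:\s*%s)?)\s*$"
    % (group_regex(SUBJECT1), group_regex(SUBJECT2), TAIL_FOR, TAIL_FROM),
    re.IGNORECASE,
)
ATTACHMENT_RE = re.compile(
    r"^(?:%s)\d+\.(?:exe|zip)$" % "|".join(ATTACHMENT_STEMS), re.IGNORECASE
)


def is_swen_like(subject, attachment=None):
    """True when the subject fits the worm's grammar and, if an attachment name is
    given, it also fits '<stem><digits>.exe|zip' (e.g. Q123456.exe)."""
    if not SUBJECT_RE.match(subject):
        return False
    return attachment is None or bool(ATTACHMENT_RE.match(attachment))
```

Subjects that end after group 5 or group 7 match as well, since both tails are optional.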
Through KaZaA:
The worm creates a .zip or .rar copy of itself with a random name in the %Temp% directory.
It adds the following registry entry:
HKEY_CURRENT_USER\Software\Kazaa\LocalContent "Dir99"= "012345:" "DisableSharing"="0"
Some of the possible file names:
Virus Generator
Magic Mushrooms Growing
Cooking with Cannabis
Hallucinogenic Screensaver
My naked sister
XXX Pictures
Sick Joke
XXX Video
XP update
Emulator PS2
XboX Emulator
Sex
HardPorn
Jenna Jameson
10.000 Serials
Hotmail hacker
Yahoo hacker
AOL hacker
fixtool
cleaner
removal tool
remover
Klez
Sobig
Sircam
Gibe
Yaha
Bugbear
installer
upload
warez
hacked
hack
key generator
Windows Media Player
GetRight FTP
Download Accelerator
Mirc
Winamp
WinZip
WinRar
KaZaA
KaZaA media desktop
Kazaa Lite
Through IRC:
The worm looks for a \Mirc directory.
It creates a Script.ini file in this directory that sends .zip, .rar or .exe copies of the worm to other mIRC users.
Through mapped drives:
\Win98\Start menu\Programs\Startup
\Win95\Start menu\Programs\Startup
\WinMe\Start menu\Programs\Startup
\Windows\Start menu\Programs\Startup
\Documents and Settings\All Users\Start menu\Programs\Startup
\Documents and Settings\Administrator\Start menu\Programs\Startup
\Documents and Settings\Default User\Start menu\Programs\Startup
\Winnt\Profiles\All Users\Start menu\Programs\Startup
\Winnt\Profiles\Administrator\Start menu\Programs\Startup
\Winnt\Profiles\Default User\Start menu\Programs\Startup
Through Newsgroups:
The worm looks for email addresses in the registry entries. If there is no newsgroup server configured on the system, the worm chooses a random one from its prepared list. The message sent to the newsgroups follows the same routine as the emails.
Technical Details
When activated, Worm/Gibe.C.1 checks if it has already been installed on the computer. If this is the case, the installation process ends and a message is displayed:
"This update does not need to be installed on this system"
If the opened file's name begins with q, u, p or i, a dialog box appears:
"This will install Microsoft Security Update.
Do you wish to continue?"
The worm is installed either way: if the user chooses "No", the installation runs hidden; if the user presses "Yes", the installation windows are displayed.
The worm then tries to terminate the following processes:
_avp
Azonealarm
avwupd32
avwin95
avsched32
avp
avnt
avkserv
avgw
avgctrl
avgcc32
ave32
avconsol
autodown
apvxdwin
aplica32
anti-trojan
ackwin32
bootwarn
blackice
blackd
claw95
cfinet
cfind
cfiaudit
cfiadmin
ccshtdwn
ccapp
dv95
espwatch
esafe
efinet32
ecengine
f-stopw
frw
fp-win
f-prot95
fprot95
f-prot
fprot
findviru
f-agnt95
gibe
iomon98
iface
icsupp
icssuppnt
icmoon
icmon
icloadnt
icload95
ibmavsp
ibmasn
iamserv
iamapp
jedi
kpfw32
luall
lookout
lockdown2000
msconfig
mpftray
moolive
nvc95
nupgrade
nupdate
normist
nmain
nisum
navw
navsched
navnt
navlu32
navapw32
nai_vs_stat
outpost
pview
pop3trap
persfw
pcfwallicon
pccwin98
pccmain
pcciomon
pavw
pavsched
pavcl
padmin
rescue
regedit
rav
sweep
sphinx
serv95
safeweb
tds2
tca
vsstat
vshwin32
vsecomr
vscan
vettray
vet98
vet95
vet32
vcontrol
vcleaner
wfindv32
webtrap
zapro
A copy of the worm is saved in the %Windir% directory under a random name.
It searches for email addresses in files with the following extensions:
.html
.asp
.eml
.dbx
.wab
.mbx
The addresses found are collected in the file C:\%Windir%\Germs0.dbv.
The file C:\%Windir%\Swen1.dat stores the list of messages and mail servers.
Registry entries:
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\* "CacheBox Outfit"="yes" "ZipName"="" "Email Address"="" "Server"="" "Mirc Install Folder"="" "Installed"="...by Begbie" "Install Item"="" "Unfile"=""
where * stands for random characters.
-The autostart entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
-The worm attaches itself to the following entries:
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command
-It also modifies:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = "1"
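A defender-side check for the persistence entries listed above, added here as an example and not part of Avira's tooling: it compares the default value of each listed file class's shell\open\command with an assumed clean Windows baseline (the worm inserts its own executable in front of the original command) and flags the DisableRegistryTools policy. The baselines, the function names and the sample worm path are assumptions; on Windows the values can be read live with winreg, elsewhere the constructed sample is used.

```python
# Assumed clean default "open" commands for the file classes the description names
# (a third-party handler may legitimately differ; treat a mismatch as a lead).
BASELINES = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
    "regfile": 'regedit.exe "%1"',
}


def find_hijacks(open_commands, registry_tools_disabled=False):
    """Report every class whose open command is not its baseline, plus the policy."""
    findings = []
    for cls, expected in BASELINES.items():
        actual = " ".join((open_commands.get(cls) or "").split())  # normalise spaces
        if actual.lower() != expected.lower():
            findings.append("HKLM\\Software\\Classes\\%s\\shell\\open\\command = %r"
                            % (cls, actual))
    if registry_tools_disabled:
        findings.append("HKCU\\...\\Policies\\System DisableRegistryTools = 1")
    return findings


def read_live_values():
    """On Windows, read the live values with winreg; elsewhere return None."""
    try:
        import winreg
    except ImportError:
        return None
    cmds = {}
    for cls in BASELINES:
        path = r"Software\Classes\%s\shell\open\command" % cls
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            cmds[cls] = winreg.QueryValueEx(key, "")[0]  # "" = the default value
    disabled = False
    try:
        policy = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, policy) as key:
            disabled = winreg.QueryValueEx(key, "DisableRegistryTools")[0] in (1, "1")
    except OSError:
        pass  # policy key or value absent: registry tools are not disabled
    return cmds, disabled


if __name__ == "__main__":
    # Constructed sample: clean except exefile and regfile carry a placeholder worm path.
    sample = dict(BASELINES, exefile=r'C:\WINDOWS\wormcopy.exe "%1" %*',
                  regfile=r'C:\WINDOWS\wormcopy.exe regedit.exe "%1"')
    cmds, disabled = read_live_values() or (sample, True)
    for line in find_hijacks(cmds, disabled):
        print(line)
```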
A "MAPI32 Corruption" window appears at regular intervals.
The worm logs in to the POP3 server with the user's name and checks the mail. An error window is then displayed and, eventually, a reply number.
Description inserted by Crony Walker on Tuesday, June 15, 2004