Remove Worm Swen.A
About Swen.A
W32.Swen.A, also known as Gibe.F, is a mass-mailing worm that uses
its own SMTP engine to spread itself. It can spread through email,
newsgroups, and file-sharing networks such as KaZaA and IRC, and it attempts
to kill antivirus and personal firewall programs running on a computer.
The worm can arrive as an email attachment. The subject, body, and From:
address of the email may vary. Some examples pretend to be patches
for Microsoft Internet Explorer, or delivery failure notices from qmail.
This worm exploits a vulnerability in Microsoft Outlook and Outlook
Express in an attempt to execute itself when you open or even preview
the message. Information and a patch for the vulnerability can be found
at: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
The emails sent by the worm look like this:
Subject: Latest Microsoft Critical Update
Message:

Attachment: Patch.zip (or Upgrade.zip, Update.zip,
Installer.zip, Install.zip, Pack.zip, Q.zip or *.exe)
When executed, the Swen worm copies itself under a random name into the
Windows folder and drops the files swen1.dat and germs0.dbv on the infected
system. It displays the following messages and installs in the background. If
the user selects the "No" button, the worm installs without displaying
the message box.

Swen modifies several registry keys so that it loads automatically. The
registry modification is given below.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"<random characters>"="<random file name> autorun"
The worm also modifies default keys for EXE, COM, REG, BAT, PIF and
SCR files in the registry.
HKEY_CLASSES_ROOT\batfile\shell\open\command
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_CLASSES_ROOT\regfile\shell\open\command
HKEY_CLASSES_ROOT\scrfile\shell\config\command
HKEY_CLASSES_ROOT\scrfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\config\command
HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command
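The following Python script is an added example, not part of the original article or of any vendor removal tool. It audits a text export of the registry (regedit .reg format) for the two changes described above: a Run value whose data ends in "autorun", and a changed default command under the listed file-type keys. The baseline command strings are assumed Windows XP-era defaults, and the sample export is constructed with placeholder names.

```python
import re

# Assumed stock commands (Windows XP era, lowercased); confirm on a clean machine.
BASELINE = {
    r"batfile\shell\open\command": '"%1" %*',
    r"comfile\shell\open\command": '"%1" %*',
    r"exefile\shell\open\command": '"%1" %*',
    r"piffile\shell\open\command": '"%1" %*',
    r"regfile\shell\open\command": 'regedit.exe "%1"',
    r"scrfile\shell\config\command": '"%1"',
    r"scrfile\shell\open\command": '"%1" /s',
}
ROOTS = ("hkey_classes_root\\", "hkey_local_machine\\software\\classes\\")
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r'\\(["\\])', r"\1", s)  # undo .reg backslash escaping

def audit(reg_text):
    """Return (key, value name, data, reason) for each suspicious entry."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not key or not m:
            continue  # file header, blank line, or non-string value
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data, low = unescape(m.group(2)), key.lower()
        if low == RUN_KEY and data.lower().endswith(" autorun"):
            findings.append((key, name, data, "Run value ends in 'autorun'"))
        for root in ROOTS:
            sub = low[len(root):] if low.startswith(root) else ""
            if sub in BASELINE and name == "(Default)" and data.lower() != BASELINE[sub]:
                findings.append((key, name, data, "handler differs from baseline"))
    return findings

# Constructed sample export; the file and value names are placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"xyzabc"="placeholder.exe autorun"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="placeholder.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''
```

Calling audit(SAMPLE) reports the Run value and the exefile handler and leaves the unmodified batfile handler alone.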
How to Remove Swen.A?
Follow these steps to remove the MiMail.I worm.
1) Turn off the System Restore function on Windows Me, Windows
XP and Windows 2003 systems.
2) Terminate the running program or reboot your system to enter
Safe mode.
To terminate the running program, open the Windows Task Manager by
either pressing CTRL+ALT+DEL on Win9x machines or CTRL+Shift+Tab and
clicking on the Processes tab on WinNT/2000/XP machines.
Since the worm runs from a randomly named file, sort the list by user
and end task on each program running under the local user except for
Explorer and Systray.
3) Download and run the Symantec Swen.A virus removal tool to:
- Terminate the W32.Swen.A@mm viral processes completely.
- Delete the W32.Swen.A@mm files.
- Delete the dropped files for Kazaa, IRC and newsgroup propagation.
- Delete the registry values that the worm added.
4) Download the security patch for this exploit. The simplest way
is to click Tools | Windows Update on the Internet
Explorer menu and follow the instructions to install all the
necessary patches.
5) Reboot the computer and run a thorough virus scan using your favorite
antivirus program.