SWEN/Worm.Automat.AHB virus - How to remove the worm (and other questions)

Web design/web hosting Scotland - professional design agency, Peterhead, Aberdeen et al

West Toddlehills Web
Blackhills
Peterhead
Aberdeenshire
Scotland
AB42 0LY
[t] 0800 018 62 65
[f] 01779 473549

swen

MS Blaster - remove the worm

<MAP NAME="boxmap-p10"><AREA SHAPE="RECT" COORDS="14, 440, 106, 450" HREF="http://rcm.amazon.com/e/cm/privacy-policy.html?o=1" target=main><AREA COORDS="0,0,10000,10000" HREF="http://www.amazon.com/exec/obidos/redirect-home/zincwebintern-20" target=main></MAP><img src="http://rcm-images.amazon.com/images/G/01/rcm/120x450.gif" width="120" height="450" border="0" usemap="#boxmap-p10" alt="Shop at Amazon.com">

FED UP WITH SPAM?
We can now provide a server-side spam filtering system with all web domains hosted through our servers - all from only an additional £10 ex VAT per annum! This system is similar to that used by the US military and many blue chip companies. You don't need a web site to benefit... More>>

SWEN VIRUS/WORM aka Worm.Automat.AHB virus - PREVENTION & CURE

The Swen virus masquerades as a new Microsoft patch (click here for a screenshot) - find out how to avoid it, and what to do in the case of infection.

Yet another Internet virus pretending to be a patch from Microsoft is spreading quickly on the Internet. Swen (w32.swen@mm, also known as Gibe) uses the subject line to entice Windows users to open the attachment. In some cases, the virus will execute automatically. The virus attempts to kill all antivirus and personal firewall apps running on the infected machine. Swen can also travel using Kazaa, IRC, and shared network paths. Because Swen spreads via email, IRC, P2P, and shared network files and shows signs of spreading rapidly, this virus rates a 6 on the ZDNet Virus Meter.

One of the ways Swen spreads is to arrive as an email message containing some references to Microsoft or to a new critical patch for Internet Explorer or as a returned email.

To spread via shared network files, Swen leaves copies of itself in the start-up folders found on individual Windows computers connected to the network.

For IRC users, Swen adds a script.ini file to the mIRC program folder. It then spreads to other IRC users.

To infect other P2P users, Swen adds a copy of itself to the shared file directory using a random but intriguing name.

Once the virus is active, it will attempt to shut down working antivirus and personal firewall applications. Swen will appear to download and install a patch directly from Microsoft; in reality, the virus is changing system Registry files on the infected machine. Changes include, for example, the ability to run the virus every time the computer is rebooted.

Prevention - Windows users who have not installed the Internet Explorer patch MS01-020 for the incorrect MIME header flaw should do so now to prevent automatic infection from Swen. In general, do not open attached files in email without first saving them to the hard disk and scanning them with updated antivirus software. Please note that Microsoft does not email security patches to its users. Contact your antivirus vendor to obtain the latest antivirus signature files that include Swen.

Send this link to a friend

One of the emails Swen uses to spread is a professional-looking message that appears to come from "MS Technical Assistance", and contains a notification of a "September 2003, Cumulative Patch", along with the virus attachment. Microsoft does not spread updates via email.

When executed, the worm continues to pose as a security update, launching a message windows that states: "This will install Microsoft Security Update. Do you wish to continue?" If the user clicks "Yes" the worm shows a fake installation dialogue box, but also installs invisibly if the "No" button is pressed.

If you don't have an up-to-date Firewall/Antivirus suite, we recommend by Symantec for best priced all round protection for the home user, including Spam protection and Parental Control (see more links on the left of the page).

Click link below to directly download removal tool from the Symantec web site:

Removal tool

Final thought: if you have invested in a good system (usually less than £50), you won't need to search the internet for a solution to another worm infection in 3 months time!

See also: Fake 'Microsoft' MS Blaster Email Scam. More>>
And also: 'Teddy Bear' Hoax Virus Alert (jdbgmgr.exe). More>>
And also: MS Blaster worm. More>>

DOMAIN NAME SEARCH/ONLINE PURCHASE SYSTEM
Check the availability of your required domain and purchase with hosting options online via PayPal or standard UK invoicing. More>>

FED UP WITH SPAM?
We can now provide a server-side spam filtering system with all web domains hosted through our servers - all from only an additional £10 ex VAT per annum! This system is similar to that used by the US military and many blue chip companies. More>>

hosting | portfolio | website design | content management | shopping carts | domain names | privacy | home | contact