Update: The Swen Worm. Yes, It’s Nasty
The Swen Worm is turning out to be a nasty one. It can execute code automatically, it looks like a genuine Microsoft email and it randomizes itself, making it hard to identify. TechNewsWorld reports the worm, also known as “Gibe” or its more technical name of “w32.swen@mm,” takes advantage of a well-known vulnerability in Internet Explorer that was first announced in March 2001. A software patch and removal tools for affected Windows systems are available, but because of its persistence — the worm infects via e-mail or network sharing automatically — it may be difficult to eliminate. Most of those infected are home users.
Part of the problem seems to have been that the antivirus underestimated its shock and awe. TechNewsWorld again: MessageLabs chief technology officer Mark Sunner described the worm as highly complex and told TechNewsWorld that although it was first discovered September 14th, it was not seen as a priority, and the threat was not added to updated protection from leading antivirus vendors. “Initially, this went right under the nose of normal desktop antivirus,” Sunner said, endorsing MessageLabs’ intercept-and-scan approach over traditional antivirus methods that he claimed do not work. “It’s almost inexcusable it went through those vendors.”
Another unique feature of Swen is its ability to communicate with a Web site that keeps track of the number of computers it has successfully infected. As of late Friday afternoon, the counter was up to more than 1.5 million infected computers.