By Jay Lyman TechNewsWorld Part of the ECT News Network
09/19/03 4:32 PM PT
Classified as a worm because of its ability to copy itself without infecting host files, Swen represents a high level of sophistication in its ability to execute code automatically, its deceptive spoof of Microsoft correspondence and its randomization of information that would be used to identify it easily.
The Swen computer worm is turning out to be a bigger problem than earlier expected, using a brief head start on computer antivirus defenses, as well as complex abilities and an effective masquerade, to infect Windows machines and spread via e-mail to many users.
The worm, also known as "Gibe" or by its more technical name, "w32.swen@mm," takes advantage of a well-known vulnerability in Internet Explorer that was first announced in March 2001. A software patch and removal tools for affected Windows systems are available, but because of its persistence -- the worm spreads automatically via e-mail or network shares -- it may be difficult to eliminate.
"People are absolutely seeing this pop up in their mailboxes today," Symantec (Nasdaq: SYMC) senior director of Security Response Vincent Weafer told TechNewsWorld. "For the person who has got it, it's a painful cleanup process."
Significant Spread
Weafer said Swen, which spoofs a Microsoft (Nasdaq: MSFT) security message, has spread primarily among home users, who accounted for 87 percent of infections as of Friday. "It's significant, but it's still not going to be a real major event," Weafer said. "We see it dying down."
Still, even non-Windows users were affected by the worm's spread, as one TechNewsWorld reader -- a Mac user -- reported receiving more than 250 Swen e-mails in the last day.
MessageLabs chief technology officer Mark Sunner described the worm as highly complex and told TechNewsWorld that although it was first discovered on September 14, it was not treated as a priority, and the threat was not added to the protection updates of leading antivirus vendors.
"Initially, this went right under the nose of normal desktop antivirus," Sunner said, endorsing MessageLabs' intercept-and-scan approach over traditional antivirus methods that he claimed do not work. "It's almost inexcusable it went through those vendors."
As virus fighters and security companies, including Symantec and F-Secure, upped their severity ratings on Swen before the weekend, MessageLabs reported the interception of more than 35,000 copies of the worm. Sunner said there were infections in 84 countries Friday afternoon, with one in every 355 e-mails containing the worm.
Polymorphic Problem
Classified as a worm because of its ability to copy itself without infecting host files, Swen represents a high level of sophistication in its ability to execute code automatically, its deceptive spoof of Microsoft correspondence and its randomization of information that could be used to identify it, according to Sunner.
"It's massively polymorphic," he said. "It randomizes file text, file name and subject with a high degree of polymorphism. Someone really thought about this."
Sunner likened the worm to the original Gibe worm, but said Swen was written in C++ and also carries its own SMTP engine, adding to the indications of a highly sophisticated author.
Symantec's Weafer agreed, adding that the higher-level programming language allowed the addition of some of the worm's features -- a trend among the latest viruses.
Who's Counting
Another unique feature of Swen is its ability to communicate with a Web site that keeps track of the number of computers it has successfully infected. As of late Friday afternoon, the counter was up to more than 1.5 million infected computers.
Ken Dunham, malicious code intelligence manager at iDefense, told TechNewsWorld that the number of infections might be skewed because the Web site address was posted to a security mailing list and likely garnered hits from researchers and others.
However, Dunham said that because it is supposedly accounting for all infections, which are typically underreported, Swen might actually be giving a more accurate estimate than usual of the spread.
"Swen may be giving us a clear picture of how widespread some of these new worms actually are," he said. "When we see 20,000 interceptions listed on a public Web site, there may actually be several hundred thousand infected computers."