The hits for network admins kept coming in late summer/early fall 2003. Just weeks after the Blaster-Welchia-SoBig.F triple punch, the Swen worm wriggled its way onto at least 1.5 million computers.
Like so many other pieces of malware, Swen exploited an old security flaw—in this case, a two-year-old Internet Explorer security flaw. Swen put its own twist on the exploitation, however, by posing as a Microsoft security update. A user received a convincing-looking email purporting to be from “MS Technical Assistance” (For the record, Microsoft does not distribute security updates via email).
The email subject lines and from addresses varied, and the message body referenced a “September 2003, Cumulative Patch” and carried an attachment. When the user opened the attachment, a message window appeared that said, “This will install Microsoft Security Update. Do you wish to continue?” Whether the user clicked yes or no, the worm installed—with an installation box if “yes” had been clicked and invisibly if “no.”
Installing the Swen worm creates a mess
Upon installation, Swen installed multiple files to ensure it always launched upon reboot. On its first run, Swen contacted a website to update a counter tracking the number of infected machines (It’s thought the counter overestimated Swen’s reach, though, as the counter website link had been posted in multiple security forums).
Swen also disabled a user’s ability to update the computer’s registry, as well as attempted to disable antivirus and firewall software. The worm spread via email, as well as through popular contemporary file sharing sites such as Kazaa.
Security experts called Swen “massively polymorphic,” noting its sophisticated C++ code that randomized file names and subject lines.
Photo: nuttapon averuttaman / Shutterstock
