Swen worm, Posing as Microsoft Support

Sunday, September 21, 2003
Author: Richard S. Westmoreland
Permalink: 20040824020206292
Virus Alerts


Another email worm has made its way onto the Internet and is widely distributed.

Apparently this worm is using the Incorrect MIME Header vulnerability in Internet Explorer, present in versions 5.5 and earlier. Once installed, the worm uses its own SMTP engine to spread itself and tries to shut off personal firewalls and antivirus programs. Swen.A also spreads via Kazaa, IRC, and newsgroups.

If you get an email with the subject "Network Security Patch" from "Microsoft Program Security Section" with an attachment named "UPGRADE.exe", don't open it. Of course, if you have IE 5.5 or earlier, it may run itself anyway.

Swen.A will also generate emails with random subject headings and alternatively use attachment names of PATCH.exe, UPDATE.exe, and INSTALL.exe.
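For anyone filtering mail at a gateway, here is a small check built from the indicators above. It is an added example, not code from Symantec or Microsoft, and the sample message is constructed. It flags the subject, sender and attachment names listed in this alert, and also the general pattern of an attachment whose declared Content-Type is a media type while its filename is an executable, which is the sort of header mismatch the MIME Header bulletin deals with. The extension list and the set of media types are assumptions, as is the `sample` helper.

```python
from email import message_from_string

# Strings taken from the alert above.
SWEN_ATTACHMENTS = {"upgrade.exe", "patch.exe", "update.exe", "install.exe"}
SWEN_SUBJECT = "network security patch"
SWEN_SENDER = "microsoft program security section"
# Assumption: extensions treated as directly executable on Windows.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")
# Assumption: main types a mail client may try to render or play inline.
INLINE_MAIN_TYPES = {"audio", "video", "image"}

def inspect_message(raw):
    """Return a sorted list of reasons this message should be quarantined."""
    msg = message_from_string(raw)
    reasons = set()
    if SWEN_SUBJECT in (msg.get("Subject") or "").lower():
        reasons.add("subject")
    if SWEN_SENDER in (msg.get("From") or "").lower():
        reasons.add("sender")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if not name:
            continue  # container parts and body text carry no filename
        if name in SWEN_ATTACHMENTS:
            reasons.add("attachment-name")
        # Header claims media, filename says program: quarantine regardless of name.
        if name.endswith(EXEC_EXTS) and part.get_content_maintype() in INLINE_MAIN_TYPES:
            reasons.add("mime-mismatch")
    return sorted(reasons)

def sample(subject, sender, ctype, fname):
    """Build a constructed two-part test message (not captured worm traffic)."""
    return (
        f"From: {sender}\nSubject: {subject}\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nconstructed body\n"
        f'--b1\nContent-Type: {ctype}; name="{fname}"\n'
        f'Content-Disposition: attachment; filename="{fname}"\n'
        "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n"
    )

if __name__ == "__main__":
    lure = sample("Network Security Patch",
                  '"Microsoft Program Security Section" <a@example.invalid>',
                  "audio/x-wav", "UPGRADE.exe")
    print(inspect_message(lure))
```

Because Swen.A also uses random subject headings, the attachment-name and mismatch checks matter more than the subject match.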

More information about Swen.A itself can be found here:
http://web.archive.org/web/20031202022504/http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html

More information about the MIME Header vulnerability:
http://web.archive.org/web/20031202022504/http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

You can download a new version of Internet Explorer here:
http://web.archive.org/web/20031202022504/http://www.microsoft.com/windows/ie/default.asp

Symantec has a Swen removal tool available:
http://web.archive.org/web/20031202022504/http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.removal.tool.html

If you are using Netscape, Opera, Mozilla, or anything other than Internet Explorer, but are still using Outlook Express or Outlook, it is still a good idea to keep your Internet Explorer up to date, because those mail clients rely on Internet Explorer components to display HTML email.

Swen.A is also known as Gibe.F, because of how similar it is to Gibe. (Can't virus writers come up with something original for a change?)
  


