W32.Swen.A@mm

Yet another Internet virus pretending to be a patch from Microsoft is spreading quickly on the Internet. Swen (w32.swen@mm, also known as Gibe) uses the subject line to entice Windows users to open the attachment. In some cases, the virus will execute automatically.

[Image: sample Swen e-mail message]

The virus attempts to kill all antivirus and personal firewall apps running on the infected machine. Swen can also travel using Kazaa, IRC, and shared network paths. Because Swen spreads via e-mail, IRC, P2P, and shared network files and shows signs of spreading rapidly, this virus rates a 6 on the CNET Virus Meter.

How it works
One way Swen spreads is as an e-mail message that refers to Microsoft or to a new critical patch for Internet Explorer, or that poses as a returned e-mail.

To spread via shared network files, Swen leaves copies of itself in the start-up folders found on individual Windows computers connected to the network.

For IRC users, Swen adds a script.ini file to the mIRC program folder. It then spreads to other IRC users.

To infect other P2P users, Swen adds a copy of itself to the shared file directory using a random but intriguing name.

Once the virus is active, it attempts to shut down running antivirus and personal firewall applications. Swen appears to download and install a patch directly from Microsoft; in reality, the virus is changing the system Registry on the infected machine. The changes include, for example, an entry that runs the virus every time the computer is restarted.

Prevention
Windows users who have not installed the Internet Explorer patch MS01-020 for the incorrect MIME header flaw should do so now to prevent automatic infection from Swen. In general, do not open attached files in e-mail without first saving them to the hard disk and scanning them with updated antivirus software. Please note that Microsoft does not e-mail security patches to its users. Contact your antivirus vendor to obtain the latest antivirus signature files that include Swen.
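As an added example, not taken from the original article, the following mail-gateway check flags the two hallmarks described above: a message posing as a Microsoft patch or returned e-mail that carries an executable attachment, and an attachment whose declared Content-Type is a media type while its filename is executable, the incorrect MIME header pattern (MS01-020) that lets an unpatched Internet Explorer run it automatically. The extension list, lure words and sample messages are assumptions constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed extensions and lure words; the article does not list the ones Swen uses.
EXECUTABLE_EXTS = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr")
# Media types that an incorrect MIME header (MS01-020) lets an unpatched IE auto-run.
MEDIA_TYPES = ("audio/", "video/", "image/")
LURE_WORDS = ("microsoft", "patch", "update", "security", "internet explorer",
              "returned", "undeliverable")


def analyse(raw: bytes) -> dict:
    """Return a verdict and the reasons behind it for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    headers = " ".join(str(msg.get(h, "")) for h in ("From", "Subject")).lower()
    lure = any(word in headers for word in LURE_WORDS)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name.endswith(EXECUTABLE_EXTS):
            continue                      # only executable attachments matter here
        ctype = part.get_content_type()
        findings.append(f"executable attachment {name} declared as {ctype}")
        if ctype.startswith(MEDIA_TYPES):
            # Executable filename behind a media Content-Type: the MS01-020 pattern.
            findings.append(f"MIME mismatch on {name}: would auto-run on unpatched IE")
    if lure and findings:
        findings.append("patch/bounce lure with executable: Microsoft does not e-mail patches")
    return {"verdict": "quarantine" if findings else "pass", "findings": findings}


def build_sample(subject: str, sender: str, filename: str, ctype: str) -> bytes:
    """Construct a test message (constructed sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", subject
    msg.set_content("Install the attached update to protect your system.")
    maintype, subtype = ctype.split("/")
    msg.add_attachment(b"MZ" + b"\0" * 30, maintype=maintype, subtype=subtype,
                       filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    lure = build_sample("Critical Internet Explorer patch",
                        "Microsoft Security <bulletin@example.com>",
                        "q216309.exe", "audio/x-wav")
    print(analyse(lure))
```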

Removal
Download the W32.Swen.A@mm Removal Tool and begin to follow the instructions in the W32.Swen.A@mm Removal Tool document. However, when you get to step 5, which instructs you to "Double-click the FixSwen.exe file," stop. Do not double-click the file. Instead:
1. Right-click the downloaded FixSwen.exe file, and then click Rename.
2. Rename the file to FixSwen.cmd.
3. When you are asked whether you want to change the file extension, click Yes.
4. Double-click the FixSwen.cmd file and continue with the steps in the Removal Tool document.

After the tool has run, update the virus definitions. Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

Once the Intelligent Updater virus definitions are available, read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

Run a full system scan.
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
Run a full system scan.
If any files are detected as infected with W32.Swen.A@mm, click Delete.