From: Phil Weldon (pweldon_at_mindspring.com)
Date: Mon, 22 Sep 2003 15:03:37 GMT
The 'Swen' virus (also known as Worm.Automat.AHB) is fully described at
http://www.symantec.com/avcenter/vinfodb.html . There are also complete
directions for removing the infection.
If, for example, you have Norton Antivirus installed with the appropriate
options selected, AND you have updated your virus definitions in the last
two days, it is completely safe to try and open, execute, move, or copy the
infective package. Norton Antivirus will not allow you to complete ANY of
If you download the infective package, NAV will detect the virus and
ultimately delete it.
If you retrieve e-mail with NAV e-mail protection activated, it will be
detected and a text message from NAV will replace the infective attachment.
If you scan your system with NAV any infective files for this worm will be
The only exception I know concerning the deletion of this file is
IF you use Outlook Newsreader (and maybe any newsreader the Norton plugs
IF the newsgroup has an infected posting (yes, this worm posts to
newsgroups, when you see the posting, it will look as if some malicious
idiot posted it, but it is the worm)
NAV will NOT identify the infective file and will not remove it. However,
you cannot successfully execute the infective file, and you can't move it or
open it. A system scan with NAV won't detect the infective package as an
attachment to a newsgroup post in your newsreader inbox and won't delete it.
The infective package can't directly cause an infection because of
protection by NAV, but it is a disappointment because that pesky file is
there. I am sure that if you did maintenance on your newsreader files you
could manually extract and delete the infective attachment with complete
safety IF NAV is active.
It seems from your description that you have an e-mail infected with a
worm or virus that attempts to exploit a known Microsoft vulnerability. If it
IS "Swen" (not "Sven") AND you have a version of Microsoft Windows that is
still supported AND you have installed ALL current Critical security issue
updates from Microsoft, you will be protected even without an antivirus
program (though I wouldn't advise it.)
If the scary warnings are in the e-mail, it is probably a hoax message. If
the scary warnings are coming from your operating system, then that's
Microsoft's warning that opening this type of attachment is an unsafe
practice. (For most users it is never necessary to open such attachments,
as in, if you have questions about whether you need the contents of the
attachment, you don't.)
Finally, the list of what infection by this worm will do to your system IS
scary. It should encourage you to install a good antivirus program, set it
for high levels of protection, and, considering present conditions, update
the virus definitions daily.
You also need to take into account your exposure levels.
It is a positive thing if you have NO floppy disks on site.
It is a positive thing if you have NO removable media on site that is of
It is a positive thing if you NEVER, EVER download executables from the
It is a positive thing if you have a fire wall and a DHCP server between
your machine or local area network and your internet connection (for an
example of this, Microsoft sells an 802.11b Wi-fi Wireless system with a
wireless base station with WEC [encryption strong enough to give the
security of a wired connection], a DHCP server, and one wireless network
card for a desktop or notebook computer. This combination (MN-530, I think)
can be found discounted to less than $100 US. This will help prevent
attacks on your system by worms operating from infected systems and hacker
Bottom line, as I understand your question:
If your operating environment is SOHO (Small Office, Home Office)
and you think you have the "Swen" infection, go to
http://www.symantec.com/avcenter/vinfodb.html and find the location of the
free, remote scan at the Symantec website, then run it. If "Swen" is not
detected, you don't have the infection. If you do, then follow the
directions for removal.
If you don't have an Antivirus program, get one, install it, configure it
for the highest level of protection, scan your system. Then update the
virus definition daily for the next month or so. Also, make sure that you
have the latest version of Windows Update installed, then make sure that you
have installed all current security packages and service packs. Also do the
same for Microsoft Office.
If your operating environment has an IT department, then stuff other than
your behavior is THEIR problem.
Finally, I'd suggest providing a bit more information when you ask a
question in a newsgroup. Otherwise you may get a much longer answer than you
need, or the process will be like pulling teeth... you have to keep
Phil Weldon, firstname.lastname@example.org
"Elaine Dorsett" <email@example.com> wrote in message
> No matter what I try, Microsoft or other fixes, I get a
> scary message as to what downloading it will do to my
> computer. Why is this so? And is it safe to download