Re: Sven

From: Phil Weldon (pweldon_at_mindspring.com)
Date: 09/22/03


Date: Mon, 22 Sep 2003 15:03:37 GMT


The 'Swen' virus (also known as Worm.Automat.AHB) is fully described at
http://www.symantec.com/avcenter/vinfodb.html . There are also complete
directions for removing the infection.

If, for example, you have Norton Antivirus installed with the appropriate
options selected, AND you have updated your virus definitions in the last
two days, it is completely safe to try and open, execute, move, or copy the
infective package. Norton Antivirus will not allow you to complete ANY of
these actions.

If you download the infective package, NAV will detect the virus and
ultimately delete it.

If you retrieve e-mail with NAV e-mail protection activated, it will be
detected and a text message from NAV will replace the infective attachment.

If you scan your system with NAV any infective files for this worm will be
ultimately deleted.

The only exception I know concerning the deletion of this file is

IF you use Outlook Newsreader (and maybe any newsreader the Norton plugs
into)
     AND
IF the newsgroup has an infected posting (yes, this worm posts to
newsgroups, when you see the posting, it will look as if some malicious
idiot posted it, but it is the worm)

     THEN
NAV will NOT identify the infective file and will not remove it. However,
you cannot successfully execute the infective file, and you can't move it or
open it. A system scan with NAV won't detect the infective package as an
attachment to a newsgroup post in your newsreader inbox and won't delete it.
The infective package can't directly cause an infection because of
protection by NAV, but it is a disappointment because that pesky file is
there. I am sure that if you did maintenance on your newsreader files you
could manually extract and delete the infective attachment with complete
safety IF NAV is active.

It seems from your description that you have an e-mail infected with a
worm or virus that attempts to exploit a known Microsoft vulnerability. If it
IS "Swen" (not "Sven") AND you have a version of Microsoft Windows that is
still supported AND you have installed ALL current Critical security issue
updates from Microsoft, you will be protected even without an antivirus
program (though I wouldn't advise it.)

If the scary warnings are in the e-mail, it is probably a hoax message. If
the scary warnings are coming from your operating system, then that's
Microsoft's warning that opening this type of attachment is an unsafe
practice. (For most users it is never necessary to open such attachments,
as in, if you have questions about whether you need the contents of the
attachment, you don't.)

Finally, the list of what infection by this worm will do to your system IS
scary. It should encourage you to install a good antivirus program, set it
for high levels of protection, and, considering present conditions, update
the virus definitions daily.

You also need to take into account your exposure levels.

It is a positive thing if you have NO floppy disks on site.

It is a positive thing if you have NO removable media on site that is of
unknown origin.

It is a positive thing if you NEVER, EVER download executables from the
internet.

It is a positive thing if you have a firewall and a DHCP server between
your machine or local area network and your internet connection (for an
example of this, Microsoft sells an 802.11b Wi-Fi Wireless system with a
wireless base station with WEC [encryption strong enough to give the
security of a wired connection], a DHCP server, and one wireless network
card for a desktop or notebook computer. This combination (MN-530, I think)
can be found discounted to less than $100 US. This will help prevent
attacks on your system by worms operating from infected systems and hacker
exploits.)

Bottom line, as I understand your question:

If your operating environment is SOHO (Small Office, Home Office)

and you think you have the "Swen" infection, go to
http://www.symantec.com/avcenter/vinfodb.html and find the location of the
free, remote scan at the Symantec website, then run it. If "Swen" is not
detected, you don't have the infection. If you do, then follow the
directions for removal.

If you don't have an Antivirus program, get one, install it, configure it
for the highest level of protection, scan your system. Then update the
virus definition daily for the next month or so. Also, make sure that you
have the latest version of Windows Update installed, then make sure that you
have installed all current security packages and service packs. Also do the
same for Microsoft Office.

If your operating environment has an IT department, then stuff other than
your behavior is THEIR problem.

Finally, I'd suggest providing a bit more information when you ask a
question in a newsgroup. Otherwise you may get a much longer answer than you
need, or the process will be like pulling teeth... you have to keep
extracting information.

Phil Weldon, pweldon@mindspring.com

"Elaine Dorsett" <elaine@visionet.org> wrote in message
news:096301c380a8$941b6430$a001280a@phx.gbl...
> No matter what I try, Microsoft or other fixes, I get a
> scary message as to what downloading it will do to my
> computer. Why is this so? And is it safe to download
> anyway?


