Virus Alert: W32.Swen.A@mm - hoax e-mail on campus 9/19/03

Hoax e-mail on campus (09/19/03)

Users all over campus are receiving e-mail claiming to be sent by Microsoft Corporation. The message has an attachment that is described as a patch for the Windows Operating System and its components. THIS MESSAGE IS A HOAX.

The attachment in question has a virus in it. If you run the attachment on a Windows system, your system will not be patched. Instead, it will be infected with a virus that could cause damage to your system, delete your files, or cause attacks on other systems.

Microsoft will never send a software update through e-mail. You should never run attachments claiming otherwise. Also, in general, it is a good idea to scan attachments with your antivirus software before opening them, even if you know the sender of the attachment.

What to watch for:

The new virus/worm, called Swen or W32.Swen.A@mm, can spread through e-mail, KaZaA, IRC (chat), network shares, or newsgroups. The exact message and name of the attached file may vary. A typical e-mail example begins,

MS User

this is the latest version of security update, the "September 2003, Cumulative Patch" update which eliminates all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express. Install now to maintain the security of your computer from these vulnerabilities. This update includes the functionality of all previously released patches.

The message may also be disguised as a routine "unable to deliver your mail" notice.

If launched, this worm attempts to turn off your firewall and antivirus software, and makes other modifications to your system. Then it periodically displays a fake but very real-looking dialog window asking for your e-mail address and password.

More details are available from Symantec.

How to avoid it:

Update virus protection: CIT urges all Windows users to update their Symantec AntiVirus software and perform a complete system scan. W32.Swen.A@mm is detected by Symantec AntiVirus software that has been updated to the Sept. 18, 2003, virus definition file, or a newer file.

To update, run Symantec (Norton) AntiVirus and choose LiveUpdate. Or download the file via Bear Access (Virus Protection folder) or from Symantec's download page.

To install Symantec AntiVirus if you don't already have it, go to http://www.cit.cornell.edu/security/symantec/. Cornell University has signed a site license with Symantec to provide Symantec (Norton) AntiVirus (NAV) to the entire campus community. The license allows NAV to be used on all university-owned computers, home computers of staff and faculty, and computers owned by registered students.

Update Windows system software: You should update the patches on your system weekly. You can obtain the real patches from the Windows Update web site at http://windowsupdate.microsoft.com/. This is the only web site you should trust to have the real patches for Microsoft products. Occasionally other trusted sites, such as this site (Cornell's information technology security site), may have local copies of Microsoft patches for faster downloading.

How to get rid of it:

If you suspect your computer has been infected, visit Symantec's removal instructions. If you need additional assistance, please contact the CIT Contact Center (HelpDesk).

If you have any questions about this hoax or about using your antivirus software, or you believe you have been infected by a virus, please contact the CIT Contact Center (HelpDesk) at helpdesk@cornell.edu or 255-8990.

Last modified: June 5, 2003