{
	"id": "cb18bc9f-888b-4f30-93f1-dc3ec36d5e77",
	"created_at": "2026-04-06T00:12:08.28346Z",
	"updated_at": "2026-04-10T13:11:28.389599Z",
	"deleted_at": null,
	"sha1_hash": "874d450982c9ec132f86444523668e5fee85e36f",
	"title": "Swen (computer worm)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53368,
	"plain_text": "Swen (computer worm)\r\nBy Contributors to Wikimedia projects\r\nPublished: 2011-03-06 · Archived: 2026-04-05 18:08:01 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nSwen worm\r\nMalware details\r\nTechnical name Win32/Swen\r\nAliases\r\nWin32/Swen.worm.106496 (AhnLab)\r\nW32/Swen.A@mm (Authentium Command)\r\nI-Worm/Swen.A (AVG)\r\nWin32/Swen.A@mm (BitDefender)\r\nWin32/Swen.A.Worm (CA)\r\nWin32/Swen.A (ESET)\r\nEmail-Worm.Win32.Swen (Kaspersky)\r\nW32/Swen@MM (McAfee)\r\nW32/Swen.A@mm (Norman)\r\nW32/Gibe.C.worm (Panda)\r\nW32/Gibe-F (Sophos)\r\nEmail-Worm.Win32.Swen (Sunbelt Software)\r\nW32.Swen.A@mm (Symantec)\r\nWORM_SWEN.A (Trend Micro)\r\nI-Worm.Swen.A1 (VirusBuster)\r\nType Computer worm\r\nSubtype Mass mailer\r\nTechnical details\r\nPlatform Windows 95 to Windows XP\r\nSize 106-496 bytes\r\nSwen is a mass mailing computer worm written in C++. It sends an email which contains the installer for the\r\nvirus, disguised as a Microsoft Windows update, although it also works on P2P filesharing networks, IRC and\r\nnewsgroups' websites. It was first analyzed on September 18, 2003, however, it might have infected computers\r\nbefore then. It disables firewalls and antivirus programs.\r\nhttps://en.wikipedia.org/wiki/Swen_(computer_worm)\r\nPage 1 of 2\n\nThe virus first itself via email with an attachment, posing as an update for Windows. The attachment can have a\r\n.com, .scr, .bat, .pif, or .exe file extension. If its file name starts with the letters P, Q, U, or I, It displays a fake\r\nMicrosoft Update dialogue box, asking if the user wants to install a Microsoft Security Update with the two\r\nchoices \"Yes\" and \"No\". If the user presses \"Yes\", it displays a fake progress bar while installing the fake update.\r\nWhen finished, it displays another dialogue box saying: Microsoft Internet Update Pack This has been\r\nsuccessfully installed. The malware then re-executes itself, followed by yet another dialogue box saying:\r\nMicrosoft Security Update Pack This update does not need to be installed on this system. If the user chooses \"No\",\r\nthe malware will still install itself silently in the background. Next, it checks for certain criteria by opening\r\nanother dialogue box, prompting the user for their email address, username, password, SMTP and POP3 server\r\naddresses. After completing the said fields, the worm then makes a copy of itself in the C:\\Windows folder as\r\n\u003crandom characters\u003e.exe . The virus finally moves all information to the copy and terminates.\r\nThe worm creates the following registry entry to execute upon startup:\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\ CurrentVersion\\Run\\\u003crandom value\u003e = \"\u003crandom\r\nfilename\u003e.exe autorun\"\r\n1. Trend Micro Threat Encyclopedia | WORM_SWEN.A\r\n2. BitDefender Virus Information for Swen.A@mm\r\nSource: https://en.wikipedia.org/wiki/Swen_(computer_worm)\r\nhttps://en.wikipedia.org/wiki/Swen_(computer_worm)\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Swen_(computer_worm)"
	],
	"report_names": [
		"Swen_(computer_worm)"
	],
	"threat_actors": [],
	"ts_created_at": 1775434328,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/874d450982c9ec132f86444523668e5fee85e36f.pdf",
		"text": "https://archive.orkl.eu/874d450982c9ec132f86444523668e5fee85e36f.txt",
		"img": "https://archive.orkl.eu/874d450982c9ec132f86444523668e5fee85e36f.jpg"
	}
}