Are you (like me) bombarded by E-mail messages infected with the Swen virus? Perhaps you were
foolish enough (like me) to use your real E-mail address in Newsgroup discussions. Now infected
computers all over the world are sending you bogus messages day and night. Does your ISP (like many)
neglect to scan and delete infected messages, leaving you to handle the mess? Have you discovered
that your anti-virus software can be configured to automatically delete infected attachments, but
still leaves the messages in your Inbox? Do you want your life back? If so (and you use Microsoft's
Outlook) this VBScript program could help.
This program reads all the messages in your Outlook Inbox folder, determines which are infected with
the W32.Swen virus, logs the date received for each of several types, and deletes the infected
messages. I can't guarantee 100% accuracy. You can use and modify this script at your own risk.
But I have not yet encountered any cases where it deleted messages that were not either infected or
broken copies of the virus. The deleted messages remain in your Deleted Items folder, so you can
review them if you wish. You will have to empty this folder, but that is very easy. The program does
miss a few messages where some feature is unusual, usually because the worm virus code has been
stripped off. The program also does not delete most notices from ISPs or mail servers that an
infected message has been blocked. There is just too much variety in these messages (many of which
are in foreign languages) to even attempt it. Still, after running this program I find I have just
a few virus messages (and the usual spam) to deal with. It is much easier to find the real mail in
my Inbox. It saves me hours each day.
For each infected message found, the program logs the date received and the type in a text file. I
have classified the various types of Swen-related messages as follows:
| Approx. Size | Message | Attachments | Infected |
|---|---|---|---|
| 2k | Bogus mail delivery failure notice | no | Iframe download exploit |
| 13k | Bogus Microsoft Patch update | yes | Iframe download exploit |
| 64k | Bogus Microsoft Patch update | yes | Iframe download exploit |
| 73k | broken | no | broken |
| 117k | Bogus Microsoft Patch update | yes | Iframe download exploit |
| 145k | broken | no | broken |
| 158k | broken | no | broken |
For the program to function properly, the attachments should not be stripped away. I disable the E-mail scanning feature in my Anti-Virus program (since it does not help). Recognizing Swen-related messages would be more difficult without the attachments. Also, I leave Outlook running all the time, so my E-mail account is not disabled by my ISP for exceeding limits on their server. The VBScript program was designed to run with Outlook running. However, I always disconnect from the Internet before dealing with my E-mail. I don't want any messages auto-responding or directing me to infected web sites. If you stay connected, the program will not deal with new messages received while it runs. I run the program daily at a command prompt using the following command:
cscript ScanSwen.vbs
The program creates a new log file each day, in the form ScanSwen_MMDD.log, where MM is the month
and DD is the day. The log file is created in the same folder as the program. If the log file exists,
the program appends to the end. You can discard the log file, but I import it into a spreadsheet
program for analysis. I can tell, for example, that the volume often peaks (for me, in the Midwestern
United States) at about 3am. Also, most of the messages are the 2k and 117k types (about evenly split),
with the 64k and 73k types relatively rare. The volume for me has ranged from 400 messages per day,
up to 1200.
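The spreadsheet analysis described above can also be scripted. The following Python sketch is an added example, not part of ScanSwen.vbs or the original page; it assumes each log line has the form `<date received>,<type>` (the page does not give the exact layout), and the sample lines are constructed.

```python
"""Summarize ScanSwen daily logs: busiest hour and count of each message type."""
from collections import Counter
from datetime import datetime

# ASSUMPTION: each log line is "<date received>,<type>", for example
# "10/14/2003 3:05:12 AM,117k". The page only says the log holds the date
# received and the type; adjust LINE_FORMAT to match the real file.
LINE_FORMAT = "%m/%d/%Y %I:%M:%S %p"
KNOWN_TYPES = {"2k", "13k", "64k", "73k", "117k", "145k", "158k"}  # from the table

# Constructed sample data, not real log output.
SAMPLE_LOG = """\
10/14/2003 3:05:12 AM,117k
10/14/2003 3:17:40 AM,2k
10/14/2003 3:44:03 AM,2k
10/14/2003 11:20:59 AM,64k
10/14/2003 4:02:31 PM,117k
this line is damaged
10/14/2003 9:15:00 PM,999k
"""

def parse_line(line):
    """Return (received, type), or None if the line does not fit the assumed format."""
    stamp, sep, kind = line.strip().rpartition(",")
    if not sep or kind not in KNOWN_TYPES:
        return None
    try:
        return datetime.strptime(stamp, LINE_FORMAT), kind
    except ValueError:
        return None

def summarize(lines):
    """Count messages per hour of day and per type; also count unparsed lines."""
    by_hour, by_type, skipped = Counter(), Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1  # surface bad lines instead of silently dropping them
            continue
        received, kind = parsed
        by_hour[received.hour] += 1
        by_type[kind] += 1
    peak_hour = by_hour.most_common(1)[0][0] if by_hour else None
    return {"peak_hour": peak_hour, "by_hour": by_hour,
            "by_type": by_type, "skipped": skipped}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

To cover several days, concatenate the lines of each ScanSwen_MMDD.log file before calling `summarize`.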
ScanSwen.txt <<-- Click here to view or download the program