Gibe.F a.k.a. Swen

Commonly known by two names: Gibe.F and SwenI-Worm.Swen, W32/Swen.A@mm, W32/Gibe.E@MM, Gibe.EEmail, KaZaA, and IRC wormPCsSeptember 18, 2003Also known as Gibe.F, the Swen worm spreads via email, KaZaA, and IRC. Swen attempts to disable security software running on infected systems and modifies the system registry to ensure it is run prior to various executables. As is the case with the Dumaru worm, Swen emails can be disguised as a Microsoft security bulletin. Others are disguised as bounced email messages.In addition to masquerading as bounced messages and Microsoft security patches, the Swen/Gibe.f worm spoofs the sender's name, thus the From address is no indication of origin. The Microsoft patch email the worm composes looks very authenic. Click here to view an image of the fake message. Legitimate Microsoft security bulletins do not include attachments, thus just the presence of an attachment is indicative of malware.

• F-Secure description
• McAfee description
• Symantec description
• Trend Micro description