Run Feature


anonymous_at_discussions.microsoft.com
Date: 02/17/04


Date: Tue, 17 Feb 2004 10:43:37 -0800

If you are using your real email address for the news
reader identity when posting to newsgroups, you WILL be
visited by the 'swen' worm, even if
you don't get infected.
The 'swen' worm and its effects, particularly on users
with uninfected machines
The flood of e-mail ('swen-mail') is being generated by
the 'swen' worm.
Locally, there is not much you can do to stop the flood.
Below you will find a discussion of the effects of
the 'swen' worm and ways you can handle
the flood you are getting, even though your machine may
not be infected, and may be well protected.
Only your ISP can stop the flood of 'swen' generated
e-mail; by scanning all e-mail for virus infection.
Until your ISP or e-mail service begins to scan all e-mail
for virus infection, you can use a filter and a program
that allows partial downloading of e-mail messages
(Veronica Loell posts information about these filters
quite often; the information is also available at
http://nakawe.sf.net/MMM3.)

Symantec, the publisher of Norton AntiVirus, has a
description of the worm, how to remove it, and removal
tools at
http://www.symantec.com/avcenter/venc/data/w32.swen.a@mm.html .
Other publishers of antivirus programs have similar
webpages. Note well, removing this worm after your system
has been infected is not a simple task.

The 'swen' worm can harvest e-mail addresses from
newsgroup postings, so it is very important to disguise
your e-mail identity when posting to Usenet
newsgroups (like microsoft.public.security.virus and tens
of thousands of other active newsgroups .)

"The worm also can search for e-mail addresses in various
newsgroups. It connects to NNTP servers listed in the
SWEN1.DAT file, gets a list of all newsgroups on that
server and searches recent messages in these newsgroups
for 'nfrom:' and 'nreply-to:' tags. When such tags are
found, the worm gets e-mail addressed after them and
writes them to the GERMS0.DBV file. This way
the worm can harvest a lot of e-mail addresses to send
itself to." (From F-Secure,
http://www.f-secure.com/v-descs/swen.shtml )

You can find out how at
http://www.mailmsg.com/SPAM_munging.htm .

This worm has two main effects, and some secondary effects

I. Main effects
     A. It infects vulnerable systems and networks.
     B. It generates a FLOOD of infected e-mail that is
sent to e-mail addresses it harvests from infected machine
and networks. These infected e-mails are of two types
         1. An HTML message that looks like a legitimate
Microsoft Security Bulletin; the hotlinks in this message
are valid Microsoft links, and will even lead you to a
description that will allow you to identify this e-mail
as bogus. The message has an attached 104 KByte file that
contains the worm. If you don't have all appropriate
Microsoft security patches and Service Packs installed, it
may be possible for your system to be infected
EVEN IF YOU DON'T OPEN THE MESSAGE. So far, the body of
this message is always the same, though the Subject and
From lines differ widely. This message, so far, can
easily be blocked by detecting the string 'Run
attached file' in the body (in fact, it would be a good
practice to consider ANY e-mail that contains this string
AND has an attachment as very, very likely to carry an
infection.)
          2. A plain text message that purports to be a
notification of an 'Undeliverable e-mail', with an
attachment that purports to be a copy of the
undeliverable e-mail. This attached file is 104 KBytes
long and contains the worm. The Subject line, From line,
and body present in thousands of combinations, and
probably will continue to mutate. Even worse, real e-mail
addresses harvested from infected systems and networks,
and from Usenet newsgroup posts are tagged onto this type
of message, causing one of the secondary effects.

II. Secondary effects
     A. Spam effect
          1. Mailboxes with an e-mail address that has
been harvested from infected systems, networks and Usenet
newsgroup postings begin to be flooded with infected e-mail.
[Personal example: my machines are not infected, but this
worm began to flood my mailbox 17SEP03. I now receive
more than 1500 infected e-mail messages per day. I must
empty my mailbox every 5 minutes, 24/7 to avoid
the possibility of having legitimate e-mail bounced. I
had to install an application just to segregate the
cleaned, previously infected e-mail from legitimate e-mail
(standard spam blockers can't do this.) There are filters
and programs that can identify this 'swen-mail' and that
require downloading only a portion of an e-mail message to
allow discarding or keeping it based on whether it
is 'swen-mail' or not. However, you still must arrange to
do this operation often enough to keep your mailbox from
overflowing past the general 10 MByte limit and bouncing
subsequent e-mail. About 80 'swen-mail' messages take up
10 MBytes of storage. If you get 500 'swen-mail' messages
per day, that means checking and clearing your mailbox at
least every four hours, 24/7, to ensure that no valid
e-mail messages are bounced.
     B. Notifications from mail services that DO scan for
infected messages, but unfortunately do not realize that
the e-mail addresses given for the sender are either bogus
or e-mail addresses harvested by the worm.
Thus, completely innocent mailboxes have insult added to
injury.

>-----Original Message-----
>Sorry I meant to include my email address.
>
>
>.
>
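The post above gives two concrete filtering rules for 'swen-mail': a fake security bulletin whose body contains the string 'Run attached file' together with an attachment, and an 'Undeliverable' bounce notice carrying a roughly 104 KByte attachment. The script below is an added example (not code from the post, the archive, or any of the filter tools it mentions) that applies exactly those rules to parsed messages. The sample messages, the sender addresses, and the size tolerance around 104 KBytes are constructed for the example and are assumptions, not values from the post.

```python
"""Heuristic 'swen-mail' classifier built from the two message shapes the
post describes.  Sample messages are constructed here for the example."""
import email
from email import policy
from email.message import EmailMessage

MARKER = "run attached file"        # body string the post says identifies the fake bulletin
SWEN_SIZE = 104 * 1024              # ~104 KByte attachment size reported in the post
SIZE_TOLERANCE = 4 * 1024           # assumed slack around that size (not from the post)


def attachments(msg):
    """Yield (filename, decoded size in bytes) for every attachment part."""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment" or part.get_filename():
            payload = part.get_payload(decode=True) or b""
            yield part.get_filename() or "", len(payload)


def body_text(msg):
    """Concatenate the readable text parts, ignoring attachments."""
    chunks = []
    for part in msg.walk():
        if (part.get_content_maintype() == "text"
                and part.get_content_disposition() != "attachment"):
            chunks.append(part.get_content())
    return "\n".join(chunks)


def classify(raw):
    """Return 'swen-bulletin', 'swen-bounce' or 'ok' for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    atts = list(attachments(msg))
    if not atts:
        # The post's rule is the marker string AND an attachment; text alone is not enough.
        return "ok"
    if MARKER in body_text(msg).lower():
        return "swen-bulletin"
    subject = (msg["Subject"] or "").lower()
    near_swen_size = any(abs(size - SWEN_SIZE) <= SIZE_TOLERANCE for _, size in atts)
    if "undeliverable" in subject and near_swen_size:
        return "swen-bounce"
    return "ok"


def build(subject, body, attach_bytes=None, filename="attachment.bin"):
    """Construct a sample message (example data only; addresses are placeholders)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attach_bytes is not None:
        m.add_attachment(attach_bytes, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()


# Constructed samples: one of each shape from the post, plus two benign controls.
SAMPLES = {
    "bulletin": build("Newest Internet Security Pack",
                      "Install this update now. Run attached file to apply the patch.",
                      b"\0" * SWEN_SIZE, "patch.exe"),
    "bounce": build("Undeliverable Mail",
                    "Your message could not be delivered. A copy is attached.",
                    b"\0" * (SWEN_SIZE + 900), "message.zip"),
    "legit": build("Meeting notes",
                   "Notes from today attached.", b"notes" * 600, "notes.txt"),
    "marker_no_attachment": build("FYI", "Run attached file is a phrase to watch for."),
}


def classify_all(samples=SAMPLES):
    """Classify every sample; returns a name -> verdict dict."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:22s} {verdict}")
```

Because the post notes the bulletin variant may infect an unpatched system even unopened, a filter like this belongs in front of the mail client, on a partial download or server-side, so a flagged message is deleted before it is ever rendered.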


