Re: Note on Swen from a newbie victim

From: Bill Unruh (unruh_at_string.physics.ubc.ca)
Date: 09/29/03


Date: Mon, 29 Sep 2003 10:12:41 +0000 (UTC)

mailbox@cpacker.org (Charles Packer) writes:

]I'm new to virus attacks, and my take on them is somewhat different,
]because I don't use Windows and because e-mail isn't so important
]to me. The current blitz from Swen has piqued my curiosity more than
]fueled a rage.

]I use Linux and read my e-mail from a Web-based service maintained
]by my Web-hosting site, so my machine won't be infected by the
]currently fashionable vehicles. But the Swen worm running elsewhere
]has found my e-mail address, almost certainly from my Usenet postings.
]I've had to abandon that address, I hope temporarily. I phoned the

Have the system set up so that any executable email is erased, i.e. if the
email contains an executable, it is erased. This takes care of most
viruses. Do not send it back, as this will just subject some other poor
unfortunate to being flooded. This virus forges the return address.

This will take care of your mailbox filling up since each virus email
contains a 150K executable.

]two relatives with whom I correspond regularly and told them not to
]send me e-mail for the time being, as I'm now deleting the mail file
]from my Web-hosting service daily via ftp. The worm-sent messages
]use up my free disk space there in a short time.

Yes, it would.

]However, closing that mailbox and opening a private one will be
]the option of last resort after I've learned everything I can
]from the attack.

]Does the worm run continuously on an infected machine and send
]repeatedly to its targets? The writeup at F-Secure,

Yes. And the targets are obtained by scanning the hard drive of the
infected person.

]http://www.f-secure.com/v-descs/swen.shtml

]doesn't say. I'm wondering if I'm the target of one or a few
]machines hitting me repeatedly or simply being bombarded from

It may be both. You can tell where they came from by looking at the last
Received: line in the header of the message. (The Received: lines are
added right after the X-Original-To: and/or Delivered-To: lines in the
header, so the oldest is last.)

]everywhere randomly. Will the arrival times of the messages or
]other aspects of the headers provide any clues? If it's random,
]I guess I should see an exponential decline in traffic over time
]as infected machines net-wide are cleaned up.

The problem is some absolute idiots of system admins have put virus
checkers on their outgoing mail and then send the recipient a warning
that someone tried to send them a virus. The actual virus email is a lot
lot easier to handle than these warnings. Those sysadmins should be
taken out and shot.
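The two pieces of advice in this reply (drop anything carrying an executable without bouncing it, and read the oldest Received: line to find the injecting host) as an added Python example. This is not code from the thread or from any mail system; the two messages are constructed, use RFC 5737 documentation addresses and example.* hostnames, and the "attachment" is a stub that carries only the "MZ" executable magic, not a worm sample.

```python
import base64
import email
import re
from email.message import Message

# Constructed message in the shape of the worm mail described in the thread:
# forged From:, one Received: line per relay (newest first, oldest last), and
# an .exe attachment shrunk to a stub carrying only the "MZ" magic.
_STUB_EXE = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode."
WORM_MAIL = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
    "\tby mx.example.org with ESMTP id abc123; Mon, 29 Sep 2003 09:10:11 +0000\r\n"
    "Received: from dsl-7.isp.example (unknown [198.51.100.7])\r\n"
    "\tby mail.example.net with SMTP; Mon, 29 Sep 2003 09:10:05 +0000\r\n"
    "From: \"MS Security Center\" <support@example.com>\r\n"
    "To: victim@example.org\r\n"
    "Subject: Latest Net Security Pack\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/mixed; boundary=\"XYZ\"\r\n"
    "\r\n"
    "--XYZ\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Install this patch.\r\n"
    "--XYZ\r\n"
    "Content-Type: application/octet-stream; name=\"Patch.exe\"\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Disposition: attachment; filename=\"Patch.exe\"\r\n"
    "\r\n"
    + base64.b64encode(_STUB_EXE).decode() + "\r\n"
    "--XYZ--\r\n"
).encode()

# Constructed text-only message, to show the filter passing legitimate mail.
CLEAN_MAIL = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
    "\tby mx.example.org with ESMTP; Mon, 29 Sep 2003 11:00:00 +0000\r\n"
    "From: relative@example.net\r\n"
    "To: victim@example.org\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "Just checking in.\r\n"
).encode()

# Extensions Windows runs on double-click; the worm ships .exe, the rest are
# the usual alternative carriers for the same trick.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")

_FROM_CLAUSE = re.compile(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_message(raw: bytes) -> Message:
    return email.message_from_bytes(raw)


def injecting_host(msg: Message):
    """Return (helo_name, ip) from the oldest Received: line, or (None, None).

    Each relay prepends its own Received: line, so the last one was written
    by the first relay to see the mail and its 'from' clause names the host
    that handed it in.  The HELO name is whatever the client claimed; the
    bracketed IP is what the relay actually saw, so trust the IP."""
    received = msg.get_all("Received") or []
    if not received:
        return (None, None)
    oldest = " ".join(str(received[-1]).split())  # unfold continuation lines
    m = _FROM_CLAUSE.search(oldest)
    if not m:
        return (None, None)
    ip = _BRACKET_IP.search(m.group(2) or "")
    return (m.group(1), ip.group(1) if ip else None)


def has_executable_attachment(msg: Message) -> bool:
    """True if any MIME part looks like a Windows executable.

    Checks the declared filename and the decoded bytes: the file can be
    renamed, but a PE/DOS executable still starts with the "MZ" magic."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if (part.get_filename() or "").lower().endswith(EXECUTABLE_EXTENSIONS):
            return True
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            return True
    return False


def triage(raw: bytes) -> dict:
    """Discard executable-bearing mail outright and never bounce it: the
    return address is forged, so a bounce or a 'you sent a virus' notice
    only floods an uninvolved third party."""
    msg = parse_message(raw)
    helo, ip = injecting_host(msg)
    action = "discard" if has_executable_attachment(msg) else "deliver"
    return {"action": action, "bounce": False, "origin_helo": helo, "origin_ip": ip}


if __name__ == "__main__":
    for label, raw in (("worm", WORM_MAIL), ("clean", CLEAN_MAIL)):
        print(label, triage(raw))
```

The origin recovered this way is only as good as the first relay's honesty: a relay under the sender's control can write any Received: line it likes, so the bracketed IP in the oldest line written by a relay you trust is the strongest evidence, and the HELO name next to it is just a claim.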


