Re: Watch out for this
From: Phil Weldon (notdisclosed_at_mindjump.com)
Date: 10/07/03
- Next message: TravelingGun01: "way to get rid of spyware"
- Previous message: Harmon Koeltz: "swen e-mails"
- Maybe in reply to: pete: "Watch out for this"
- Next in thread: Kent W. England [MVP]: "Re: Watch out for this"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 07 Oct 2003 16:42:39 GMT
The 'swen' worm and its effects, particularly on
users with uninfected machines
The flood of e-mail ('swen-mail') is being generated by the 'swen' worm.
Locally, there is not much you can do to stop the flood. Below you will
find a discussion of the effects of the 'swen' worm and ways you can handle
the flood you are getting, even though your machine may not be infected, and
may be well protected.
Only your ISP can stop the flood of 'swen'-generated e-mail, by scanning all
e-mail for virus infection.
Until your ISP or e-mail service begins to scan all e-mail for virus
infection, you can use a filter and a program that allows partial
downloading of e-mail messages (Veronica Loell posts information about
these filters quite often; the information is also available at
http://nakawe.sf.net/MMM3.)
Symantec, the publisher of Norton AntiVirus, has a description of the
worm, how to remove it, and removal tools at
http://www.symantec.com/avcenter/venc/data/w32.swen.a@mm.html . Other
publishers of antivirus programs have similar webpages. Note well, removing
this worm after your system has been infected is not a simple task.
The 'swen' worm can harvest e-mail addresses from newsgroup postings, so it
is very important to disguise your e-mail identity when posting to Usenet
newsgroups (like microsoft.public.security.virus and tens of thousands of
other active newsgroups.)
"The worm also can search for e-mail addresses in various newsgroups. It
connects to NNTP servers listed in the SWEN1.DAT file, gets a list of all
newsgroups on that server and searches recent messages in these newsgroups
for 'nfrom:' and 'nreply-to:' tags. When such tags are found, the worm gets
e-mail addresses after them and writes them to the GERMS0.DBV file. This way
the worm can harvest a lot of e-mail addresses to send itself to." (From
F-Secure, http://www.f-secure.com/v-descs/swen.shtml )
You can find out how at
http://www.mailmsg.com/SPAM_munging.htm .
This worm has two main effects, and some secondary effects:
I. Main effects
A. It infects vulnerable systems and networks.
B. It generates a FLOOD of infected e-mail that is sent to e-mail
addresses it harvests from infected machines and networks. These infected
e-mails are of two types:
1. An HTML message that looks like a legitimate Microsoft Security
Bulletin; the hotlinks in this message are valid Microsoft links, and will
even lead you to a description that will allow you to identify this e-mail
as bogus. The message has an attached 104 KByte file that contains the
worm. If you don't have all appropriate Microsoft security patches and
Service Packs installed, it may be possible for your system to be infected
EVEN IF YOU DON'T OPEN THE MESSAGE. So far, the body of this message is
always the same, though the Subject and From lines differ widely. This
message, so far, can easily be blocked by detecting the string 'Run
attached file' in the body (in fact, it would be good practice to
consider ANY e-mail that contains this string AND has an attachment as very,
very likely to carry an infection).
2. A plain text message that purports to be a notification of an
'Undeliverable e-mail', with an attachment that purports to be a copy of the
undeliverable e-mail. This attached file is 104 KBytes long and contains the
worm. The Subject line, From line, and body present in thousands of
combinations, and probably will continue to mutate. Even worse, real e-mail
addresses harvested from infected systems and networks, and from Usenet
newsgroup posts are tagged onto this type of message, causing one of the
secondary effects.
II. Secondary effects
A. Spam effect
1. Mailboxes with an e-mail address that has been harvested from
infected systems, networks and Usenet newsgroup postings begin to be flooded
with infected e-mail.
[Personal example: my machines are not infected, but this worm began to
flood my mailbox 17SEP03. I now receive more than 1500 infected e-mail
messages per day. I must empty my mailbox every 5 minutes, 24/7 to avoid
the possibility of having legitimate e-mail bounced. I had to install an
application just to segregate the cleaned, previously infected e-mail
from legitimate e-mail (standard spam blockers can't do this.) There are
filters and programs that can identify this 'swen-mail' and that require
downloading only a portion of an e-mail message to allow discarding or
keeping it based on whether it is 'swen-mail' or not. However, you still
must arrange to do this operation often enough to keep your mailbox from
overflowing past the general 10 MByte limit and bouncing subsequent e-mail.
About 80 'swen-mail' messages take up 10 MBytes of storage. If you get 500
'swen-mail' messages per day, that means checking and clearing your mailbox
at least every four hours, 24/7, to ensure that no valid e-mail messages
are bounced.
B. Notifications from mail services that DO scan for infected
messages, but unfortunately do not realize that the e-mail addresses given
for the sender are either bogus or e-mail addresses harvested by the worm.
Thus, completely innocent mailboxes have insult added to injury.
****
What can you do locally as an individual (i.e. in a SmallOfficeHomeOffice
environment, and/or as a recreational user)?
#1. You can use a remote virus scan from one of the antivirus program
publishers
THEN
#2. You can remove any infections discovered
THEN
#3. You install a good antivirus program, keep it active, keep the virus
definitions up-to-date (at the moment you should update these definitions
EVERY day), and set to scan all incoming e-mails and downloads.
THEN
#4. You can install all appropriate Microsoft security patches and Service
Packs.
THEN
#5. You can consider additional security (DHCP server, firewall, boric acid
[for roaches], .....)
If you begin to be flooded with these infected messages, COMPLAIN to your
ISP; send them this URL
http://xtra.co.nz/products/0,,8969,00.html of an ISP that scans incoming
e-mail before passing it to a mailbox. Ask for an increased mailbox size
(if you are getting 1500 of these infected e-mails per day, you will need a
mailbox size over 150 MBytes just to avoid the necessity of completely
emptying it EVERY DAY). Ask about the implicit duty of the ISP to provide
reliable e-mail service, and if they have received notification of any
pending class actions you might join. Ask if they will unbundle their
services so you can opt out of e-mail service and save that cost. That's
about all you can do about the e-mail flood; only your ISP or other e-mail
provider can come close to solving this problem.
When the e-mail flood becomes too painful, find an ISP or other e-mail
provider that DOES scan and discard infected e-mail before passing it to
your mailbox, and then change to that ISP and/or e-mail provider. Changing
your e-mail address is no solution; as soon as your new e-mail address is
harvested from an infected system or network, the problem starts again.
In the meantime you can use a filter and a program that allows partial
downloading of e-mail messages (Veronica Loell posts information about
these filters quite often; the information is also available at
http://nakawe.sf.net/MMM3 .)
When a mailserver is scanning and not just deleting infected e-mail, but is
also sending an e-mail to notify the sender, write the administrator a nasty
note asking them to stop sending these notices.
****
That's about it; you can proof your system against infection, but only
changes at the mailserver level can stop reception of a flood of infected
e-mails and increasing numbers of inappropriate notices that you've sent
infected e-mail from arriving in your mailbox.
Phil Weldon
--
Phil Weldon, pweldonatmindjumpdotcom
For communication, replace "at" with the 'at sign'
replace "mindjump" with "mindspring."
replace "dot" with "."

"R" <iwanttoknow@ntlwolrd.com> wrote in message
news:jdzgb.19868$4D.9949843@newsfep2-win.server.ntli.net...
> I too have been receiving 100 swen emails per hour. How so many people have
> my email address I do not know. I have been replying to them with an email
> saying that they need to check their PCs for viruses. You have to look up
> the mime header for the true return address though. I have also posted
> information on some newsgroups.
>
> THIS IS NOT A SPAM EMAIL/NEWSGROUP POST. You may be unaware but there is a
> new malicious virus going around that causes you to send out emails with
> viruses. These emails will already have been sent to everyone on your
> contact list/address book if you have it. Please urgently forward this
> email to everyone on your contacts/address book so that they may check their
> own PC. Do not worry about sending them the virus, you will have already
> done so if you do have the virus! This is Microsoft's report on this virus.
> http://www.microsoft.com/security/antivirus/authenticate_mail.asp
>
> The fact that you are sending out these virus infected emails indicates that
> you probably have a virus on your PC that is automatically sending out
> emails with viruses without your knowledge. You can verify below whether or
> not you may have the virus. After reading this you should virus check your
> PC with the latest anti virus definitions. If you do not have anti virus
> software you should connect to the internet and click here Scan your PC for
> viruses now!
> http://click.linksynergy.com/fs-bin/click?id=jGkJDpd6dW0&offerid=50252.6&type=1&subid=0
>
> Only email me if you wish to be added to an opt in mail list for information
> and offers.
>
> ------------------------------------------------------------------------------
>
> Extract from Anti Virus companies regarding "W32.Swen.A@mm" worm.
> NOTE: This threat was previously detected as Worm.Automat.AHB
>
> Due to an increase in submissions, this has been upgraded W32.Swen.A@mm to
> Category 3, as of 6:30pm Thursday, September 18, 2003. It is also rapidly
> heading towards being a high risk.
>
> W32.Swen.A@mm is a mass-mailing worm that uses its own SMTP engine to spread
> itself.
>
> The worm can arrive as an email attachment. The subject, body, and from
> address of the email may vary. Some examples claim to be patches for
> Microsoft Internet Explorer, or delivery failure notices from qmail.
>
> This worm exploits a vulnerability in Microsoft Outlook and Outlook Express
> in an attempt to execute itself when you open or even preview the email. If
> you do not have anti virus software you should connect to the internet and
> click here Scan your PC for viruses now!
>
> Information and a patch for the vulnerability IF YOU DO NOT ALREADY HAVE THE
> VIRUS can be found at
> http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
> however this will only protect you IF YOU DO NOT ALREADY HAVE THE VIRUS.
> Install this patch after you confirm that you are clear of the virus.
>
> Here is some information on what the virus does:
>
> 1. This virus attempts to trick you into installing it by pretending to be
> a security vulnerability patch from Microsoft.
>
> 2. Upon executing it asks if you want to install the latest security
> patch.
>
> 3. If you say no, it still installs itself but without your knowledge. If
> you say yes then it displays messages that appear that it is installing an
> update to windows.
>
> 4. Modifies the value:
>
> "DisableRegistryTools" = "1"
>
> in the registry key:
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
>
> TO PREVENT THE USER RUNNING REGEDIT ON THE COMPUTER (see below*)
>
> 5. Puts a copy of itself to %Windir% with a randomly generated filename.
>
> 6. Searches .html, .asp, .eml, .dbx, .wab, .mbx files on the computer for
> email addresses.
>
> 7. Creates the file, %Windir%\Germs0.dbv, where it stores the email
> addresses it has found.
>
> 8. Creates the file, %Windir%\Swen1.dat, where it stores a list of remote
> news and mail servers.
>
> 9. Adds the following values to the registry:
>
> "Server"="<The IP address of the SMTP server that the worm retrieves from
> the registry>"
> "Mirc Install Folder"="<location of mirc client on system>"
> "Installed"="...by Begbie"
> "Install Item"="<random>"
> "Unfile"="<random>"
> "CacheBox Outfit"="yes"
> "ZipName"="<random>"
> "Email Address"="<The current users email address that the worm retrieves
> from the registry>"
> to the key:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\<random set of letters>
>
> 10. So that it can run itself it adds a randomly named value to:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> 11. Modifies the registry keys:
> HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command
> HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command
> HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command
> HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command
> HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command
> HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
>
> 12. Checks the computer to find messages sent by itself and deletes them
> so there is no trace that the PC has sent any virus infected emails.
>
> How do you know if you've been infected?
>
> Display of a series of dialog boxes
> Unexpected termination of various security and anti-virus products.
> Inability to run RegEdit on the victim's machine
>
> *IF YOU CANNOT RUN REGEDIT ON YOUR PC YOU ARE PROBABLY INFECTED or this has
> been turned off by your computer system administrator. If you are on a
> network check with your system administrator.
>
> Click <start>, Click <run>, type regedit and click <OK>. Registry editor
> should run, it looks similar to windows explorer but has a name of Registry
> Editor in the name bar at the top. If it has run ok then close it with the
> X in top right. If the program ran ok this does not confirm that you are
> not infected. It could mean that your registry may be corrupted and the
> virus was unable to stop the program from running.
>
> For further information visit Anti Virus now!
>
> http://click.linksynergy.com/fs-bin/click?id=jGkJDpd6dW0&offerid=50252.6&type=1&subid=0
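As an added example (not code from Phil Weldon, "R", or any antivirus vendor), here is a small Python filter that applies the two indicators the post gives for 'swen-mail': a body containing 'Run attached file' together with an attachment, and a fake bounce notice carrying a roughly 104 KByte attachment. The size tolerance and the sample messages are constructed assumptions for demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Heuristics from the post: the bogus "Microsoft Security Bulletin" body
# always contains 'Run attached file' and carries an attachment, and the
# bogus "Undeliverable e-mail" notice carries a ~104 KByte attachment.
MARKER = "run attached file"
WORM_SIZE = 104 * 1024
SIZE_TOLERANCE = 2 * 1024  # assumption: tolerate a small size variance


def attachments(msg):
    """Return (filename, decoded size in bytes) for every attachment part."""
    found = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment" or part.get_filename():
            payload = part.get_payload(decode=True) or b""
            found.append((part.get_filename() or "", len(payload)))
    return found


def classify(raw):
    """Label one raw RFC 822 message: 'bulletin', 'bounce' or None (keep)."""
    msg = email.message_from_string(raw, policy=policy.default)
    atts = attachments(msg)
    if not atts:                      # no attachment: cannot carry the worm
        return None
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    if MARKER in text:                # type 1: fake security bulletin
        return "bulletin"
    if any(abs(size - WORM_SIZE) <= SIZE_TOLERANCE for _, size in atts):
        return "bounce"               # type 2: fake undeliverable notice
    return None


def build_sample(subject, body_text, attachment_size):
    """Constructed test message (not a real capture) with an optional attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "constructed-sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content(body_text)
    if attachment_size:
        msg.add_attachment(b"\x00" * attachment_size, maintype="application",
                           subtype="octet-stream", filename="update.exe")
    return msg.as_string()


if __name__ == "__main__":
    print(classify(build_sample("Latest Update", "Run attached file.", WORM_SIZE)))
```

A real deployment would run classify() over each message header-plus-body as it is partially downloaded, discarding anything labelled and keeping the rest.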