Re: Still getting SWEN?
From: ah (ahayeNOSPAM_at_fsmail.net)
Date: 10/22/03
- Next message: Meinolf Freiburg: "Is this a new virus ???"
- Previous message: Penna Elabi: "Re: QHOSTS virus removal problems"
- In reply to: Phil Weldon: "Re: Still getting SWEN?"
- Next in thread: Phil Weldon: "Re: Still getting SWEN?"
- Reply: Phil Weldon: "Re: Still getting SWEN?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 22 Oct 2003 08:21:44 +0100
My ISP can scan email for virus for £2.50/month BUT they send you an email
for each email scanned!!!!!!! i.e. no improvement in the quantity of email
you receive. How smart!
ah
-------------------
"Phil Weldon" <notdisclosed@example.com> wrote in message
news:mUjlb.10159$W16.3892@newsread2.news.atl.earthlink.net...
> Until the last infected system that has harvested your e-mail address is
> disinfected. Contact your ISP and ask them to scan all e-mail for virus
> infection. And read the explanation I posted earlier in this thread.
>
>
> The 'swen' worm and its effects, particularly on
>
> users with uninfected machines
>
>
>
> The flood of e-mail ('swen-mail') is being generated by the 'swen' worm.
> Locally, there is not much you can do to stop the flood. Below you will
> find a discussion of the effects of the 'swen' worm and ways you can handle
> the flood you are getting, even though your machine may not be infected, and
> may be well protected.
>
>
>
> Only your ISP can stop the flood of 'swen' generated e-mail; by scanning all
> e-mail for virus infection.
>
>
>
> Until your ISP or e-mail service begins to scan all e-mail for virus
> infection, you can use a filter and a program that allows partial
> downloading of e-mail messages (Veronica Loell posts information about
> these filters quite often; the information is also available at
> http://nakawe.sf.net/MMM3.)
>
>
>
>
>
>
> Symantec, the publisher of Norton AntiVirus, has a description of the
> worm, how to remove it, and removal tools at
> http://www.symantec.com/avcenter/venc/data/w32.swen.a@mm.html . Other
> publishers of antivirus programs have similar webpages. Note well, removing
> this worm after your system has been infected is not a simple task.
>
>
>
>
>
> The 'swen' worm can harvest e-mail addresses from newsgroup postings, so it
> is very important to disguise your e-mail identity when posting to Usenet
> newsgroups (like microsoft.public.security.virus and tens of thousands of
> other active newsgroups.)
>
> "The worm also can search for e-mail addresses in various newsgroups. It
> connects to NNTP servers listed in the SWEN1.DAT file, gets a list of all
> newsgroups on that server and searches recent messages in these newsgroups
> for 'nfrom:' and 'nreply-to:' tags. When such tags are found, the worm gets
> e-mail addressed after them and writes them to the GERMS0.DBV file. This way
> the worm can harvest a lot of e-mail addresses to send itself to." (From
> F-secure, http://www.f-secure.com/v-descs/swen.shtml )
>
> You can find out how at
>
> http://www.mailmsg.com/SPAM_munging.htm .
>
> This worm has two main effects, and some secondary effects
>
>
>
>
> I. Main effects
>
> A. It infects vulnerable systems and networks.
>
> B. It generates a FLOOD of infected e-mail that is sent to e-mail
> addresses it harvests from infected machine and networks. These infected
> e-mails are of two types
>
> 1. An HTML message that looks like a legitimate Microsoft Security
> Bulletin; the hotlinks in this message are valid Microsoft links, and will
> even lead you to a description that will allow you to identify this e-mail
> as bogus. The message has an attached 104 KByte file that contains the
> worm. If you don't have all appropriate Microsoft security patches and
> Service Packs installed, it may be possible for your system to be infected
> EVEN IF YOU DON'T OPEN THE MESSAGE. So far, the body of this message is
> always the same, though the Subject and From lines differ widely. This
> message, so far, can easily be blocked by detecting the string 'Run
> attached file' in the body (in fact, it would be a good practice to
> consider ANY e-mail that contains this string AND has an attachment to be
> very, very likely to carry an infection.)
>
> 2. A plain text message that purports to be a notification of an
> 'Undeliverable e-mail', with an attachment that purports to be a copy of the
> undeliverable e-mail. This attached file is 104 KBytes long and contains the
> worm. The Subject line, From line, and body present in thousands of
> combinations, and probably will continue to mutate. Even worse, real e-mail
> addresses harvested from infected systems and networks, and from Usenet
> newsgroup posts are tagged onto this type of message, causing one of the
> secondary effects.
>
> II. Secondary effects
> A. Spam effect
> 1. Mailboxes with an e-mail address that has been harvested from
> infected systems, networks and Usenet newsgroup postings begin to be flooded
> with infected e-mail.
> [Personal example: my machines are not infected, but this worm began to
> flood my mailbox 17SEP03. I now receive more than 1500 infected e-mail
> messages per day. I must empty my mailbox every 5 minutes, 24/7 to avoid
> the possibility of having legitimate e-mail bounced. I had to install an
> application just to segregate the cleaned, previously infected e-mail
> from legitimate e-mail (standard spam blockers can't do this.)] There are
> filters and programs that can identify this 'swen-mail' and that require
> downloading only a portion of an e-mail message to allow discarding or
> keeping it based on whether it is 'swen-mail' or not. However, you still
> must arrange to do this operation often enough to keep your mailbox from
> overflowing past the general 10 MByte limit and bouncing subsequent e-mail.
> About 80 'swen-mail' messages take up 10 MBytes of storage. If you get 500
> 'swen-mail' messages per day, that means checking and clearing your mailbox
> at least every four hours, 24/7, to ensure that no valid e-mail messages
> are bounced.
> B. Notifications from mail services that DO scan for infected
> messages, but unfortunately do not realize that the e-mail addresses given
> for the sender are either bogus or e-mail addresses harvested by the worm.
> Thus, completely innocent mailboxes have insult added to injury.
>
> ****
>
> What can you do locally as an individual (i.e. in a SmallOfficeHomeOffice
> environment, and /or as a recreational user)?
> #1. You can use a remote virus scan from one of the antivirus program
> publishers
> THEN
> #2. You can remove any infections discovered
> THEN
> #3. You install a good antivirus program, keep it active, keep the virus
> definitions up-to-date (at the moment you should update these definitions
> EVERY day), and set to scan all incoming e-mails and downloads.
> THEN
> #4. You can install all appropriate Microsoft security patches and Service
> Packs.
> THEN
> #5. You can consider additional security (DHCP server, firewall, boric acid
> [for roaches], .....
>
> If you begin to be flooded with these infected messages, COMPLAIN to your
> ISP; send them this URL
> http://xtra.co.nz/products/0,,8969,00.html of an ISP that scans incoming
> e-mail before passing it to a mailbox. Ask for an increased mailbox size
> (if you are getting 1500 of these infected e-mails per day, you will need a
> mailbox size over 150 MBytes just to avoid the necessity of completely
> emptying it EVERY DAY.) Ask about the implicit duty of the ISP to provide
> reliable e-mail service, and if they have received notification of any
> pending class actions you might join. Ask if they will unbundle their
> services so you can opt out of e-mail service and save that cost. That's
> about all you can do about the e-mail flood; only your ISP or other e-mail
> provider can come close to solving this problem.
>
> When the e-mail flood becomes too painful, find an ISP or other e-mail
> provider that DOES scan and discard infected e-mail before passing it to
> your mailbox, and then change to that ISP and/or e-mail provider. Changing
> your e-mail address is no solution; as soon as your new e-mail address is
> harvested from an infected system or network, the problem starts again.
>
>
>
> In the meantime you can use a filter and a program that allows partial
> downloading of e-mail messages (Veronica Loell posts information about
> these filters quite often; the information is also available at
> http://nakawe.sf.net/MMM3 .)
>
> When a mailserver is scanning and not just deleting infected e-mail, but is
> also sending an e-mail to notify the sender, write the administrator a nasty
> note asking them to stop sending these notices.
>
> ****
> That's about it; you can proof your system against infection, but only
> changes at the mailserver level can stop reception of a flood of infected
> e-mails and increasing numbers of inappropriate notices that you've sent
> infected e-mail from arriving in your mailbox.
>
> Phil Weldon
>
>
>
> --
> Phil Weldon, philweldonatmindjumpdotcom
> For communication,
> replace "at" with the 'at sign'
> replace "mindjump" with "mindspring."
> replace "dot" with "."
>
> "ah" <ah@fsmail.net> wrote in message
> news:uKhlb.14086$kA.3596787@wards.force9.net...
> > Yes, me too, still. How long is this going to last?
> >
> > ah
> >
> > ---------------------
> > "Phil" <anonymous@discussions.microsoft.com> wrote in message
> > news:007c01c397ea$132cf240$a301280a@phx.gbl...
> > > I am still getting the SWEN virus in my email by the
> > > hundreds per day. The attachments are getting quarantined
> > > by Norton at the server but its still hundreds of emails.
> > > Are all of you still experiencing this? I'm the only one
> > > in the company still getting them. I'm the network
> > > administrator and I'm always posting to these boards so I
> > > guess that could contribute. I have run the removal tool
> > > many times and my updates are always up to date, so I was
> > > just wondering if many people are still experiencing the
> > > SWEN virus by the boatloads every day.
> > > Thanks.
> >
> >
> >
>
>
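The filter rule Phil Weldon describes in the quoted message (body contains 'Run attached file' AND the message carries an attachment) and his mailbox arithmetic (about 80 swen-mails per 10 MBytes), written out as an added example that is not part of the thread. The sample messages, the sender address and the attachment filename patch.exe are constructed for the example.

```python
# Added example (not from the thread); sample messages are constructed, not real worm samples.
import email
from email import policy
from email.message import EmailMessage

MARKER = "Run attached file"   # string the thread says marks swen's bogus bulletin
MB_PER_MESSAGE = 10.0 / 80     # thread's figure: about 80 swen-mails fill 10 MBytes

def has_attachment(msg):
    """True if any MIME part carries a filename, i.e. is an attachment."""
    return any(part.get_filename() for part in msg.walk())

def is_swen_mail(raw):
    """Thread's rule: body contains MARKER AND the message has an attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    return MARKER in text and has_attachment(msg)

def check_interval_hours(msgs_per_day, mailbox_limit_mb=10.0):
    """Hours between mailbox purges before the limit is hit and new mail bounces."""
    capacity = mailbox_limit_mb / MB_PER_MESSAGE      # messages that fit
    return 24.0 * capacity / msgs_per_day

def mailbox_needed_mb(msgs_per_day):
    """Mailbox size needed to survive a full day without purging."""
    return msgs_per_day * MB_PER_MESSAGE

def build_sample(subject, text, attach):
    """Construct a sample message; the attachment is inert filler, not the worm."""
    msg = EmailMessage()
    msg["From"] = "MS Public Support <support@example.invalid>"  # assumed sender
    msg["Subject"] = subject
    msg.set_content(text)
    if attach:   # 'patch.exe' is an assumed filename, not taken from the thread
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename="patch.exe")
    return msg.as_string()

# Constructed samples: a bogus bulletin with attachment, and a harmless reply that only quotes the string.
BOGUS = build_sample("Latest Net Security Upgrade",
                     "Install this update now. Run attached file.", True)
HARMLESS = build_sample("Re: swen", "Their mail says 'Run attached file'.", False)

if __name__ == "__main__":
    for name, raw in (("bogus", BOGUS), ("harmless", HARMLESS)):
        print(name, "-> swen-mail" if is_swen_mail(raw) else "-> keep")
    print("at 500/day, purge every %.2f hours" % check_interval_hours(500))
```

A message that merely quotes the string but has no attachment is kept, which is the distinction the quoted advice draws.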