Re: virus-scan

From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 10/23/03


Date: Thu, 23 Oct 2003 11:55:25 -0400

Don't worry -- I won't hold being Canadian against you...:-)

The gov't. agencies I mentioned are all US based. I am sure there are Canadian
counterparts.

Dave

"bandi" <anonymous@discussions.microsoft.com> wrote in message
news:075401c3997b$cb41a550$a001280a@phx.gbl...
| Many thanks for your prompt reply. I am ashamed of that misspelling, but
| I am only a dull-witted Canadian.
|
| >-----Original Message-----
| >bandi:
| >
| >In no way are ISPs "tracking down" what you call "worm factories". It
| >just isn't in their respective charters. If an infected machine is on,
| >say, AOL, maybe, just maybe, an abuse message indicating what machine
| >is infected may help. Unfortunately, due to the methodologies that
| >virus writers use to generate false sending addresses, and infectors
| >having their own NNTP and/or SMTP clients built in, this is becoming
| >increasingly impossible.
| >
| >That's why we have the National Infrastructure Protection Center
| >(NIPC), the Federal Computer Incident Response Center (FedCIRC) and
| >the Department of Homeland Security (DHS). It is their job to protect
| >the national interests against infectors on the net.
| >
| >BTW: It's "ranting" not "renting".
| >
| >
| >Dave
| >
| >
| >"bandi" <anonymous@discussions.microsoft.com> wrote in message
| >news:098101c3996f$377219b0$a601280a@phx.gbl...
| >| My question:
| >|
| >| Could it be known if all those ISPs with vast resources (MSN, AOL,
| >| etc.) are making any effort to track down and eliminate the source
| >| of these "worm-factories", or are we condemned to put up with this
| >| particular threat for an undetermined time? Isn't there a competent
| >| law enforcement agency that can deal with this and similar threats?
| >| Please excuse my renting, but I'm getting frustrated beyond any
| >| measure!
| >|
| >| >-----Original Message-----
| >| >The 'swen' worm and its effects, particularly on users with
| >| >uninfected machines
| >| >
| >| >The flood of e-mail ('swen-mail') is being generated by the 'swen'
| >| >worm. Locally, there is not much you can do to stop the flood.
| >| >Below you will find a discussion of the effects of the 'swen' worm
| >| >and ways you can handle the flood you are getting, even though your
| >| >machine may not be infected, and may be well protected.
| >| >
| >| >Only your ISP can stop the flood of 'swen' generated e-mail, by
| >| >scanning all e-mail for virus infection.
| >| >
| >| >Until your ISP or e-mail service begins to scan all e-mail for
| >| >virus infection, you can use a filter and a program that allows
| >| >partial downloading of e-mail messages (Veronica Loell posts
| >| >information about these filters quite often; the information is
| >| >also available at http://nakawe.sf.net/MMM3 .)
| >| >
| >| >Symantec, the publisher of Norton AntiVirus, has a description of
| >| >the worm, how to remove it, and removal tools at
| >| >http://www.symantec.com/avcenter/venc/data/w32.swen.a@mm.html .
| >| >Other publishers of antivirus programs have similar webpages. Note
| >| >well, removing this worm after your system has been infected is not
| >| >a simple task.
| >| >
| >| >The 'swen' worm can harvest e-mail addresses from newsgroup
| >| >postings, so it is very important to disguise your e-mail identity
| >| >when posting to Usenet newsgroups (like
| >| >microsoft.public.security.virus and tens of thousands of other
| >| >active newsgroups.)
| >| >
| >| >"The worm also can search for e-mail addresses in various
| >| >newsgroups. It connects to NNTP servers listed in the SWEN1.DAT
| >| >file, gets a list of all newsgroups on that server and searches
| >| >recent messages in these newsgroups for 'nfrom:' and 'nreply-to:'
| >| >tags. When such tags are found, the worm gets e-mail addresses
| >| >after them and writes them to the GERMS0.DBV file. This way the
| >| >worm can harvest a lot of e-mail addresses to send itself to."
| >| >(From F-Secure, http://www.f-secure.com/v-descs/swen.shtml )
| >| >
| >| >You can find out how at
| >| >
| >| >http://www.mailmsg.com/SPAM_munging.htm .
| >| >
| >| >This worm has two main effects, and some secondary effects.
| >| >
| >| >I. Main effects
| >| >
| >| >  A. It infects vulnerable systems and networks.
| >| >
| >| >  B. It generates a FLOOD of infected e-mail that is sent to e-mail
| >| >addresses it harvests from infected machines and networks. These
| >| >infected e-mails are of two types:
| >| >
| >| >    1. An HTML message that looks like a legitimate Microsoft
| >| >Security Bulletin; the hotlinks in this message are valid Microsoft
| >| >links, and will even lead you to a description that will allow you
| >| >to identify this e-mail as bogus. The message has an attached
| >| >104 KByte file that contains the worm. If you don't have all
| >| >appropriate Microsoft security patches and Service Packs installed,
| >| >it may be possible for your system to be infected EVEN IF YOU DON'T
| >| >OPEN THE MESSAGE. So far, the body of this message is always the
| >| >same, though the Subject and From lines differ widely. This
| >| >message, so far, can easily be blocked by detecting the string 'Run
| >| >attached file' in the body (in fact, it would be a good practice to
| >| >consider ANY e-mail that contains this string AND has an attachment
| >| >as very, very likely to carry an infection.)
| >| >
| >| >    2. A plain text message that purports to be a notification of
| >| >an 'Undeliverable e-mail', with an attachment that purports to be a
| >| >copy of the undeliverable e-mail. This attached file is 104 KBytes
| >| >long and contains the worm. The Subject line, From line, and body
| >| >present in thousands of combinations, and probably will continue to
| >| >mutate. Even worse, real e-mail addresses harvested from infected
| >| >systems and networks, and from Usenet newsgroup posts, are tagged
| >| >onto this type of message, causing one of the secondary effects.
| >| >
| >| >II. Secondary effects
| >| >
| >| >  A. Spam effect
| >| >
| >| >    1. Mailboxes with an e-mail address that has been harvested
| >| >from infected systems, networks and Usenet newsgroup postings begin
| >| >to be flooded with infected e-mail.
| >| >[Personal example: my machines are not infected, but this worm
| >| >began to flood my mailbox 17SEP03. I now receive more than 1500
| >| >infected e-mail messages per day. I must empty my mailbox every 5
| >| >minutes, 24/7, to avoid the possibility of having legitimate e-mail
| >| >bounced. I had to install an application just to segregate the
| >| >cleaned, previously infected e-mail from legitimate e-mail
| >| >(standard spam blockers can't do this.) There are filters and
| >| >programs that can identify this 'swen-mail' and that require
| >| >downloading only a portion of an e-mail message to allow discarding
| >| >or keeping it based on whether it is 'swen-mail' or not. However,
| >| >you still must arrange to do this operation often enough to keep
| >| >your mailbox from overflowing past the general 10 MByte limit and
| >| >bouncing subsequent e-mail. About 80 'swen-mail' messages take up
| >| >10 MBytes of storage. If you get 500 'swen-mail' messages per day,
| >| >that means checking and clearing your mailbox at least every four
| >| >hours, 24/7, to ensure that no valid e-mail messages are bounced.]
| >| >
| >| >  B. Notifications from mail services that DO scan for infected
| >| >messages, but unfortunately do not realize that the e-mail
| >| >addresses given for the sender are either bogus or e-mail
| >| >addresses harvested by the worm. Thus, completely innocent
| >| >mailboxes have insult added to injury.
| >| >
| >| >****
| >| >
| >| >What can you do locally as an individual (i.e. in a
| >| >SmallOfficeHomeOffice environment, and/or as a recreational user)?
| >| >
| >| >#1. You can use a remote virus scan from one of the antivirus
| >| >program publishers
| >| >THEN
| >| >#2. You can remove any infections discovered
| >| >THEN
| >| >#3. You install a good antivirus program, keep it active, keep the
| >| >virus definitions up-to-date (at the moment you should update these
| >| >definitions EVERY day), and set it to scan all incoming e-mails and
| >| >downloads.
| >| >THEN
| >| >#4. You can install all appropriate Microsoft security patches and
| >| >Service Packs.
| >| >THEN
| >| >#5. You can consider additional security (DHCP server, firewall,
| >| >boric acid [for roaches], .....)
| >| >
| >| >If you begin to be flooded with these infected messages, COMPLAIN
| >| >to your ISP; send them this URL
| >| >http://xtra.co.nz/products/0,,8969,00.html of an ISP that scans
| >| >incoming e-mail before passing it to a mailbox. Ask for an
| >| >increased mailbox size (if you are getting 1500 of these infected
| >| >e-mails per day, you will need a mailbox size over 150 MBytes just
| >| >to avoid the necessity of completely emptying it EVERY DAY.) Ask
| >| >about the implicit duty of the ISP to provide reliable e-mail
| >| >service, and if they have received notification of any pending
| >| >class actions you might join. Ask if they will unbundle their
| >| >services so you can opt out of e-mail service and save that cost.
| >| >That's about all you can do about the e-mail flood; only your ISP
| >| >or other e-mail provider can come close to solving this problem.
| >| >
| >| >When the e-mail flood becomes too painful, find an ISP or other
| >| >e-mail provider that DOES scan and discard infected e-mail before
| >| >passing it to your mailbox, and then change to that ISP and/or
| >| >e-mail provider. Changing your e-mail address is no solution; as
| >| >soon as your new e-mail address is harvested from an infected
| >| >system or network, the problem starts again.
| >| >
| >| >In the meantime you can use a filter and a program that allows
| >| >partial downloading of e-mail messages (Veronica Loell posts
| >| >information about these filters quite often; the information is
| >| >also available at http://nakawe.sf.net/MMM3 .)
| >| >
| >| >When a mailserver is scanning and not just deleting infected
| >| >e-mail, but is also sending an e-mail to notify the sender, write
| >| >the administrator a nasty note asking them to stop sending these
| >| >notices.
| >| >
| >| >****
| >| >That's about it; you can proof your system against infection, but
| >| >only changes at the mailserver level can stop reception of a flood
| >| >of infected e-mails and increasing numbers of inappropriate notices
| >| >that you've sent infected e-mail from arriving in your mailbox.
| >| >
| >| >Phil Weldon
| >| >
| >| >--
| >| >Phil Weldon, philweldonatmindjumpdotcom
| >| >For communication,
| >| >replace "at" with the 'at sign'
| >| >replace "mindjump" with "mindspring."
| >| >replace "dot" with "."
| >| >
| >| >"bandi" <anonymous@discussions.microsoft.com> wrote in message
| >| >news:010d01c398ce$d9655e90$a601280a@phx.gbl...
| >| >> My e-mail has been flooded with, what I believe, SWEN for about
| >| >> 3-4 weeks at the rate of about 100/day, on the average. My ISP
| >| >> has a virus filter set up, and I have been using a continuously
| >| >> updated Norton Antivirus 2002. I have also swept my system
| >| >> several times with the appropriate Norton product for Swen. Yet,
| >| >> from time to time I do receive e-mail that is obviously fake
| >| >> (Microsoft security patch, Undelivered mail, etc.), which is
| >| >> never picked up by either the ISP filter or my Norton. I have
| >| >> never had the guts to open them; are they likely just a hoax, or
| >| >> can they contain a well masked virus in the attachment?
| >| >> Thanks for listening.
| >| >
| >
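The two detection rules Phil Weldon gives in the quoted post above (the string 'Run attached file' in the body of a message that also carries an attachment, and an 'Undeliverable e-mail' notice whose attachment is about 104 KBytes) are mechanical enough to turn into a local filter. What follows is an added example written for this page; it is not code from any of the posters, nor from the MMM3 filters Phil refers to. It uses only Python's standard email package. The bounce keywords and the 4 KB size tolerance are my assumptions, not figures from the thread, and every sample message is constructed inline.

```python
"""Heuristic filter for 'swen-mail' (added example; not code from the posts).

Two rules, taken from Phil Weldon's description of the two message types:
  1. Body contains the string 'Run attached file' AND the message has an
     attachment (the fake Microsoft Security Bulletin).
  2. The message reads like an 'Undeliverable e-mail' notice AND carries an
     attachment of about 104 KBytes, the stated size of the worm (the fake
     bounce).  The bounce keywords and the size tolerance are assumptions.

All sample messages below are constructed here for the example.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Optional

MARKER = "run attached file"           # compared case-insensitively
WORM_SIZE = 104 * 1024                 # 104 KBytes, as stated in the thread
SIZE_TOLERANCE = 4 * 1024              # assumption: a few KB of slack
BOUNCE_WORDS = ("undeliver", "delivery failure", "returned mail")  # assumption


def classify_swen(raw: bytes) -> Optional[str]:
    """Return 'fake-bulletin', 'fake-bounce', or None for a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    attachments = [p for p in msg.walk() if p.is_attachment()]
    if not attachments:
        return None  # the worm always rides in an attachment

    # Decoded text of every inline text/plain or text/html part; the HTML
    # bulletin keeps the marker in its source, so no tag stripping is needed.
    body = " ".join(
        p.get_content()
        for p in msg.walk()
        if p.get_content_maintype() == "text" and not p.is_attachment()
    ).lower()
    if MARKER in body:
        return "fake-bulletin"

    subject = str(msg["Subject"] or "").lower()
    if any(w in subject or w in body for w in BOUNCE_WORDS):
        for att in attachments:
            payload = att.get_payload(decode=True) or b""
            if abs(len(payload) - WORM_SIZE) <= SIZE_TOLERANCE:
                return "fake-bounce"
    return None


def _build(subject: str, body: str, html: bool = False,
           attachment: Optional[bytes] = None) -> bytes:
    """Assemble a constructed test message (forged From:, as the worm does)."""
    m = EmailMessage()
    m["From"] = "security@example.com"
    m["To"] = "victim@example.net"
    m["Subject"] = subject
    m.set_content(body, subtype="html" if html else "plain")
    if attachment is not None:
        # Filename is irrelevant to the rules: the worm's names vary widely.
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename="attachment.bin")
    return m.as_bytes()


FAKE_WORM = b"MZ" + b"\x00" * (WORM_SIZE - 2)  # constructed 104 KB stand-in

SAMPLES = {
    "fake_bulletin": _build(
        "Latest Microsoft Security Update",
        "<html><body><p>Microsoft Customer,</p>"
        "<p>Run attached file to install the update.</p></body></html>",
        html=True, attachment=FAKE_WORM),
    "fake_bounce": _build(
        "Undeliverable Mail",
        "Your message could not be delivered. The original is attached.",
        attachment=FAKE_WORM),
    "legit_bounce": _build(
        "Undeliverable Mail",
        "Host unknown. The original message headers are attached.",
        attachment=b"Received: from mail.example.org\r\nSubject: hi\r\n"),
    "legit_mention_no_attachment": _build(
        "Re: the patch", "Run attached file and tell me if it fixes the crash."),
    "legit_attachment": _build(
        "Quarterly report", "Figures attached.", attachment=b"%PDF-1.4 ..."),
}


def run_demo() -> dict:
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify_swen(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:30s} -> {verdict}")
```

The first rule needs only the headers and the start of the body, so it works with the partial-download approach Phil recommends (a POP3 client that fetches the top of each message before deciding). The second rule needs the attachment's decoded length, so it can only run once the whole message has been pulled down; a client that wants to discard fake bounces without downloading them has to fall back on the size the server reports for the message as a whole.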


