Re: Swen annoyances to everyone: wakeup call
From: Michel Gallant (neutron_at_nspxistar.ca)
Date: 09/21/03
Date: Sun, 21 Sep 2003 10:50:47 -0400
Yeah, the sarc.com site was not too clear about when updates should be
expected, but auto-update in fact pushed the new defs out on the 18.
I think Richard's point below about IE6/IE5 is also worth stressing.
It is always good security practice to update your applications, particularly
the vulnerable browser and email clients, as soon as new versions or
security updates are available.
When I do a quick perusal of a friend's PC, I check:
- is their AV client defs. up to date?
- what version of web browser are they using (almost always way out of date!)
- if using OE/O email clients, are the basic security settings locked down?
- go to windowsupdate site and do a client scan, and recommend going to
that web page at least once a week
- oh yeah, mustn't forget the firewall (although I think for home users, firewalls
are highly overrated compared to other basic security measures <GD&R>)
I am constantly amazed at the number of clients that have AV software, but
who have not kept up their subscriptions (and who think they are virus-protected).
- Mitch
"Tom Pepper Willett" <tompepper@mvps.org> wrote in message
news:%23ZC0WvDgDHA.2364@TK2MSFTNGP09.phx.gbl...
> Look again. They updated the signature file on the 18th. Also intelligent
> updater.
>
> Tom
>
> "Richard Mueller" <rlmueller@ameritech.net> wrote in message
> news:052c01c38004$04282470$a401280a@phx.gbl...
> | I tend to agree. I am shocked that the latest signature
> | file from Symantec is dated 9/17/03 and does not recognize
> | W32.Swen. They don't plan to issue another until 9/24.
> | They directed me to an ftp site where I downloaded a beta
> | signature file that does recognize this, but most people
> | don't know to do this and are unprotected.
> |
> | Also, even people diligent enough to not click on the
> | *.exe attachment don't realize that reading one of the
> | many mail delivery failure messages can infect you. It
> | took me a long time to figure out that these things are
> | infected, even though they have no apparent attachment. My
> | IE is version 6, so I'm protected, but an unpatched IE 5
> | is vulnerable. The html source in the message uses
> | something called the iframe filedownload exploit to trick
> | IE into running a binary attachment. Almost no one knows
> | about this.
> |
> | Also, this has not yet been rated high risk or high
> | distribution. The Sobig.F virus was eventually (after
> | several days) rated 4 out of 5 by Symantec, but they still
> | rate Swen only 3. I think I received about 100 copies of
> | Sobig.F (or the related mail delivery failure messages).
> | So far I think I have about 600+ copies of Swen. Mail
> | servers are being flooded with this.
> |
> | It seems that most mail servers do not yet recognize this
> | virus. This was also the case with Sobig.F. Many copies of
> | both viruses are blocked because they are recognized as
> | spam, not because they are recognized as infected. Many
> | copies of the Sobig.F virus were rejected because of a bad
> | email address, but the message was scanned and declared
> | clean.
> |
> | Finally, many people get this spoofed message and go to
> | the Microsoft web site for guidance. I don't think they
> | get the information they need. And, the advice to alert
> | the isp of the sender of the message makes no sense. There
> | is no way to tell the real source of these things. How can
> | Microsoft recommend to complain to the guy whose address
> | was harvested from someone else's infected machine.
> |
> | Sorry for the ranting, but this is getting out of hand.
> |
> | Richard Mueller
> | Microsoft MVP Scripting and ADSI
> | >-----Original Message-----
> | >I think that this recent Swen virus seems to have
> | affected a group of
> | >people that have never seen this sort of thing before.
> | >
> | >Note that even diligent people who never open attachments
> | and
> | >are always up to date with their antivirus definitions,
> | this one seems
> | >to have become a real annoyance.
> | >
> | >It raises the spectre of a massive email meltdown in
> | which ISPs
> | >are not really prepared or sufficiently reactive for
> | massive mailbox
> | >overflowing with subsequent loss of important business
> | email.
> | >
> | >Better enterprises have good gateway email-blocking
> | infrastructure and
> | >fast-response teams, but that is not everyone by a long
> | shot!
> | >
> | >
> | >Also, a lot of folks actually believe they are infected
> | simply because
> | >they are being spammed with all this pseudo-MS viral
> | spam!!
> | >
> | >So, imo, a lot more needs to be done than just telling
> | people to
> | >not open email attachments, uptodate their AV defs, and
> | get a firewall,
> | >although these ARE essential rules to follow.
> | >
> | >It is not difficult to imagine that the virus planted in
> | the attachment
> | >could have been much more sinister .. (people keep saying
> | this, don't they?)
> | >
> | >In a sense, with email worm viruses, "you are who you
> | know" :-)
> | >
> | >Cheers
> | > - Mitch Gallant
> | > MVP Security
> | >
> | >
> | >
> | >.
> | >
>
>
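The case Richard describes above, a message with no apparent attachment whose HTML body uses an iframe to pull in an embedded binary, is something a mail gateway can check for. The following is an added example, not code from the thread: the function name, the extension list and the sample message are constructed for illustration, and it assumes the iframe references the embedded part by Content-ID (`cid:`).

```python
import email
import re
from email import policy

# Extensions Windows runs directly (illustrative list, not exhaustive).
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
# <iframe ... src="cid:..."> in an HTML body; captures the Content-ID.
IFRAME_CID = re.compile(r"<iframe[^>]+src\s*=\s*[\"']?cid:([^\"'\s>]+)", re.I)

# Constructed sample: a fake bounce whose HTML body frames an embedded part.
# The payload is the base64 of the text "not a real program".
SAMPLE = b"""\
From: postmaster@example.invalid
To: user@example.invalid
Subject: Undeliverable message
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>Undeliverable mail.
<iframe src="cid:att1" height=0 width=0></iframe></body></html>
--b1
Content-Type: application/octet-stream; name="notice.exe"
Content-Transfer-Encoding: base64
Content-ID: <att1>

bm90IGEgcmVhbCBwcm9ncmFt
--b1--
"""

def find_framed_executables(raw: bytes):
    """Return (filename, declared type) for executable parts an HTML body frames by cid."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    framed, by_cid = set(), {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part["Content-ID"]:
            by_cid[str(part["Content-ID"]).strip().strip("<>")] = part
        if part.get_content_type() == "text/html":
            framed.update(IFRAME_CID.findall(part.get_content()))
    hits = []
    for cid in framed & by_cid.keys():
        name = (by_cid[cid].get_filename() or "").lower()
        if name.endswith(EXEC_EXT):
            hits.append((name, by_cid[cid].get_content_type()))
    return sorted(hits)

if __name__ == "__main__":
    print(find_framed_executables(SAMPLE))
```

A hit means the message should be quarantined regardless of whether the AV signature set recognizes the payload yet, which covers the gap between an outbreak and the next definition update discussed in this thread.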