Re: Swen annoyances to everyone: wakeup call
From: Richard Mueller (rlmueller_at_ameritech.net)
Date: 09/22/03
- Next message: Lanwench [MVP - Exchange]: "Re: _RussiaN_Balar_"
- Previous message: Silver Blade: "gremlin"
- In reply to: Tom Pepper Willett: "Re: Swen annoyances to everyone: wakeup call"
- Next in thread: Robert Moir: "Re: Swen annoyances to everyone: wakeup call"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 21 Sep 2003 16:01:29 -0700
You are correct. I was fooled because when I used
LiveUpdate on 9/19 and 9/20 it indicated no new signature
file. Further checking reveals Symantec updated their
virus signature file late 9/18. I guess this new one is
identical to the beta signature file I downloaded earlier
9/18.
However, I still wish Symantec would upgrade this threat
to Category 4 (out of 5). Sobig.F was category 4 at one
time. So far I have 10 times more copies of Swen. I also
see more reports of people with overloaded inboxes. My
guess is that some companies will discover a mess on
Monday morning.
Richard
>-----Original Message-----
>Look again. They updated the signature file on the 18th. Also intelligent
>updater.
>
>Tom
>
>"Richard Mueller" <rlmueller@ameritech.net> wrote in message
>news:052c01c38004$04282470$a401280a@phx.gbl...
>| I tend to agree. I am shocked that the latest signature
>| file from Symantec is dated 9/17/03 and does not recognize
>| W32.Swen. They don't plan to issue another until 9/24.
>| They directed me to an ftp site where I downloaded a beta
>| signature file that does recognize this, but most people
>| don't know to do this and are unprotected.
>|
>| Also, even people diligent enough to not click on the
>| *.exe attachment don't realize that reading one of the
>| many mail delivery failure messages can infect you. It
>| took me a long time to figure out that these things are
>| infected, even though they have no apparent attachment. My
>| IE is version 6, so I'm protected, but an unpatched IE 5
>| is vulnerable. The html source in the message uses
>| something called the iframe filedownload exploit to trick
>| IE into running a binary attachment. Almost no one knows
>| about this.
>|
>| Also, this has not yet been rated high risk or high
>| distribution. The Sobig.F virus was eventually (after
>| several days) rated 4 out of 5 by Symantec, but they still
>| rate Swen only 3. I think I received about 100 copies of
>| Sobig.F (or the related mail delivery failure messages).
>| So far I think I have about 600+ copies of Swen. Mail
>| servers are being flooded with this.
>|
>| It seems that most mail servers do not yet recognize this
>| virus. This was also the case with Sobig.F. Many copies of
>| both viruses are blocked because they are recognized as
>| spam, not because they are recognized as infected. Many
>| copies of the Sobig.F virus were rejected because of a bad
>| email address, but the message was scanned and declared
>| clean.
>|
>| Finally, many people get this spoofed message and go to
>| the Microsoft web site for guidance. I don't think they
>| get the information they need. And, the advice to alert
>| the ISP of the sender of the message makes no sense. There
>| is no way to tell the real source of these things. How can
>| Microsoft recommend complaining to the guy whose address
>| was harvested from someone else's infected machine?
>|
>| Sorry for the ranting, but this is getting out of hand.
>|
>| Richard Mueller
>| Microsoft MVP Scripting and ADSI
>| >-----Original Message-----
>| >I think that this recent Swen virus seems to have
>| >affected a group of people that have never seen this sort of thing before.
>| >
>| >Note that even for diligent people who never open attachments and
>| >are always up to date with their antivirus definitions, this one seems
>| >to have become a real annoyance.
>| >
>| >It raises the spectre of a massive email meltdown in which ISPs
>| >are not really prepared or sufficiently reactive for massive mailbox
>| >overflowing with subsequent loss of important business email.
>| >
>| >Better enterprises have good gateway email-blocking infrastructure and
>| >fast-response teams, but that is not everyone by a long shot!
>| >
>| >
>| >Also, a lot of folks actually believe they are infected simply because
>| >they are being spammed with all this pseudo-MS viral spam!!
>| >
>| >So, imo, a lot more needs to be done than just telling people to
>| >not open email attachments, keep their AV defs up to date, and get a firewall,
>| >although these ARE essential rules to follow.
>| >
>| >It is not difficult to imagine that the virus planted in the attachment
>| >could have been much more sinister .. (people keep saying this, don't they?)
>| >
>| >In a sense, with email worm viruses, "you are who you know" :-)
>| >
>| >Cheers
>| > - Mitch Gallant
>| > MVP Security
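The quoted post describes "mail delivery failure" messages with no visible attachment whose HTML body uses an iframe to make an unpatched IE 5 run an attached binary. The script below is an added example, written for this page and not code from the thread, from Symantec or from Microsoft. It scans a raw MIME message for that pattern: an <iframe> whose src is a cid: reference to a part that looks like a Windows executable, judged by filename extension or by the MZ header of the decoded payload rather than by the Content-Type the part declares. Both sample messages are constructed for the example; the suspect one deliberately declares a non-executable MIME type on the attachment (an assumption about how such mail may look, not a claim from the thread), and the extension list is likewise an assumption.

```python
import email
import re
from email import policy

# Constructed sample (not a real captured message): an HTML "delivery failure"
# body whose hidden <iframe> points at an attached PE file via a cid: reference.
# The attachment deliberately declares a non-executable Content-Type so the
# check below cannot rely on the declared MIME type. Addresses are invalid.
RAW_SUSPECT = b"""From: postmaster@example.invalid
To: user@example.invalid
Subject: Undeliverable Mail
MIME-Version: 1.0
Content-Type: multipart/related; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Your message could not be delivered.</p>
<iframe src="cid:attach001" width="0" height="0"></iframe>
</body></html>
--BOUND
Content-Type: audio/x-wav; name="report.exe"
Content-Transfer-Encoding: base64
Content-ID: <attach001>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--BOUND--
"""

# Constructed clean sample: a plain-text bounce with no HTML body at all.
RAW_CLEAN = b"""From: postmaster@example.invalid
To: user@example.invalid
Subject: Undeliverable Mail
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Your message could not be delivered.
"""

# Matches <iframe ... src="cid:XYZ"> with optional quotes and whitespace around '='.
IFRAME_CID_RE = re.compile(
    r'<iframe\b[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.IGNORECASE)
# Extensions Windows treats as directly executable; the list is an assumption.
EXEC_EXTENSIONS = ('.exe', '.scr', '.pif', '.com', '.bat')


def find_iframe_executable_refs(raw_bytes):
    """Return one finding per <iframe> in an HTML part that references an
    attached part looking like a Windows executable (filename or MZ header)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)

    # Index every part that carries a Content-ID, keyed without the <> brackets.
    parts_by_cid = {}
    for part in msg.walk():
        cid = part.get('Content-ID')
        if cid:
            parts_by_cid[str(cid).strip().strip('<>')] = part

    findings = []
    for part in msg.walk():
        if part.get_content_type() != 'text/html':
            continue
        html = part.get_content()
        for cid in IFRAME_CID_RE.findall(html):
            target = parts_by_cid.get(cid)
            if target is None:
                continue  # dangling reference: nothing attached to execute
            name = target.get_filename() or ''
            payload = target.get_payload(decode=True) or b''
            has_mz = payload.startswith(b'MZ')
            if has_mz or name.lower().endswith(EXEC_EXTENSIONS):
                findings.append({
                    'cid': cid,
                    'filename': name,
                    'declared_type': target.get_content_type(),
                    'mz_header': has_mz,
                })
    return findings


if __name__ == '__main__':
    for label, raw in (('suspect', RAW_SUSPECT), ('clean', RAW_CLEAN)):
        print(label, find_iframe_executable_refs(raw))
```

Run against a mail spool or a gateway quarantine, a non-empty result from find_iframe_executable_refs is a reason to block the message even when the signature scanner still declares it clean, which is the gap the post complains about: the executable is reachable from the HTML body without the recipient ever clicking an attachment.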