Re: SWEN virus

From: Matt Scarborough (vexversa_at_verizon.net)
Date: 09/27/03


Date: Sat, 27 Sep 2003 03:23:50 +0000


On Fri, 26 Sep 2003 11:49:47 GMT, Phil Weldon wrote
<vJVcb.13760$ai7.723@newsread1.news.atl.earthlink.net>

> Well, the fact that 'swen' is 'news' backwards is of little help, since
> neither string (word) appears in either type of infected e-mails.

The palindrome was used to illustrate that the NNTP propagation method is known to
a lumbering Microsoft and Microsoft's antivirus partners.

> Any solution specific to THIS set of infected e-mail, while better than
> nothing, won't help with the next.

Copies of W32/Swen@MM are propagating to msnews.microsoft.com from infected
users and are available to readers of, for example, microsoft.public.security.virus.

News:/msnews.microsoft.com/microsoft.public.security.virus
is a prominent and repeated link at microsoft.com. For example, subscribing to
microsoft.public.security.virus is recommended in

MSKB article "826955 - Virus Alert About the Blaster Worm and Its Variants,"
http://support.microsoft.com/?kbid=826955

"Improving Web Application Security: Threats and Countermeasures"
http://microsoft.com/downloads/details.aspx?FamilyId=E9C4BFAA-AF88-4AA5-88D4-0DEA898C31B9

and is a second tier group under Community Newsgroups
     Security
          Virus Discussion
at
http://support.microsoft.com/newsgroups/default.aspx

So,

* We have a live worm writhing its way around the Internet, posting
auto-executing content directly to msnews.microsoft.com

* Those infected posts are not being control canceled or removed in a timely
fashion, or not being removed at all.

* We expect users seeking help for virus related issues to connect their
Outlook Expresses to microsoft.public.security.virus and start downloading
messages into their preview pane (the default for users already affected by
Swen.)

* A unique string that could be used to flag and instantly remove existing
posts from the message store, and halt further propagation, and meant to be
helpful and immediate and an encouragement to the untiring Bill, is somehow...
not enough or wrong or not far reaching enough or has no new features or what?

Is this from the same camp announcing an RPC firewall is in development for
the next generation of Windows to protect against last month's Blaster
outbreak?

Maybe I'm just nuts, but halting virus propagation on servers and networks just
feels right. Especially when we encourage users to visit those same (infected)
servers for help with virus related issues.

Matt Scarborough 2003-09-27

PS: Another incoming virus from a Swen infected user posted on
2003-09-26 17:38:29 Check the
Path: TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
before telling me this isn't under Microsoft control...

From: "SAND GONES" <bqaeisbyq_ntrehmmg@phd.com>
Subject: Check out the corrective package from Microsoft Corp.
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="iaolgmxvnuv"
Message-ID: <OcafAUFhDHA.3784@tk2msftngp13.phx.gbl>
Newsgroups:
microsoft.public.scripting.wsh,microsoft.public.security,microsoft.public.security.hfnetchk,microsoft.public.security.toolkit,microsoft.public.security.virus,microsoft.public.serverappliance,microsoft.public.servicesforunix.general,microsoft.public.sfn5.beta
Date: Fri, 26 Sep 2003 10:38:29 -0700
NNTP-Posting-Host: 81.193.105.70
Path: TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
Lines: 1
Xref: TK2MSFTNGP08.phx.gbl microsoft.public.security:37712
microsoft.public.security.hfnetchk:3618 microsoft.public.security.toolkit:2080
microsoft.public.security.virus:30558 microsoft.public.serverappliance:1225
microsoft.public.servicesforunix.general:6275 microsoft.public.sfn5.beta:791
microsoft.public.scripting.wsh:64570
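
An added example, not part of the original post: a news-server operator's triage of the headers quoted above, showing what the Path and Message-ID reveal about where the article entered the network and whether it qualifies for local removal. The names `triage`, `removal_queue`, `own_suffix` and `marker` are assumptions made for this sketch; the "unique string" the post refers to is not on this page, so `marker` is an operator-supplied stand-in.

```python
from email import message_from_string

# Headers copied from the article quoted in the post (Lines and Xref omitted).
SAMPLE = '''From: "SAND GONES" <bqaeisbyq_ntrehmmg@phd.com>
Subject: Check out the corrective package from Microsoft Corp.
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="iaolgmxvnuv"
Message-ID: <OcafAUFhDHA.3784@tk2msftngp13.phx.gbl>
Newsgroups: microsoft.public.scripting.wsh,microsoft.public.security,microsoft.public.security.hfnetchk,microsoft.public.security.toolkit,microsoft.public.security.virus,microsoft.public.serverappliance,microsoft.public.servicesforunix.general,microsoft.public.sfn5.beta
Date: Fri, 26 Sep 2003 10:38:29 -0700
NNTP-Posting-Host: 81.193.105.70
Path: TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
'''

def triage(raw, own_suffix):
    """Summarise where an article entered the network and how widely it was cross-posted."""
    msg = message_from_string(raw)
    # Each relay prepends its name to Path, so the rightmost entry is the
    # injection point (in this sample there is no trailing pseudo-entry).
    hosts = [h.strip().lower() for h in msg["Path"].split("!") if h.strip()]
    groups = [g.strip() for g in msg.get("Newsgroups", "").split(",") if g.strip()]
    msgid_host = msg["Message-ID"].strip().strip("<>").rsplit("@", 1)[-1].lower()
    return {
        "message_id": msg["Message-ID"].strip(),
        "injected_at": hosts[-1],
        # True when every relay in the Path belongs to the operator's own domain.
        "path_all_local": all(h.endswith(own_suffix) for h in hosts),
        # True when the Message-ID was minted by one of the operator's servers.
        "msgid_local": msgid_host.endswith(own_suffix),
        "posting_host": msg.get("NNTP-Posting-Host"),
        "crosspost_count": len(groups),
        "multipart_mixed": msg.get_content_type() == "multipart/mixed",
    }

def removal_queue(articles, own_suffix, marker):
    """Message-IDs of locally injected articles whose text contains the operator's marker."""
    queue = []
    for raw in articles:
        info = triage(raw, own_suffix)
        if info["path_all_local"] and info["msgid_local"] and marker in raw:
            queue.append(info["message_id"])
    return queue

if __name__ == "__main__":
    print(triage(SAMPLE, ".phx.gbl"))
```

For the quoted article, both Path entries and the Message-ID host end in `.phx.gbl`, so it never left the hosting network before being served to readers and its removal is entirely in the operator's hands.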


