Re: W32.SwenA@mm virus is so dammed annoying.
From: Phil Weldon (notdisclosed_at_example.com)
Date: 11/12/03
- Next message: Hector Santos: "Too many IE 6.0 problems since Update - need to revert"
- Previous message: Joe M: "Re: W32.SwenA@mm virus is so dammed annoying."
- In reply to: Joe M: "Re: W32.SwenA@mm virus is so dammed annoying."
- Next in thread: Veronica Loell: "Re: W32.SwenA@mm virus is so dammed annoying."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 12 Nov 2003 07:35:05 GMT
Magic Mail Monitor does not require a client. It is a stand-alone program
that can request partial downloads from a POP3 mail server (for example, the
first 25 lines only; which can be quite a saving since a full swenmail
message is about 150,000 bytes), then delete the message from the POP3
server based on the filters. Depending on how your e-mail is made available
by your ISP, MMM could function independently of any local mail program.
--
Phil Weldon, philweldonatmindjumpdotcom
For communication,
replace "at" with the 'at sign'
replace "mindjump" with "mindspring."
replace "dot" with "."
"Joe M" <huytuan@tpg.com.au> wrote in message
news:eNd2FQOqDHA.1672@TK2MSFTNGP09.phx.gbl...
> Thanks Phil, but this MMM3 seems to work only for an Outlook/Outlook Express
> client. It does not work for Exchange server or Lotus Domino Server. It
> happens that I've got a Lotus Domino Mail Server that replicates with an ISP
> Lotus Domino Mail Server and it is during this replication that all W32.Swen
> emails get through...
>
>
> "Phil Weldon" <notdisclosed@example.com> wrote in message
> news:8ejsb.10141$6c3.3780@newsread1.news.pas.earthlink.net...
> > The 'swen' worm and its effects, particularly on users with uninfected
> > machines
> >
> > The flood of e-mail ('swen-mail') is being generated by the 'swen' worm.
> > Locally, there is not much you can do to stop the flood. Below you will
> > find a discussion of the effects of the 'swen' worm and ways you can handle
> > the flood you are getting, even though your machine may not be infected,
> > and may be well protected.
> >
> > Only your ISP can stop the flood of 'swen' generated e-mail, by scanning
> > all e-mail for virus infection.
> >
> > Until your ISP or e-mail service begins to scan all e-mail for virus
> > infection, you can use a filter and a program that allows partial
> > downloading of e-mail messages (Veronica Loell posts information about
> > these filters quite often; the information is also available at
> > http://nakawe.sf.net/MMM3 .)
> >
> > Symantec, the publisher of Norton AntiVirus, has a description of the
> > worm, how to remove it, and removal tools at
> > http://www.symantec.com/avcenter/venc/data/w32.swen.a@mm.html . Other
> > publishers of antivirus programs have similar webpages. Note well,
> > removing this worm after your system has been infected is not a simple
> > task.
> >
> > The 'swen' worm can harvest e-mail addresses from newsgroup postings, so
> > it is very important to disguise your e-mail identity when posting to
> > Usenet newsgroups (like microsoft.public.security.virus and tens of
> > thousands of other active newsgroups.)
> >
> > "The worm also can search for e-mail addresses in various newsgroups. It
> > connects to NNTP servers listed in the SWEN1.DAT file, gets a list of all
> > newsgroups on that server and searches recent messages in these newsgroups
> > for 'nfrom:' and 'nreply-to:' tags. When such tags are found, the worm
> > gets e-mail addresses after them and writes them to the GERMS0.DBV file.
> > This way the worm can harvest a lot of e-mail addresses to send itself
> > to." (From F-Secure, http://www.f-secure.com/v-descs/swen.shtml )
> >
> > You can find out how at http://www.mailmsg.com/SPAM_munging.htm .
> > This worm has two main effects, and some secondary effects.
> >
> > I. Main effects
> >
> > A. It infects vulnerable systems and networks.
> >
> > B. It generates a FLOOD of infected e-mail that is sent to e-mail
> > addresses it harvests from infected machines and networks. These infected
> > e-mails are of two types:
> >
> > 1. An HTML message that looks like a legitimate Microsoft Security
> > Bulletin; the hotlinks in this message are valid Microsoft links, and will
> > even lead you to a description that will allow you to identify this e-mail
> > as bogus. The message has an attached 104 KByte file that contains the
> > worm. If you don't have all appropriate Microsoft security patches and
> > Service Packs installed, it may be possible for your system to be infected
> > EVEN IF YOU DON'T OPEN THE MESSAGE. So far, the body of this message is
> > always the same, though the Subject and From lines differ widely. This
> > message, so far, can easily be blocked by detecting the string 'Run
> > attached file' in the body (in fact, it would be a good practice to
> > consider ANY e-mail that contains this string AND has an attachment as
> > very, very likely to carry an infection.)
> >
> > 2. A plain text message that purports to be a notification of an
> > 'Undeliverable e-mail', with an attachment that purports to be a copy of
> > the undeliverable e-mail. This attached file is 104 KBytes long and
> > contains the worm. The Subject line, From line, and body present in
> > thousands of combinations, and probably will continue to mutate. Even
> > worse, real e-mail addresses harvested from infected systems and networks,
> > and from Usenet newsgroup posts are tagged onto this type of message,
> > causing one of the secondary effects.
> >
> > II. Secondary effects
> >
> > A. Spam effect
> >
> > 1. Mailboxes with an e-mail address that has been harvested from
> > infected systems, networks and Usenet newsgroup postings begin to be
> > flooded with infected e-mail.
> >
> > [Personal example: my machines are not infected, but this worm began to
> > flood my mailbox 17SEP03. I now receive more than 1500 infected e-mail
> > messages per day. I must empty my mailbox every 5 minutes, 24/7 to avoid
> > the possibility of having legitimate e-mail bounced. I had to install an
> > application just to segregate the cleaned, previously infected e-mail
> > from legitimate e-mail (standard spam blockers can't do this.) There are
> > filters and programs that can identify this 'swen-mail' and that require
> > downloading only a portion of an e-mail message to allow discarding or
> > keeping it based on whether it is 'swen-mail' or not. However, you still
> > must arrange to do this operation often enough to keep your mailbox from
> > overflowing past the general 10 MByte limit and bouncing subsequent
> > e-mail. About 80 'swen-mail' messages take up 10 MBytes of storage. If
> > you get 500 'swen-mail' messages per day, that means checking and
> > clearing your mailbox at least every four hours, 24/7, to ensure that no
> > valid e-mail messages are bounced.]
> >
> > B. Notifications from mail services that DO scan for infected messages,
> > but unfortunately do not realize that the e-mail addresses given for the
> > sender are either bogus or e-mail addresses harvested by the worm. Thus,
> > completely innocent mailboxes have insult added to injury.
> > ****
> >
> > What can you do locally as an individual (i.e. in a SmallOfficeHomeOffice
> > environment, and/or as a recreational user)?
> >
> > #1. You can use a remote virus scan from one of the antivirus program
> > publishers
> > THEN
> > #2. You can remove any infections discovered
> > THEN
> > #3. You install a good antivirus program, keep it active, keep the virus
> > definitions up-to-date (at the moment you should update these definitions
> > EVERY day), and set it to scan all incoming e-mails and downloads.
> > THEN
> > #4. You can install all appropriate Microsoft security patches and
> > Service Packs.
> > THEN
> > #5. You can consider additional security (DHCP server, firewall, boric
> > acid [for roaches], .....)
> >
> > If you begin to be flooded with these infected messages, COMPLAIN to your
> > ISP; send them this URL http://xtra.co.nz/products/0,,8969,00.html of an
> > ISP that scans incoming e-mail before passing it to a mailbox. Ask for an
> > increased mailbox size (if you are getting 1500 of these infected e-mails
> > per day, you will need a mailbox size over 150 MBytes just to avoid the
> > necessity of completely emptying it EVERY DAY.) Ask about the implicit
> > duty of the ISP to provide reliable e-mail service, and if they have
> > received notification of any pending class actions you might join. Ask if
> > they will unbundle their services so you can opt out of e-mail service
> > and save that cost. That's about all you can do about the e-mail flood;
> > only your ISP or other e-mail provider can come close to solving this
> > problem.
> >
> > When the e-mail flood becomes too painful, find an ISP or other e-mail
> > provider that DOES scan and discard infected e-mail before passing it to
> > your mailbox, and then change to that ISP and/or e-mail provider.
> > Changing your e-mail address is no solution; as soon as your new e-mail
> > address is harvested from an infected system or network, the problem
> > starts again.
> >
> > In the meantime you can use a filter and a program that allows partial
> > downloading of e-mail messages (Veronica Loell posts information about
> > these filters quite often; the information is also available at
> > http://nakawe.sf.net/MMM3 .)
> >
> > When a mailserver is scanning and not just deleting infected e-mail, but
> > is also sending an e-mail to notify the sender, write the administrator a
> > nasty note asking them to stop sending these notices.
> >
> > ****
> > That's about it; you can proof your system against infection, but only
> > changes at the mailserver level can stop reception of a flood of infected
> > e-mails and increasing numbers of inappropriate notices that you've sent
> > infected e-mail from arriving in your mailbox.
> >
> > Phil Weldon
> >
> >
> > --
> > Phil Weldon, pweldonatmindjumpdotcom
> > For communication,
> > replace "at" with the 'at sign'
> > replace "mindjump" with "mindspring."
> > replace "dot" with "."
> >
> > "Joe M" <huy.nguyen@mineman.com> wrote in message
> > news:eEF6riNqDHA.1740@TK2MSFTNGP12.phx.gbl...
> > > Who's the author of this f.ken W32.Swen.A@mm virus. What does he achieve
> > > from it??? I've got around 1500+ emails (all from a different email
> > > address every time) for the last few weeks since this virus came out.
> > > What joy or glory does he get from it I wonder?? I've got Symantec
> > > Antivirus to quarantine all emails with W32.Swen.A@mm attachments. But
> > > the f.ken thing just keeps coming and adds 100Mb per company email
> > > address a day. Which costs the company a huge amount of download
> > > internet traffic and money wasted for nothing. My mail hosting does not
> > > have a mail relay service which filters out the virus and the virus
> > > emails are just forwarded to the company. What can be done about it??
> > > Even if I have an inhouse mail server, the smtp emails would still be
> > > routed to the company before being denied and still accounted for in
> > > the internet download charges..
> > >
> >
>
>
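Below is an added example, not code from this thread and not Magic Mail Monitor's own code, showing the technique Phil describes: using the POP3 TOP command to pull only the first 25 lines of each message, deciding from those lines (plus the LIST size) whether it is swen-mail, and issuing DELE on the server so the ~150,000-byte body is never downloaded. The 'Run attached file' + attachment rule is the one stated in the post; the size band (130,000 to 170,000 octets), the "undeliverable/returned mail" keyword rule for the second variant, and the in-memory FakePOP3 stand-in with constructed sample messages are assumptions made here so the script runs offline. Against a live mailbox you would pass a poplib.POP3_SSL(host) object (after user()/pass_()) to sweep() instead.

```python
"""Sweep a POP3 mailbox for 'swen-mail' with partial downloads (POP3 TOP).

Added example; not code from the thread or from Magic Mail Monitor. Fetches
only the first N lines of each message with TOP, classifies from those lines
plus the LIST size, and DELEs matches on the server. Thresholds and FakePOP3
are assumptions so this runs offline; pass poplib.POP3_SSL(host) to sweep()
for a real mailbox.
"""
import re
from email.parser import BytesHeaderParser

# From the post: the 'Security Bulletin' variant always carries this string.
RUN_ATTACHED = re.compile(rb"run attached file", re.IGNORECASE)
# Assumption: size band around the ~150,000-byte full message the post cites.
SWEN_SIZE_BAND = (130_000, 170_000)
# Assumption: wording the 'Undeliverable e-mail' variant is described as using.
BOUNCE_WORDS = re.compile(r"undeliver|returned mail|failure")


def looks_like_swen(partial: bytes, size_octets: int) -> bool:
    """Classify one message from its TOP output and its LIST size in octets.

    Rule 1 (from the post): 'Run attached file' present AND multipart MIME
    (i.e. the mail carries an attachment).
    Rule 2 (assumption): multipart, in the Swen size band, and the subject
    or first body lines talk about undeliverable/returned mail.
    """
    msg = BytesHeaderParser().parsebytes(partial)  # headers only, body ignored
    if not msg.get_content_type().startswith("multipart/"):
        return False  # no attachment, so it cannot be the worm
    if RUN_ATTACHED.search(partial):
        return True
    lo, hi = SWEN_SIZE_BAND
    text = (msg.get("Subject", "") + " " + partial.decode("latin-1")).lower()
    return lo <= size_octets <= hi and BOUNCE_WORDS.search(text) is not None


def sweep(pop, top_lines: int = 25, dry_run: bool = False) -> list:
    """Flag (and unless dry_run, DELE) swen-mail; returns flagged numbers.

    `pop` needs poplib.POP3's list()/top()/dele() and their return shapes.
    Only the headers plus `top_lines` body lines per message cross the wire.
    """
    flagged = []
    _, listing, _ = pop.list()  # entries look like b"1 150190"
    for entry in listing:
        num, octets = (int(x) for x in entry.split()[:2])
        _, lines, _ = pop.top(num, top_lines)
        if looks_like_swen(b"\r\n".join(lines) + b"\r\n", octets):
            flagged.append(num)
            if not dry_run:
                pop.dele(num)
    return flagged


class FakePOP3:
    """Constructed in-memory stand-in for poplib.POP3 (offline testing only)."""

    def __init__(self, messages):
        self._msgs = list(messages)  # message number = index + 1
        self.deleted = set()

    def list(self):
        entries = [f"{i} {len(m)}".encode() for i, m in enumerate(self._msgs, 1)
                   if i not in self.deleted]
        return b"+OK", entries, sum(len(e) for e in entries)

    def top(self, which, howmuch):
        head, _, body = self._msgs[which - 1].partition(b"\r\n\r\n")
        lines = head.split(b"\r\n") + [b""] + body.split(b"\r\n")[:howmuch]
        return b"+OK", lines, sum(len(l) for l in lines)

    def dele(self, which):
        self.deleted.add(which)
        return b"+OK"


def _mime(subject: bytes, text: bytes, attach_len: int) -> bytes:
    """Constructed multipart/mixed sample; the attachment is 76-column padding."""
    pad = b"\r\n".join([b"A" * 76] * (attach_len // 78))
    return (b"From: someone@example.net\r\nSubject: " + subject + b"\r\n"
            b"Content-Type: multipart/mixed; boundary=\"sep\"\r\n\r\n"
            b"--sep\r\nContent-Type: text/plain\r\n\r\n" + text + b"\r\n"
            b"--sep\r\nContent-Disposition: attachment; filename=\"x.zip\"\r\n\r\n"
            + pad + b"\r\n--sep--\r\n")


# Constructed samples, not real captures: two Swen lookalikes, two legitimate.
SAMPLES = [
    _mime(b"Latest Net Security Update", b"Run attached file to install.", 150_000),
    _mime(b"Undeliverable Mail", b"Your message was not delivered.", 150_000),
    b"From: pal@example.net\r\nSubject: lunch?\r\n\r\nNoon works for me.\r\n",
    _mime(b"Holiday photos", b"Pictures from the trip, enjoy.", 150_000),
]

if __name__ == "__main__":
    box = FakePOP3(SAMPLES)
    print("flagged and deleted:", sweep(box))  # [1, 2]
```

The fourth sample matters as much as the first two: a legitimate 150 KB multipart message with a photo attachment is in the size band but carries neither the 'Run attached file' string nor bounce wording, so it survives. Run with dry_run=True first against a real mailbox and review what would be deleted before letting it DELE anything.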