Internet worm Sven seems to mutate

Thread starter: Wim Hamhuis

Wim Hamhuis

Sometimes it *PASSES* the scanner, and sometimes it is detected. How is this
possible?

With friendly greetings,
Wim Hamhuis
The Netherlands

I'm getting LOADS of e-mails over here saying "the infection is removed by
X-scanner" but I downloaded the patch from Microsoft on the WEBSITE
www.windowsupdate.com so my attachments will not automatically open. As a
result of this I threw away the infected messages which came through the
X-scanner anyway.

Keep your systems patched ONLY via WEBSITE, NEVER via E-MAIL.
 


I'm seeing many apparent SWEN emails that seem broken. They have
a MIME attachment labeled as application/x-msdownload, with
a name usually ending in ".exe", but no base64 data in that
MIME partition. There are usually a couple of GIFs
enclosed too.

Whether this is some silent anti-virus work by some ISPs' mail
servers or what, I don't know. But a zero length .exe file is
not going to trigger an antivirus scanner.

Using Linux, these are just nuisance emails to me, but I
have spamassassin flagging most of them with the following
rules:

score MICROSOFT_EXECUTABLE 6.000

header REPAIRED_VIRUS X-Virus-Scan-Result =~ /Repaired/
describe REPAIRED_VIRUS Someone caught a virus for us
score REPAIRED_VIRUS 6.000


The MICROSOFT_EXECUTABLE rule comes with spamassassin, and I just changed its
score to make .exe's (it actually tests the binary file despite the name)
always spam.

The REPAIRED_VIRUS rules I made up to take advantage of when Roadrunner's
incoming mail scanner catches a virus. It inserts a header I could
make spamassassin key on.

Still pondering how to make it catch these 'empty' messages.
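An added example, not part of the thread: a small Python scorer that applies the two rules quoted in the post above (the executable-attachment rule, reconstructed here as a check for the "MZ" DOS/PE header in the decoded attachment, which is what the poster says the stock rule does; and a header rule matching "Repaired" in X-Virus-Scan-Result) plus an assumed third rule, EMPTY_EXECUTABLE, for the "empty .exe" variant the poster was still pondering. The rule scores, the 5.0 required score, the builder helper and all five sample messages are constructed for this example; nothing here is SpamAssassin's own code.

```python
"""Constructed example, not from the thread: score MIME mail the way the
SpamAssassin rules quoted above do, plus an assumed extra rule for the
'empty .exe' variant. The sample messages are made up for this example."""
import base64
from email import message_from_string
from email.message import Message

# Assumed scores mirroring the post's 6.000 per rule; 5.0 is the usual
# SpamAssassin required_score.
SCORES = {
    "MICROSOFT_EXECUTABLE": 6.0,  # attachment that really is a PE/DOS binary
    "REPAIRED_VIRUS": 6.0,        # upstream scanner header says "Repaired"
    "EMPTY_EXECUTABLE": 6.0,      # .exe part with no payload (assumed rule)
}
REQUIRED_SCORE = 5.0


def executable_parts(msg: Message):
    """Yield leaf parts that claim to be an executable by MIME type or name."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/x-msdownload" or name.endswith(".exe"):
            yield part


def score_message(raw: str):
    """Return (total score, sorted rule names hit) for one RFC 822 message."""
    msg = message_from_string(raw)
    hits = set()
    if "Repaired" in msg.get("X-Virus-Scan-Result", ""):
        hits.add("REPAIRED_VIRUS")
    for part in executable_parts(msg):
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"MZ"):      # DOS/PE header: judge content, not the name
            hits.add("MICROSOFT_EXECUTABLE")
        elif not payload:                  # labelled .exe, but nothing in the part
            hits.add("EMPTY_EXECUTABLE")
    hits = sorted(hits)
    return float(sum(SCORES[h] for h in hits)), hits


def is_spam(raw: str) -> bool:
    return score_message(raw)[0] >= REQUIRED_SCORE


def build_mime(top_headers, parts, boundary="B1"):
    """Assemble a multipart/mixed message from (part-header-block, body) pairs."""
    lines = [f"{k}: {v}" for k, v in top_headers.items()]
    lines += ["MIME-Version: 1.0",
              f'Content-Type: multipart/mixed; boundary="{boundary}"', ""]
    for headers, body in parts:
        lines += [f"--{boundary}", headers, "", body]
    lines.append(f"--{boundary}--")
    return "\n".join(lines) + "\n"


# Constructed samples. The GIF is a 1x1 transparent image; the "binary" is a
# fake MZ header padded with zeros, enough for the content check and nothing else.
GIF_B64 = "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"
FAKE_PE_B64 = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 28).decode()
EXE_HDRS = ('Content-Type: application/x-msdownload; name="patch.exe"\n'
            'Content-Transfer-Encoding: base64\n'
            'Content-Disposition: attachment; filename="patch.exe"')
GIF_HDRS = 'Content-Type: image/gif; name="logo.gif"\nContent-Transfer-Encoding: base64'
HTML = ("Content-Type: text/html", "<html><body>Install this update now.</body></html>")
BASE = {"From": "updates@example.com", "To": "wim@example.invalid",
        "Subject": "Latest Internet Security Update"}

SAMPLES = {
    # the 'broken' variant from the post: .exe part with no base64 data, GIF present
    "empty_exe": build_mime(BASE, [HTML, (EXE_HDRS, ""), (GIF_HDRS, GIF_B64)]),
    # a complete copy: the attachment really is a binary
    "real_exe": build_mime(BASE, [HTML, (EXE_HDRS, FAKE_PE_B64)]),
    # upstream scanner emptied the attachment and stamped the header
    "repaired": build_mime({**BASE, "X-Virus-Scan-Result": "Repaired"},
                           [HTML, (EXE_HDRS, "")]),
    # .exe by name only; the content is text, so the binary check does not fire
    "renamed_text": build_mime(BASE, [(EXE_HDRS, base64.b64encode(b"just text").decode())]),
    # no executable part at all
    "clean": build_mime(BASE, [HTML, (GIF_HDRS, GIF_B64)]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:13s} {score_message(raw)}  spam={is_spam(raw)}")
```

The "empty_exe" case is the one the stock rule misses: there is no binary to test, so only the assumed EMPTY_EXECUTABLE rule catches it, and a "repaired" message from the ISP scanner typically trips both that rule and the header rule. The "renamed_text" case shows why the content check matters in the other direction: a filename alone proves nothing.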
 
Wim Hamhuis pounced upon this pigeonhole and pronounced:
... but I downloaded the patch from Microsoft on the WEBSITE
www.windowsupdate.com so my attachments will not automatically open. ...

Some of the upgrades/patches reset the option to open attachments, without
telling you. In your Outhouse Express:

Tools > Options > Security:
[ ] Do not allow attachments to be saved... etc.

This gets [X] by the upgrade/patch.
Keep your systems patched ONLY via WEBSITE , NEVER via E-MAIL.

MS never ever emails patches, or any other software.
 
Nurk said:
I put on the patch ages ago and I'm still being bombarded. This is obscene.

I don't understand this logic... what makes you think patching *your*
system is going to do anything about the other systems sending you email?
 
I've gotten at least one email that looked like swen, but the virus
wasn't detected by my antivirus (in many other emails swen was
detected). I sent it to the f-prot support people but haven't heard
back from them yet.
 
Wim Hamhuis said:
Sometimes it *PASSES* the scanner, and sometimes it is detected. How is this
possible?

Assuming this is true (and I have no reason to doubt you) it could
be that the definition used needs to be tweaked somewhat.
 
FromTheRafters said:
Assuming this is true (and I have no reason to doubt you) it could
be that the definition used needs to be tweaked somewhat.

or that the worm has been neutered... or that it has cross-bred with
something else...
 
FromTheRafters said:
Assuming this is true (and I have no reason to doubt you) it could
be that the definition used needs to be tweaked somewhat.

Well, yesterday I continued to delete my inbox for sven spam mail, but
then something weird happened. I couldn't right-click the messages
anymore, to see their properties. Then the delete function was
disabled. I continued to shut down outlook rusty express and went to
look at website www.bitdefender.com to download the removal tool to
clean my obviously infected computer.

But it detects nothing. Then I wanted to do a memory scan to see
what's in the memory, what shut down the delete option in Outlook
Express. But then something really wrong happened. My computer
suddenly froze and smoke came out the vents. Quickly I powered down
the system.

When I opened the cabinet, the cooler was glowing red.

I have my system still turned off now, but when I return home I will
examine it. Maybe the virus program has a payload which destroys the
processor, especially an old Pentium Cyrix 686, by maxing out the
processor time.

I am now with a friend who has a Mac. I hope to repair my system soon.

With friendly greetings,
Wim Hamhuis
 
You should have shut off your computer when it first froze, instead of
playing around with it. Could be your hard disk literally froze and you
allowed it to burn up, literally. Always be absolutely certain that your hard
disk is spinning freely; listen to the sound from the hard disk, for instance. If not
certain, immediately unplug the computer.
 
scoopdamedia said:
You should have shut off your computer when it first froze, instead of
playing around with it.

I did and my system is functioning again, full force. I'm glad I turned it
off in time. This was the result of a not too careful fly who ended up in
pieces by the cooler vent.

Could be your hard disk literally froze and you
allowed it to burn up, literally.

Well, it seemed it took the heat but didn't burn up.

Always be absolutely certain that your hard
disk is spinning freely; listen to the sound from the hard disk, for instance. If not
certain, immediately unplug the computer.

I did and this saved my system because I was in time.

All attachments have length 156kB and 144kB, and the attachment is 106kB;
it's I-net worm SVEN, it will fill up all mailboxes throughout the world if
it's not stopped.

I delete every mail from it; today I had 419 mails with virus spam and still
counting...

Wim Hamhuis
 