LET'S STOP THE SWEN VIRUS AND GET THE GUY

  • Thread starter: Steve

Steve

Let's combine forces and see if we can stop the Swen virus
that is coming off email addresses harvested from this
site. I think that someone is deliberately maintaining a
database and hitting those who post here, because the
virus is hitting mostly those who posted here.

To determine where the emails are coming from, choose one
that has been through the Norton or McAfee AV to be sure
the virus is stripped off. Right-click on it and select
Properties (JUST TO BE SAFE, DO NOT OPEN IT UNDER ANY
CIRCUMSTANCES). Choose the Details tab, then Message Source.
There is a line, about 5 down, that reads "Message-ID."
Just above that is a line which reads "Received: from"
followed by an IP address and computer name. That is
probably where that email originated. If you recognize who
sent it, call them. If you don't recognize them, post the
IP and computer name here. Let's see if we are all getting
hammered by the same people or many different ones. The
only people I know who are getting hammered are those who
posted their email addresses on this site.
 
Received: from qvbrsgbx (bb-203-125-108-2.singnet.com.sg [203.125.108.2])
    by smtp22.singnet.com.sg (8.12.10/8.12.9) with SMTP id h8Q7ZiK1004652

Received: from qrxf (bb-203-125-108-2.singnet.com.sg [203.125.108.2])
    by smtp22.singnet.com.sg (8.12.10/8.12.9) with SMTP id h8Q7cOK1015866;
 



I use Microsoft Outlook that comes with Office XP (SBE). Is there any
way in there to find out the message transfer details like in Outlook
Express?

I have searched all over and still cannot find it, because it would be
really handy for me to then program my firewall to block this IP.
 
Steve said:
Let's combine forces and see if we can stop the Swen virus
that is coming off email addresses harvested from this
site. I think that someone is deliberately maintaining a
database and hitting those who post here, because the
virus is hitting mostly those who posted here.
[...]


http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

Note:

"Transmission through newsgroups
The worm will enumerate the registry looking for newsgroup server
addresses, then attempt to contact that newsgroup server. If a
newsgroup server is not configured on the system, the worm will
randomly select one from a predefined list. The worm will download
the available groups and post messages to randomly selected groups.
The messages posted to the newsgroups are generated according to the
same routine used for sending email."
 
To view the header in Outlook, right-click the entry in your inbox and select
"Options". A very strange way to access headers.....

With regard to the strategy of snooping to find who sent them, and whether they
are one or more: it is likely an uphill battle, however noble in intent. You WILL
find that there are multiple senders (even if it is one!). That is the
nature of spamming, I'm afraid.
 
yes.

One is not looking for the email address that it is from
but rather the initiating IP address. Sometimes one will
get 20 different senders but the source is all the same IP
address. That address can be tracked back to an ISP
usually. Send the admin at the ISP a note that you think
the IP address is sending out viruses (copy the header to
show them) and let the ISP deal with it. Usually they
will because it is affecting them and it can infect their
servers and cause much damage to them. They'll turn off
that IP and tell the owner to fix it before coming back
online.
 
I think it would be better if the repository of addresses is on a webpage,
instead of Usenet. Anyone game?
 
Waste of time.
The OP is working under the assumption that it's mostly people posting to
this group that are getting hit. That is not the case. I have gotten as many
as 1800 copies in less than an hour on our server, and not a single one of
our users posts to ANY groups. The virus is widespread, not just in the
groups.
There is nothing really special about this worm or the way it spreads. The
only reason it is doing so well is the fact that people do not know any
better and think it is really from MS and install it.
Just read through the groups and you can see how many people have said they
installed it and just wanted the notifications to stop, not realising it was
a virus until someone told them. The only way to stop it is to educate users
NOT to open attachments they receive unless they know for a fact where it
came from.
 