Original source vs. infected computers????


Adam A. Wanderer

Does anyone have any idea of how much this virus spew/spam is due to the
original source against how much is from infected computers. I don't
recognize any of this material as coming from anyone I know and none of the
headers show it to be from anyone I know. Thanks.
----------------------------------------------------------------------------
 
The description says it comes with its own mailer.

I have the same question though; I don't recognize any of the sender names.

I speculate it is somehow getting remote mailing lists.

Dan
 
Adam said:
Does anyone have any idea of how much this virus spew/spam is due to the
original source against how much is from infected computers. I don't
recognize any of this material as coming from anyone I know and none of the
headers show it to be from anyone I know. Thanks.

it doesn't have to be anyone you know... if you're talking about swen,
it scans newsgroups for valid looking email addresses to send emails
to... no address books required...
 
Dan Sawyer said:
The description says it comes with its own mailer.

I have the same question though; I don't recognize any of the sender names.

I speculate it is somehow getting remote mailing lists.

It is very possible that the virus itself is programmed to scan usenet for
email addresses, which would explain the volume that newsgroup posters are
getting.
 
That's not surprising that the addresses come from Usenet. Most, if
not all, of those worms I've received have been addressed to the
alternate address that I use only for Usenet posts.

I've made good use of the alternate address feature that earthlink allows,
so that suspected sources of spam get one of my alternates instead of my
normal address. Then my mail rules can easily put input to those addresses
into alternate inboxes. The one for Usenet almost never contains anything
that I want to keep, so it's easy to delete or drag the whole batch, after
perusing the header list *without opening any of them*.

For this post, though, I modified that address (by adding "fake"),
just because of that active worm.

Good luck, guys, especially you others on this thread who are using your
real addresses for the From field. Time to change?
 
from the wonderful said:
The description says it comes with its own mailer.

I have the same question though; I don't recognize any of the sender names.

I speculate it is somehow getting remote mailing lists.

If you read the various AV vendor sites you'll find that it scans .wab
(as usual), plus .dbx, .mbx, .htm, and various other files on the
infected PC, looking for '(e-mail address removed)' format strings. It can also
download Newsgroup messages and scan for 'from' and 'reply to' tags (the
latter is a first, afaik).
 
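The post above describes two harvesting paths: address-shaped strings pulled from files on the infected PC, and From:/Reply-To: headers pulled from downloaded news articles. The following is an added example, not code from the thread or from the worm, that models that harvesting over constructed input so a poster can check which of their own address variants would survive it. The "skip anything containing spam" rule is the speculation quoted later in the thread and is an assumption here; the sample article and .htm fragment are constructed for the example.

```python
import re
from email import message_from_string

# Address-shaped strings: this regex is the example's own approximation of the
# "(e-mail address removed)-format strings" the AV write-ups mention.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Assumption (from later speculation in the thread, not confirmed): addresses
# containing "spam" are dropped as probably munged or well filtered.
SKIP_MARKER = "spam"

# Constructed sample inputs.  The .htm fragment stands in for any harvested
# file (.wab, .dbx, .mbx, .htm all reduce to "text with addresses in it").
SAMPLE_HTM = (
    '<a href="mailto:alice@example.com">Alice</a> wrote to '
    'Adam <adam.fake@example.net> about the worm.'
)
SAMPLE_ARTICLES = [
    # A munged poster ("remove wax for reply"); the harvester takes it verbatim.
    "From: Steve M <steve.wax@example.net>\n"
    "Reply-To: Steve M (remove wax for reply) <steve.wax@example.net>\n"
    "Newsgroups: alt.comp.virus\n"
    "Subject: Re: Original source vs. infected computers????\n"
    "\n"
    "Body text mentioning carol@nospam.example.org is not a header.\n",
    # A poster whose address carries the "spam" marker.
    "From: Carol <carol@nospam.example.org>\n"
    "Newsgroups: alt.comp.virus\n"
    "Subject: Re: Original source vs. infected computers????\n"
    "\n"
    "Swen is News spelled backwards...\n",
]


def harvest_text(blob):
    """Every address-looking string in an arbitrary file body, lower-cased."""
    return {a.lower() for a in ADDR_RE.findall(blob)}


def harvest_article(raw_article):
    """Only From: and Reply-To: of one news article (headers, not body)."""
    msg = message_from_string(raw_article)
    found = set()
    for header in ("From", "Reply-To"):
        for value in msg.get_all(header, []):
            found |= harvest_text(value)
    return found


def keep(addr):
    """Apply the assumed 'skip munged-looking addresses' rule."""
    return SKIP_MARKER not in addr.lower()


def harvest(files, articles):
    """Combine both paths and return the deduplicated target list."""
    found = set()
    for blob in files:
        found |= harvest_text(blob)
    for article in articles:
        found |= harvest_article(article)
    return sorted(a for a in found if keep(a))


if __name__ == "__main__":
    for target in harvest([SAMPLE_HTM], SAMPLE_ARTICLES):
        print(target)
```

Two things the run shows: the munged "wax" address is harvested as-is and simply bounces, which is the "it would have to demunge mine" point, while the address containing "spam" is never targeted under the assumed rule. An address used only in the body of an article is not picked up by the header path at all, so a throwaway alias that only ever appears in From: is the one that gets hit.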
That's not surprising that the addresses come from Usenet.

Swen is News spelled backwards...
Most, if
not all, of those worms I've received have been addressed to the
alternate address that I use only for Usenet posts.

It would have to demunge mine before using, and I have been getting
them at this address. I'm also getting them on an address that was
only used publicly as a domain contact address. For these reasons I'd
say the ones I've been getting are almost exclusively from spammers'
computers - infected, or maybe not infected... YMMV

Oh, and those that make it through AOL's virus scanner appear to be
Swen "shooting blanks" - the executable file exists in name only and
otherwise contains nothing. There is no notice of it having been
cleaned, though it MAY have been somewhere along the line (but not by
AOL).

I'm usually the last one to get paranoid, but this puts me in mind of
recent DoS attacks on many DNS blocklist sites. As the anti-spammers
say, "somebody must be doing something right" to get this kind of
reaction. Just a thought.

Carol
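Carol's "shooting blanks" observation (an executable attachment present by name but empty) and the earlier advice to sort the batch from the header list without opening anything both come down to looking at attachment metadata and size. The following is an added example, not code from the thread, that triages a message's attachments the same way: flag executable names, flag anything with a PE "MZ" header regardless of name, and call out executable attachments with an empty payload. The extension list is this example's assumption, and the sample messages are constructed with the standard library rather than taken from real Swen traffic.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: extensions a mass-mailer would ship as its payload.
EXEC_EXT = (".exe", ".scr", ".pif", ".bat", ".com", ".cmd")


def build_sample(filename, payload):
    """Construct a test message carrying one attachment (sample data only)."""
    msg = EmailMessage()
    msg["From"] = "Software Update <update@example.invalid>"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Latest Upgrade"
    msg.set_content("Install the attached file to protect your system.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def triage(raw_message):
    """Return (name, size, verdict) for each suspicious attachment.

    verdict is "blank" for an executable name with no bytes behind it
    (the 'shooting blanks' case) or "executable" for a real executable,
    whether its name says so or only its MZ magic does.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        exec_name = name.endswith(EXEC_EXT)
        pe_magic = data[:2] == b"MZ"
        if exec_name and not data:
            verdict = "blank"
        elif exec_name or pe_magic:
            verdict = "executable"
        else:
            continue
        findings.append((name, len(data), verdict))
    return findings


if __name__ == "__main__":
    samples = {
        "real":   build_sample("patch.exe", b"MZ" + b"\x00" * 62),
        "blank":  build_sample("patch.exe", b""),
        "benign": build_sample("notes.txt", b"hello"),
        "renamed": build_sample("photo.jpg", b"MZ\x90\x00"),
    }
    for label, raw in samples.items():
        print(label, triage(raw))
```

The payload is only inspected for its first two bytes, so nothing gets executed or rendered; a mail rule that routes "blank" and "executable" verdicts straight to a quarantine folder gives the same effect as perusing the header list by hand.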
 
That's not surprising that the addresses come from Usenet. Most, if
not all, of those worms I've received have been addressed to the
alternate address that I use only for Usenet posts.

I have only received copies of Swen (at least 70 copies) at the main
address that AFAIK was never used on Usenet. It's the one that I give
only to personal friends and relatives, and business acquaintances.

I have always created alternate "throwaway" addresses for Usenet. The
newest one is about 10 days old. This address has not yet gotten a
copy of Swen. Somewhere I read some speculation that the virus (or
worm) actually ignores any address containing the word "spam", on the
chance that it is munged or has decent filtering from zombie
computers.

http://www.technewsworld.com/perl/story/31627.html

[Swen spreads] " ... through e-mail, Internet Relay Chat (IRC) and
peer-to-peer (P2P) networks. [such as Kazaa]."

I'm guessing that not more than 100-150 people have my regular email
address. Any one of them could be infected with Swen.
 
Steve M (remove wax for reply) said:
I have only received copies of Swen (at least 70 copies) at the main
address that AFAIK was never used on Usenet. It's the one that I give
only to personal friends and relatives, and business acquaintances.

Addresses are harvested from the victim's hard drive and news server,
so some of each type (friends and strangers) is no surprise. The worm
uses the default server (from the registry) or some from a hardcoded
list.
I have always created alternate "throwaway" addresses for Usenet. The
newest one is about 10 days old. This address has not yet gotten a
copy of Swen. Somewhere I read some speculation that the virus (or
worm) actually ignores any address containing the word "spam", on the
chance that it is munged or has decent filtering from zombie
computers.

http://www.technewsworld.com/perl/story/31627.html

[Swen spreads] " ... through e-mail, Internet Relay Chat (IRC) and
peer-to-peer (P2P) networks. [such as Kazaa]."

....also posts to usenet from what I've read both here and
on referenced sites (such as f-secure and Trendmicro).
 