Problems with "MS Security patch" mails (probably "Sven" worm)


Jan Krumsiek

Hi.

Every day I receive emails with "Microsoft Security updates" (I think it
is the Sven worm, is that correct?).

The problem is that there are around 100 of those messages every day on
each of my accounts. One of those emails is around 120kb so this is a
real problem for me and my email provider.

The next problem is that I don't seem to find any common pattern (in
subject, email or attachments)... nearly all messages differ from the
other ones... which makes it hard to create an appropriate filter to
block those mails.

Is there any known information on protection against this worm?

Regards,

Jan
 
Quoth the raven named Jan Krumsiek:
Is there any known information on protection against this worm?

Stop posting your email address in newsgroups. Mung it to:
(e-mail address removed)

Swen harvests addresses from Usenet posts, in addition to getting the
address book on the infected users' computers.
 
If you're using Outlook Express, you might try the "Mail Rules". Also,
there are several software programs and antiviral programs to block
viruses/worms/trojans and spam. You _might_ try the software search function
at http://www.download.com to start with. If nothing else, you might ask if
your ISP will add filtering software to his mail server.
 
Every day I receive emails with "Microsoft Security updates" (I think it
is the Sven worm, is that correct?).

No, it's Swen. Sven is the England manager.
The problem is that there are around 100 of those messages every day on
each of my accounts. One of those emails is around 120kb so this is a
real problem for me and my email provider.

A popular filtering package is mmm3
http://mmm3.sourceforge.net/


Jim.
 
Quoth the raven named James Egan:
No, it's Swen. Sven is the England manager.

Very few of the web pages and conversations about Swen mention that it
is "News" spelled backwards, and was not named for a Swedish guy...

Why? Because it's the first major virus to harvest addresses from
newsgroups! [Some don't know this.]
 
Hi Jan...

Jan Krumsiek said:
Hi.

Every day I receive emails with "Microsoft Security updates" (I think it
is the Sven worm, is that correct?).

The problem is that there are around 100 of those messages every day on
each of my accounts. One of those emails is around 120kb so this is a
real problem for me and my email provider.

The next problem is that I don't seem to find any common pattern (in
subject, email or attachments)... nearly all messages differ from the
other ones... which makes it hard to create an appropriate filter to
block those mails.

Is there any known information on protection against this worm?

Regards,

Jan

Try MailWasher...it works...

Jan :-)
 
Hi.

Every day I receive emails with "Microsoft Security updates" (I think it is
the Sven worm, is that correct?).

The problem is that there are around 100 of those messages every day on
each of my accounts. One of those emails is around 120kb so this is a real
problem for me and my email provider.

The next problem is that I don't seem to find any common pattern (in
subject, email or attachments)... nearly all messages differ from the
other ones... which makes it hard to create an appropriate filter to block
those mails.

Is there any known information on protection against this worm?

Regards,

Jan


Jan,

I have the following set up in ~/.procmailrc that might be of use:


###
# Swen detection / filtering
#
# Drop mail whose To: header is addressed to one of the forged host
# labels seen in the worm's traffic (h = act on the header only).
:0h
* To:.*\@(yourdomain|yourserver|mxserver|mxdomain|mailserver)\..*
/dev/null

# Drop mail whose body carries the worm's "security update" lure text
# (B = match against the body; procmail matches case-insensitively).
:0B
* .*this is the latest version of security update.*
/dev/null

# Tag (rather than drop) mail whose MIME boundary does not start with a
# hyphen: h = header only, f = filter through the pipe, w = wait for it.
# procmail has no non-greedy "*?"; the "?" here only makes the preceding
# ".*" optional, so the pattern behaves like ".*".
:0hfw
* ^Content-Type:.*boundary=\"[^-].*?\".*
| formail -I"Subject: [W32/Swen(1) Detected!]"

# Drop mail carrying an audio/* MIME part whose file name ends in an
# executable extension (the worm's attachment disguise).
:0B
* .*Content-Type:.*audio\/.*name=.*\.(exe|com|scr|pif|bat).*
/dev/null


The boundary content-type match hasn't actually been triggered yet.. but
I'm not worried.

Some retard posted my mail addy here in hopes to screw over my inbox.. I
deliberately collected all I could overnight. I ended up with about 70 or
so I think. I implemented the above filters the following morning and have
since had none (yup, zero). All legit mail still appears to be getting
through fine too (have been monitoring this). I'm sure there are possibly
other combinations of the To: header (I've added 2 extras there since I
implemented these rules) but so far, over the last week or so, I've been
sorted with the above =)


HTH.



Regards,

Ian
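As an added example, not Ian's code or anything else posted in this thread: the Python script below applies the same three heuristics as the procmail recipes above (a To: header addressed at one of the forged host labels, the "latest version of security update" sentence in the body, and an audio/* MIME part whose file name ends in an executable extension) to raw messages using the standard library's email parser. This also answers Jan's point about the lack of a common subject pattern: the structural MIME traits are far more stable than the subject text. Every message, address and file name in the script is constructed for the example, and the host labels are the placeholders from the recipe, which an admin would replace with what they actually observe.

```python
"""Triage mail for Swen-style traits using the heuristics from the thread's
procmail recipes. Added example, not the original poster's code; all
messages, addresses and file names below are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage

# Host labels the recipe's To: rule treats as forged recipients
# (placeholders from the recipe; an admin substitutes observed values).
FORGED_TO_HOSTS = ("yourdomain", "yourserver", "mxserver", "mxdomain", "mailserver")
FORGED_TO = re.compile(r"@(" + "|".join(FORGED_TO_HOSTS) + r")\.", re.I)
# Lure sentence the body rule matches on.
LURE_TEXT = re.compile(r"this is the latest version of security update", re.I)
# Executable extensions listed by the attachment rule.
EXEC_EXT = re.compile(r"\.(exe|com|scr|pif|bat)$", re.I)


def swen_indicators(raw: bytes) -> list[str]:
    """Return sorted indicator names for one raw RFC 822 message.

    An empty list means none of the heuristics fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if FORGED_TO.search(msg.get("To", "")):
        hits.add("forged-recipient-host")
    for part in msg.walk():
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        # The worm disguised its executable payload as an audio/* part.
        if ctype.startswith("audio/") and EXEC_EXT.search(fname):
            hits.add("audio-part-with-executable-name")
        # Only leaf text parts (not text attachments) are checked for the lure.
        if ctype in ("text/plain", "text/html") and not fname:
            if LURE_TEXT.search(part.get_content()):
                hits.add("security-update-lure-text")
    return sorted(hits)


def _build_sample_worm() -> bytes:
    """Constructed message imitating the lure described in the thread."""
    msg = EmailMessage()
    msg["From"] = "MS Security Center <security@example.invalid>"  # constructed forgery
    msg["To"] = "postmaster@mailserver.example.invalid"            # constructed
    msg["Subject"] = "Latest Microsoft Security Update"
    msg.set_content("Dear user, this is the latest version of security update. Install it now.")
    # Constructed placeholder bytes, not a real binary.
    msg.add_attachment(b"MZ placeholder bytes", maintype="audio",
                       subtype="x-wav", filename="patch.exe")
    return msg.as_bytes()


def _build_sample_legit() -> bytes:
    """Constructed ordinary message with a harmless attachment."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"   # constructed
    msg["To"] = "user@example.org"          # constructed
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes attached, see you tomorrow.")
    msg.add_attachment(b"%PDF placeholder bytes", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, builder in (("worm-like", _build_sample_worm), ("legit", _build_sample_legit)):
        print(label, "->", swen_indicators(builder()) or "no indicators")
```

Run against a real mailbox, one would feed each message's bytes to swen_indicators() and quarantine or tag on any hit, mirroring Ian's choice of tagging with formail for the less certain boundary check while dropping the high-confidence matches.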
 