Swen.A

Thread starter: WB5803
Is there a virus that
PC-Cillin 2002 and NOD32 did not find that could have done this?

Probably, but unless you have a crystal ball we can borrow we won't have an
answer to your relative's problem.
 
I was just
trying to find out if there is a known virus doing the rounds now that
can crash a computer and is picked up by Norton only after rebooting.

It's very possible.
 
(e-mail address removed) pounced upon this pigeonhole and pronounced:
Since I installed NOD32 several days ago I have been getting dozens of
emails/day with the Win32/Swen.A worm. Today of a total of 303 emails
26 claimed to come from MS and contained Swen. Does everyone get this
sort of numbers of Swen in a day? Until yesterday I was using OE and
tried blocking the senders but without effect. Now OE won't connect to
the mail server so I have switched to Netscape mail.

Is that your real email address up there? Well, that's why you are
getting the Swen. This virus harvests addresses from Usenet. Learn to
mung. (e-mail address removed)

BTW, Microsoft never sends patches via email. I'm sure you didn't execute
any of them, right?
IE 6 has been unable to access the internet for some time now, and now that OE
has also stopped accessing the mail, I was wondering if the problem
might be caused by an undetected virus. I have tried updating both and
reinstalling W2k but still neither will work.

Sounds like you've infected yourself... :-(
 
Since I installed NOD32 several days ago I have been getting dozens of
emails/day with the Win32/Swen.A worm. Today of a total of 303 emails
26 claimed to come from MS and contained Swen. Does everyone get this
sort of numbers of Swen in a day? Until yesterday I was using OE and
tried blocking the senders but without effect. Now OE won't connect to
the mail server so I have switched to Netscape mail.

IE 6 has been unable to access the internet for some time now, and now that OE
has also stopped accessing the mail, I was wondering if the problem
might be caused by an undetected virus. I have tried updating both and
reinstalling W2k but still neither will work.

Thanks
Mike
 
WB5803 said:
Probably, but unless you have a crystal ball we can borrow we won't
have an answer to your relative's problem.


Hummm. Has anyone a Web address where to buy this kind of ball? Sounds to
me it's an indispensable complement to any antivirus software right now.
Isn't it?

lol
 
I have just received a phonecall from a relative who said his computer
crashed within 2 minutes of reading an email I sent him and after
switching the power off and back on his Norton AV program spent more
than an hour cleaning up his computer. He is blaming my email, sent
with the OE that can now send but not receive. Is there a virus that
PC-Cillin 2002 and NOD32 did not find that could have done this?

Thanks
Mike
 
I realize no one can tell me exactly what the problem is. I was just
trying to find out if there is a known virus doing the rounds now that
can crash a computer and is picked up by Norton only after rebooting.

Mike
 
(e-mail address removed) pounced upon this pigeonhole and pronounced:
I have not opened any of the MS attachments, even before I installed
NOD32. I know MS updates from the web, I use it myself, and suspected
they could be infected. I right clicked on the message to block the
sender and delete it.

Look at the headers of these messages you're blocking. It is likely that
they are all "from" different addresses (noting that Swen frequently comes
in pairs). What you are probably doing is adding to a huge blocked sender
list for one occasion of each. The address will never be seen again, and
just waste processing on your computer.

You're still not munging your address. More Swen will come...
 
(e-mail address removed) pounced upon this pigeonhole and pronounced:

Is that your real email address up there? Well, that's why you are
getting the Swen. This virus harvests addresses from Usenet. Learn to
mung. (e-mail address removed)

BTW, Microsoft never sends patches via email. I'm sure you didn't execute
any of them, right?

I have not opened any of the MS attachments, even before I installed
NOD32. I know MS updates from the web, I use it myself, and suspected
they could be infected. I right clicked on the message to block the
sender and delete it.
 
I have not opened any of the MS attachments, even before I installed
NOD32. I know MS updates from the web, I use it myself, and suspected
they could be infected. I right clicked on the message to block the
sender and delete it.

You don't need to open any attachments.

This swen scans for certain newsgroups only, not all of them.
The list is posted somewhere.
Microsoft groups are in the set. Because that's the target, Microsoft
users.

I did the following recently:

we added to our helpdesk a new email address on 10/31:

(e-mail address removed)-html.org

so participants in the helpdesk can post free help under a helpdesk
address, where email answers would end up in a pool.

The first swen email came in not even 30 minutes after the news group
posting started to show up in news servers (we found the first posting
appeared about 1:30 after the sending of the post, all posted via
deja.com).

From then on we receive a couple of swen emails an hour on that
address, from all over the globe.

Here is how we actually stop now, after watching long enough, the
swine trickle we receive (note, I do not capitalize the first letter,
and write the real name of the author instead ;-} ):


(e-mail address removed)-html.org is never sending email, only receiving,
and functioning as handle for free help we post here and there.

So there is no reason for helper@ to ever receive a bounce email like that fake
non-delivery notification.
We filter all delivery failure notifications that come in for
(e-mail address removed)-html.com (and spam goes to the spam registration
network, so spammers who hit it are actually instantly flagged
worldwide! that's another reason we decided to use a real email, we
want the spam there!).

Each swine infestation sends two emails:
one that delivery notification, which we can delete on a purely
inbound mailbox.
The other is that nice microsoft announcement.

It has a typical Asian grammatical flaw (nothing against Asians, but
if you read a lot of Asian system and device manuals, you get the hang
of the typical grammatical errors made):

The text sez:

this is the latest version of security update, the
"November 2003, Cumulative Patch" update which eliminates
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express
as well as three newly discovered vulnerabilities.

Analysis:

1) article missing in front of 'security update'
2) bad run-on
3) logic break through the sentence: it starts to enumerate affected
systems, but continues the enumeration with unrelated, opposite objects,
'three newly discovered vulnerabilities': the enumeration set contains
objects of opposite semantics.

This is so easy to filter:

filter all incoming mail this way:


if the body contains "the latest version of security update, the" then
discard.


So, to avoid having to deal with swine mails due to newsgroup
postings while still having a real email address so people can
answer:

1) use a purely inbound address for news posting
since that address never sends email, you can discard
any and all 'delivery notification' messages, that look
like smtp delivery notifications in the mail body
2) discard all incoming email everywhere, that has that typical
grammar error. Chances are very slim anyone will receive a real
email with exactly that string in the message body

Then we do for all other incoming mailboxes, where from time to time a
swen message arrives, not due to news group postings, but due to
communication with people who have infected systems:


You need the ability to filter the entire email body. This means, no
interpretation of attachments or attachment boundaries: an email
source based filter:


All swineries contain exactly the same binary:
it starts with a new mime section boundary and is always exactly
identical:

start quote:

--efhfnkvwjj--

--logsyswfzd
Content-Type: application/x-msdownload; name="q434688.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAAB+i6hSOurGATrqxgE66sYBQfbKATvqxgG59sgBLerGAdL1zAEA6sYBWPXV
ASvqxgE66scBnurGAdL1zQEx6sYBguzAATvqxgFSaWNoOurGAQAAAAAAAAAAUEUAAEwBBABwy2E/
AAAAAAAAAADgAA8BCwEGAADQAAAAQAEAAAAAAIWuAAAAEAAAAOAAAAAAQAAAEAAAABAAAAQAAAAA


end quote

SMTP based filter software can filter for that string:


if the message body contains 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ' then
discard.


This gets rid of all those.
Nope, I don't keep statistics on how many get killed in all the different
systems we are running.


Here is what Joe normaluser can do:


So, the filter hints should help you, and the news posting strategy (post
with a purely inbound email address) should enable you to eliminate all
worm emails that would come in due to news group postings.

And both filters help to eliminate the very few emails you get when
you accidentally communicate with an infected system.


It's not rocket science! Most email providers have filtering
capabilities.

One very good one I can recommend: attglobal.net
Best for POP3 based email, they have a very good spam flagging system,
and can support the filters described in this email.

Mike, one of the (e-mail address removed)-html.org



 
All swineries contain exactly the same binary: it starts with a new mime
section boundary and is always exactly identical:

start quote:

--efhfnkvwjj--

--logsyswfzd
Content-Type: application/x-msdownload; name="q434688.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAAB+i6hSOurGATrqxgE66sYBQfbKATvqxgG59sgBLerGAdL1zAEA6sYBWPXV
ASvqxgE66scBnurGAdL1zQEx6sYBguzAATvqxgFSaWNoOurGAQAAAAAAAAAAUEUAAEwBBABwy2E/
AAAAAAAAAADgAA8BCwEGAADQAAAAQAEAAAAAAIWuAAAAEAAAAOAAAAAAQAAAEAAAABAAAAQAAAAA


Hmm.. so why are a lot of mine being killed matching:


Content-Type: audio/x-wav; name="somefile.exe"


Content-types are _not_ fixed in Swen.. thus none of the above is "always
identical to" at all.



Regards,

Ian
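Added example, not code from either of the two posts above: the three rules Mike's post describes (discard bounces to an inbound-only address, discard the fixed lure text, discard the base64 MZ prefix in the raw source) written as one Python filter, together with a decoded-attachment check that covers the point Ian raises. The inbound-only address `helper@example.invalid`, the bounce heuristic in `looks_like_bounce`, and the sample messages are all constructed for the example; `FAKE_EXE` is not the worm, only a standard DOS/PE "MZ" stub header followed by zero padding, which is enough to reproduce the base64 prefix the post quotes.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Strings quoted in the post (the page's own values).
SWEN_BODY_PHRASE = "the latest version of security update, the"
SWEN_B64_PREFIX = b"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ"

# Hypothetical inbound-only address; the post's real one is removed from the page.
INBOUND_ONLY = {"helper@example.invalid"}

# Constructed stand-in for the worm binary: a standard DOS/PE "MZ" stub header plus padding.
FAKE_EXE = bytes.fromhex(
    "4d5a9000" "03000000" "04000000" "ffff0000"
    "b8000000" "00000000" "40000000" "00000000"
) + b"\x00" * 64


def looks_like_bounce(msg: EmailMessage) -> bool:
    """Heuristic (an assumption, not from the post) for mail that presents itself as a DSN."""
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").lower()
    if msg.get_content_type() == "multipart/report":
        return True
    if "mailer-daemon" in sender or "postmaster" in sender:
        return True
    return any(w in subject for w in ("undeliverable", "delivery failure", "returned mail"))


def classify(raw: bytes) -> Optional[str]:
    """Name the rule that rejects the raw RFC 822 message, or None to accept it."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Rule 1: the inbound-only mailbox never sends, so a bounce addressed to it is forged.
    recipients = (msg.get("To") or "").lower()
    if any(addr in recipients for addr in INBOUND_ONLY) and looks_like_bounce(msg):
        return "bounce-to-inbound-only"

    # Rule 2: the worm's fixed lure text, checked in every decoded text part.
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            if SWEN_BODY_PHRASE in part.get_content().lower():
                return "swen-body-text"

    # Rule 3 as the post states it: the base64 MZ prefix anywhere in the raw source.
    # Content-Type is never consulted, so Ian's audio/x-wav variant is still caught:
    # the attachment is the same bytes whatever label the worm puts on it.
    if SWEN_B64_PREFIX in raw:
        return "base64-mz-header"

    # Rule 3, decoded form: the same executable sent with another transfer encoding
    # (quoted-printable, 8bit) never shows the base64 string, so check the decoded bytes.
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            return "decoded-mz-header"
    return None


def build_sample(attachment_type: str, body: str,
                 attachment: bytes = FAKE_EXE, cte: str = "base64") -> bytes:
    """Constructed message in the shape the post quotes. The attachment label and
    transfer encoding are parameters because, as Ian points out, Swen does not keep them fixed."""
    msg = EmailMessage()
    msg["From"] = "MS Security Center <bulletin@example.invalid>"  # constructed sender
    msg["To"] = "helper@example.invalid"
    msg["Subject"] = "Latest Internet Security Update"
    msg.set_content(body)
    maintype, subtype = attachment_type.split("/", 1)
    msg.add_attachment(attachment, maintype=maintype, subtype=subtype,
                       filename="q434688.exe", cte=cte)
    return msg.as_bytes()


def build_fake_bounce() -> bytes:
    """Constructed forged delivery notice, the second mail the post says each infection sends."""
    msg = EmailMessage()
    msg["From"] = "MAILER-DAEMON@example.invalid"
    msg["To"] = "helper@example.invalid"
    msg["Subject"] = "Undeliverable Mail"
    msg.set_content("Your message could not be delivered. The original message is attached.")
    return msg.as_bytes()


if __name__ == "__main__":
    lure = 'this is the latest version of security update, the\n"November 2003, Cumulative Patch" update'
    samples = [
        ("lure with x-msdownload", build_sample("application/x-msdownload", lure)),
        ("same binary as audio/x-wav", build_sample("audio/x-wav", "please install")),
        ("same binary, quoted-printable", build_sample("audio/x-wav", "please install", cte="quoted-printable")),
        ("forged bounce", build_fake_bounce()),
        ("ordinary mail", build_sample("application/pdf", "see attached", attachment=b"%PDF-1.4 constructed")),
    ]
    for name, raw in samples:
        print(f"{name}: {classify(raw)}")
```

Two things worth knowing before reusing rule 3: the 33-character prefix the post quotes is simply the base64 form of the standard MZ stub that every Windows executable starts with, so the rule rejects any base64-encoded EXE attachment, not just Swen (which is usually what a mail filter wants anyway); and because it is a raw-source match it cares nothing about Content-Type, which is why Ian's audio/x-wav observation does not defeat it, whereas a different Content-Transfer-Encoding would, hence the decoded check at the end.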
 
I'm sorry I'm responding to this so late. But I have to respond to
this responder ((e-mail address removed)),

As you can see from my email address, it's not for real. Like you, I
am trying to ward off spam, and it does a good job of that. But it
does not do anything to ward off viruses.

Second, if someone was using Outlook or Outlook Express and was sent
the swen virus, just opening the email, not necessarily the
attachment, could have executed the virus. Just a little Microsoft
problem that's not true with all viruses but has been known to happen.
(It happened to me.) Microsoft has a patch for that, but it's
understandable if you're wary of their patches.

The swen virus automatically disables antivirus software. So if
someone doesn't detect a virus, it isn't necessarily because they did
something wrong.

Beth.
 
Quoth the raven named Elizabeth:
I'm sorry I'm responding to this so late. But I have to respond to
this responder ((e-mail address removed)),

Ok. I suppose that's me.
As you can see from my email address, it's not for real. Like you,
I am trying to ward off spam, and it does a good job of that. But
it does not do anything to ward off viruses.

In the case of Swen, munging your address will help prevent infected
users harvesting from the newsgroups and sending you more. Some have
complained of receiving hundreds of Swen per day. I've gotten none.

No, it will not stop you from executing the attachment. Only common
sense and training can do that.
Second, if someone was using Outlook or Outlook Express and was
sent the swen virus, just opening the email, not necessarily the
attachment, could have executed the virus. Just a little Microsoft
problem that's not true with all viruses but has been known to
happen. (It happened to me.) Microsoft has a patch for that, but
it's understandable if you're wary of their patches.

No matter what software you use, practice safe hex, eh?
The swen virus automatically disables antivirus software. So if
someone doesn't detect a virus, it isn't necessarily because they
did something wrong.

If they executed an unsolicited attachment in an email, they did
something wrong.
 
I have now updated my PC-Cillin 2002 to 2004 and the Swen-infected
attachments are being deleted at about 30/day. The main problem now is
emptying my mailbox often enough to prevent legit email from bouncing.
That just became a bit harder because my email server is "undergoing
maintenance", which I suspect means they have been swamped by the
virus flood. This is my first attempt at "munging" my email address,
so I don't know if I have done it correctly.

I have now got IE6 & OE6 working again, somehow my ISP address had
been changed to the Norton Antivirus address, though only the
Microsoft products were affected, I could still connect correctly with
Netscape and FreeAgent.

Mike
 
Quoth the raven named (e-mail address removed):
This is my first attempt at "munging" my email address,
so I don't know if I have done it correctly.

Some have said harvesters are getting smarter, and can remove common
words such as your DELETETHIS or REMOVE or NOSPAM etc. It would
probably be better if you changed it to (e-mail address removed)
 
Use something like mailwasher and it won't matter what mail client you use
as far as getting a virus (common sense on the part of the user assumed) and
getting bombed with attachments at least becomes manageable.
Dave Cohen
 
Quoth the raven named Elizabeth:

If they executed an unsolicited attachment in an email, they did
something wrong.

That's right. I was thinking of my own case. I used Outlook. I knew
better than to open the attachment. I didn't realize that Outlook
would execute it if I just opened the email. Microsoft had a patch for
that; I didn't know that, either.

Beth
 
Oh, I hope you're wrong!

I had heard that email addresses are harvested by a nonhuman so would
grab an email address with "deletethis" only to have it bounce. No?

Beth
 
Oh, I hope you're wrong!

I had heard that email addresses are harvested by a nonhuman so would grab
an email address with "deletethis" only to have it bounce. No?

Beth


I downloaded one of these newsgroup mail addy harvesters a while ago but
haven't had a chance to examine it yet. My _only_ reason for downloading
this was for the very same curiosity as yourself.. just how far have these
harvesters come and how "smart" are they? With regards to your question
above, imagine this very simple example:


my @cleaned_addys;
foreach (@harvested_addys) {
    # strip any of the four demo munging tokens, wherever it sits in the address
    s/(deletethis|nospam|remove|munged)//gi;
    push(@cleaned_addys, $_);
}


That'd strip one of the 4 demo munging strings from an array of addresses
and store the stripped address into a 'cleaned_addys' array ready to pipe
through sendmail.

I use a Perl example here as it's a "quick hack demo" but it really is
that simple. Whether the final resulting address after being "cleaned" is
valid is another story.. but if I can do the above in 2 seconds while
posting this msg... I'm sure spammers that spend their lives trying to
evade anti-spam filters can come up with the same and better / more
complex.



Regards,

Ian
 