SWEN Attack Slows Down

Vik Rubenfeld

It looks like SWEN is getting stopped, at least on my ISP - I only got
24 yesterday, down from 100 a day previously.
 
Veronica Loell

Vik Rubenfeld wrote / skrev:
It looks like SWEN is getting stopped, at least on my ISP - I only got
24 yesterday, down from 100 a day previously.

Could be that the infected computers that were sending you the emails
got cleaned? I have been writing letters to the ISPs of the originating
IP addresses of some of the Swen mail I have gotten, and so far I have
received 3 direct replies that they have informed their client that
he/she has an infected computer. That is at least 3 fewer computers
sending the stuff, maybe not that much but it's a start...

- Veronica Loell
 
GSV Three Minds in a Can

from the wonderful person said:
Vik Rubenfeld wrote / skrev:


Could be that the infected computers that were sending you the emails
got cleaned? I have been writing letters to the ISPs of the
originating IP addresses of some of the Swen mail I have gotten, and so
far I have received 3 direct replies that they have informed their
client that he/she has an infected computer. That is at least 3 fewer
computers sending the stuff, maybe not that much but it's a start...

You're about 100 behind me. 8>. .. although since I now bounce most at
the ISP's server, they don't get reported (plus SPAMCOP has gone all
tacky about using their service to report SWEN, GIBE, etc.).
 
John Coutts

Could be that the infected computers that were sending you the emails
got cleaned? I have been writing letters to the ISPs of the originating
IP addresses of some of the Swen mail I have gotten, and so far I have
received 3 direct replies that they have informed their client that
he/she has an infected computer. That is at least 3 fewer computers
sending the stuff, maybe not that much but it's a start...

- Veronica Loell
******************* REPLY SEPARATOR *******************
There seems to be at least 2 different scenarios at work with this virus. I
originally was getting over 500 a day, and every one I checked was from a
different IP address, with the first 10 or so originating from Amsterdam.

Actually they came in pairs, with no 2 pairs originating from the same IP, and
virtually all of them routed through legitimate mail servers. Of all the
members of our domain, I was the only one to receive the Swen virus in such
quantity, and I suspect that a distribution list is provided with each
infection that is only used once. After that, the virus searches the hard disk
for addresses and uses those. I believe those address lists to be swen0.dat &
swen1.dat, but I have not been able to get my hands on either one, nor have I
been able to determine where they were recovered from. There are no such lists
included in the initial load file itself, but it does reference both. Because
of that, I believe that every pair I receive is a new infection (I have lost
count now, but it is somewhere around 6000).

J.A. Coutts
Systems Engineer
MantaNet/TravPro
 
Veronica Loell

Yeah, I have been receiving pairs as well. The worm, as far as I
understand, creates these files after scanning the computer.
(From Symantec's writeup:)
# Searches the .html, .asp, .eml, .dbx, .wab, and .mbx files on the hard
disk for email addresses.

# Creates the file, %Windir%\Germs0.dbv, where it stores the email
addresses it has found.

# Creates the file, %Windir%\Swen1.dat, where it stores a list of remote
news and mail servers.
--------

I don't think there are any distribution files included; rather, people
posting to newsgroups, and hence having a high visibility of their
address, will get more stuff because there will be a higher number of
people whose computers are infected.

F-Secure writes that the worm actually sends NNTP requests to get
email addresses; Symantec does not mention that.

- Veronica Loell
 
Veronica Loell

GSV Three Minds in a Can wrote / skrev:
You're about 100 behind me. 8>. .. although since I now bounce most at
the ISP's server, they don't get reported (plus SPAMCOP has gone all
tacky about using their service to report SWEN, GIBE, etc.).

Well, I have sent out maybe 60 or so and gotten automated replies from
most. As for SpamCop, you can still use their service to look up the
address, but use SamSpade instead; pasting my email header log into the
mail header parser is just excellent, then just click on the first one,
magic-whois and there you are. Only problem with SamSpade is that when
there's a referral to RIPE or LACNIC it doesn't automatically do a whois
on those servers, though of course it only takes a few seconds to do it manually.

- Veronica
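The SamSpade workflow described above comes down to picking the originating address out of a message's Received: chain. As an added example (not code from the thread or from SamSpade), this Python does that step on a constructed message: it walks the hops from earliest to newest and skips loopback and private addresses, which only describe the sender's own LAN and are useless in an abuse report.

```python
import email
import ipaddress
import re
from email import policy
from typing import List, Optional

# Constructed sample: three Received: hops, newest first, as MTAs write them;
# the earliest hop is the sending PC relaying from its own loopback.
SAMPLE_MESSAGE = b"""\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Sat, 4 Oct 2003 10:00:00 +0000
Received: from pc-home (pc-home [198.51.100.77])
\tby mx.example.net with SMTP; Sat, 4 Oct 2003 09:59:55 +0000
Received: from localhost (localhost [127.0.0.1])
\tby pc-home with SMTP; Sat, 4 Oct 2003 09:59:50 +0000
From: someone@example.com
Subject: constructed sample
"""

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Ranges that never identify a remote sender. Documentation ranges are left
# out on purpose so the constructed sample addresses count as public.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def received_ips(raw: bytes) -> List[str]:
    """Bracketed IPv4 address from each Received: 'from' clause, newest first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ips = []
    for hdr in msg.get_all("Received", []):
        # Only the 'from ...' clause; text after 'by' names the receiving host.
        from_clause = re.split(r"\bby\b", str(hdr), maxsplit=1)[0]
        match = IPV4_RE.search(from_clause)
        if match:
            ips.append(match.group(1))
    return ips

def is_internal(ip: str) -> bool:
    """True for loopback, link-local and RFC 1918 addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_PUBLIC)

def originating_ip(raw: bytes) -> Optional[str]:
    """Earliest hop with a public address: the host whose ISP gets the report."""
    for ip in reversed(received_ips(raw)):
        if not is_internal(ip):
            return ip
    return None
```

Received: headers are written by each relay and only the ones added by hosts you trust are reliable, so the result names where the message entered the trusted path, not a proven sender.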
 
Jason Wade

GSV Three Minds in a Can wrote / skrev:

Well, I have sent out maybe 60 or so and gotten automated replies from
most. As for SpamCop, you can still use their service to look up the
address, but use SamSpade instead; pasting my email header log into the
mail header parser is just excellent, then just click on the first one,
magic-whois and there you are. Only problem with SamSpade is that when
there's a referral to RIPE or LACNIC it doesn't automatically do a whois
on those servers, though of course it only takes a few seconds to do it manually.

- Veronica

I've sent over 400 Swen infection notices, and I'm still getting
Swen, but a lot fewer now. Evidently ISPs are getting more clued-in
to Swen.

A couple of days ago, I got a human response saying that the
infected machine was found, and the user's account was
disabled until the user cleans up the machine.

"Wow!" I thought; but then I wondered, how does he/she get
the Swen cleaning software from the AV company web sites?
 
Veronica Loell

Jason Wade wrote / skrev:
I've sent over 400 Swen infection notices, and I'm still getting
Swen, but a lot fewer now. Evidently ISPs are getting more clued-in
to Swen.

A couple of days ago, I got a human response saying that the
infected machine was found, and the user's account was
disabled until the user cleans up the machine.

"Wow!" I thought; but then I wondered, how does he/she get
the Swen cleaning software from the AV company web sites?

Maybe the ISP sends him a disc? Otherwise hopefully someone he/she knows
can do that. The real replies that I got said that they had informed the
person in question which I think is a much better way to go about it.

A good ISP would care about its customers' welfare; after all, the
customer is the one that pays the bills, but not everyone might think
about that.

I take a breather for a couple of days before sending out more notices; that
way the ISPs will have a chance to contact their clients and people
will have a chance to clean up their machines.

- Veronica Loell
 
Bart Bailey

In Message-ID:<[email protected]> posted on Sat, 04 Oct 2003
A good ISP would care about its customers' welfare; after all, the
customer is the one that pays the bills, but not everyone might think
about that.

I doubt the Dorks of Dallas (SBC) even realize that critical aspect of
corporate finance.
I take a breather for a couple of days before sending out more notices; that
way the ISPs will have a chance to contact their clients and people
will have a chance to clean up their machines.

I got two notices on Wednesday and today's was the last straw, with SBC
that is, and their nastygram accusing me (win95b) of being infected with
blaster. I called their service dept and told them that there was no way
I could be infected with that worm, and every nastygram threatening to
suspend my service only increased my stress and anxiety level, until at
some point I would seek and find a greedy lawyer to convert that stress
into a dollar figure of sufficient magnitude such as to create an
overwhelming necessity to reconfigure their spambot to delete my name.
The tech woman said I was not alone, so I suggested maybe a class action
suit might be appropriate. To her credit she was very professional and
understanding, but because of this, I don't place too much weight on
spambot generated infection notices.

BTW: The SBC nastygram is here:
http://virusfix.sbcglobal.net/
note this line:
---begin---
"Unfortunately, we have reason to believe that your computer has been
infected with a variant of the Blaster worm"
---end---
Like hell they do!
 
Robert LaCasse

I get about 50 a day, my site is not SPEW'd, and is all open to the
104kb Automat.AHB type of virus...really slow DL. I use a Spameater and other
Filters.

Interesting about *KLEZ*@MM types, you get to know who has you in their
address book. like the fuzz or other!

Bob

|>It looks like SWEN is getting stopped, at least on my ISP - I only got
|>24 yesterday, down from 100 a day previously.
 
Jason Wade

---begin---
"Unfortunately, we have reason to believe that your computer has been
infected with a variant of the Blaster worm"
---end---
Like hell they do!

Could you be infected with something else?
 
Gabriele Neukam

On that special day, Veronica Loell, ([email protected]) said...
Only problem with SamSpade is that when
there's a referral to RIPE or LACNIC it doesn't automatically do a whois
on those servers, though of course it only takes a few seconds to do it manually.

If anyone is looking for the proper addresses, they are found here:
http://www.ripe.net/perl/whois
http://lacnic.net/en/index.html

At times it may be even helpful to use the Pacific Whois.
http://www.apnic.net/apnic-bin/whois2.pl
(at least if the abuse went over a Singaporean computer. They do
something about it)

And for those that aren't afraid of a German web site (which has little
text and is quite intuitive),
http://www.iks-jena.de/cgi-bin/whois
provides info for a limited number of queries per IP number (to avoid
address harvesting).


Gabriele Neukam

(e-mail address removed)
 
Bart Bailey

In Message-ID:<[email protected]> posted
Could you be infected with something else?

I "could" infect myself with a vast number of things, having one of the
most targeted OSes in history, but such is not the case, and in the SBC
nastygram they specifically named something that doesn't play here.

Per Symantec:
http://tinyurl.com/jozm
---begin---
Systems Affected: Windows 2000, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 95, Windows
98, Windows Me, Windows NT
---end---
 
GSV Three Minds in a Can

from the said:
No real slowdown. This is incredible: two weeks, already!

I'm seeing one here .. I'm down to a mere 20% of the peak level (which
is still =way= too many though).
 
David Stites

GSV Three Minds in a Can said:
I'm seeing one here .. I'm down to a mere 20% of the peak level (which
is still =way= too many though).

I munged my address a couple of days ago and my mail server logs already
show rejections for the new address. It is slowing down but is still quite
active.

Dave
 
Greg P.

You're about 100 behind me. 8>. .. although since I now bounce most at
the ISP's server, they don't get reported (plus SPAMCOP has gone all
tacky about using their service to report SWEN, GIBE, etc.).

I gave up last week. I temporarily suspended the email account that
was receiving 1000+ per day, and took it out of outlook.

This morning I reinstated it, added that account back to Outlook, and
gave it a whirl. Within a 1/2 hour I still had over 50 SWEN emails, so
I said screw it. Time to shut that email down again.

I sure hope they find the guy who started this thing...and turn him
over to me :-o
 
GSV Three Minds in a Can

from the said:
I gave up last week. I temporarily suspended the email account that
was receiving 1000+ per day, and took it out of outlook.

This morning I reinstated it, added that account back to Outlook, and
gave it a whirl. Within a 1/2 hour I still had over 50 SWEN emails, so
I said screw it. Time to shut that email down again.

I sure hope they find the guy who started this thing...and turn him
over to me :-o

You'll have to get in line .. and there won't be but a grease-spot left
by the time your turn comes. 8>.

I'm still running at 200-300 a day (all bounced at the ISP's server).
Goodness knows how many legitimate emails may have been bounced too .. I
can't even be bothered to read the filter logs (66k bytes, yesterday) to
see.
 
Jan Il

Hi - to ..ahmm...at least one of your minds..sorry....

GSV Three Minds in a Can said:
I'm seeing one here .. I'm down to a mere 20% of the peak level (which
is still =way= too many though).

Please pardon my intrusion, I truly don't mean to just jump in here in the
middle, but, after the last two weeks of also fighting on many fronts to
combat the Swen messages, including some rogue messages that managed to
download in spite of the OE Rules, I have suddenly not had one today.
Nothing...
nada...zippo...not even a rogue message. In fact, I've had to go to
my Hotmail to get a virus sample. Yeah...I've had a few of the normal spam
messages...just the usual...loans, prescriptions, your place or mine,
Viagra, adjustments of body parts, etc., but, not one Swen message of any
kind...? I mean....sheesh.......do I offend???

Jan :)
 
GSV Three Minds in a Can

from the wonderful person said:
Hi - to ..ahmm...at least one of your minds..sorry....



Please pardon my intrusion, I truly don't mean to just jump in here in the
middle, but, after the last two weeks of also fighting on many fronts to
combat the Swen messages, including some rogue messages that managed to
download in spite of the OE Rules, I have suddenly not had one today.
Nothing...
nada...zippo...not even a rogue message. In fact, I've had to go to
my Hotmail to get a virus sample. Yeah...I've had a few of the normal spam
messages...just the usual...loans, prescriptions, your place or mine,
Viagra, adjustments of body parts, etc., but, not one Swen message of any
kind...? I mean....sheesh.......do I offend???

Maybe your ISP is heading them off at the pass? There are still plenty
going around, honest!
 