Swen VIRUS -> Check this patch

Thread starter: Don Taylor
If this was email then the attachment is a virus.

No, it was a newsgroup posting AND the attachment is Swen virus.

I see several of these newsgroup Swen postings every day, some with
Swen attached and some have had it cut off by a filter but the same
pitch to use it remains. About half target the ie5 newsgroup,
probably because if you don't have the update to fix the bug that
allows infection without even opening the mail then you can't get it
anymore from Microsoft and you are a target. (what was MS thinking?!)

Here are the headers to prove it.
(below that I have some Swen statistics)

From: "Fam. Geers" <[email protected]>
Newsgroups: microsoft.public.win2000.termserv.apps,microsoft.public.win2000.termserv.clients,microsoft.public.win2000.windows_update,microsoft.public.win32.programmer.messaging,microsoft.public.windows.inetexplorer.ie5.gen.discussion
Subject: Check this patch
Mime-Version: 1.0
C o n t e n t - T y p e : m u l t i p a r t / m i x e d ; b o u n d a r y = " y n r x c q g n p q y k t "
NNTP-Posting-Host: tanya.215.conceptsfa.nl
Message-ID: <[email protected]>
Date: 16 Nov 2003 11:41:07 +0100
X-Trace: newsreader.concepts.nl 1068979267 213.197.4.215 (16 Nov 2003 11:41:07 +0100)
Lines: 2184
Path: corp-news!propagator3-maxim!feed-maxim.newsfeeds.com!pd7cy2so!pd7cy1no!shaw.ca!peer02.cox.net!cox.net!aotearoa.belnet.be!news.belnet.be!newsfeed.wxs.nl!news-x2.support.nl!newshub1.home.nl!home.nl!newsfeeder.concepts.nl!newsreader.concepts.nl!not-for-mail
Xref: 127.0.0.1 microsoft.public.win2000.termserv.apps:1481 microsoft.public.win2000.termserv.clients:1965 microsoft.public.win2000.windows_update:2107 microsoft.public.win32.programmer.messaging:758 microsoft.public.windows.inetexplorer.ie5.gen.discussion:670

And the (mangled) binary of the virus

- - y n r x c q g n p q y k t
C o n t e n t - T y p e : a p p l i c a t i o n / x - m s d o w n l o a d ; n a m e = " U p d a t e 4 4 . e x e "
C o n t e n t - T r a n s f e r - E n c o d i n g : b a s e 6 4
C o n t e n t - D i s p o s i t i o n : a t t a c h m e n t

T V q Q A A M A A A A E A A A A / / 8 A A L g A A A A A A A A A Q A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A
<snip>

Here are my top Swen spewing hosts on the net, and how many they sent me.

libertysurf.net 288
so-net.ne.jp 304
bigpond.com 309
singnet.com.sg 326
online.no 347
inet.fi 362
wanadoo.fr 427
dion.ne.jp 456
btinternet.com 500 + blueyonder.co.uk 131 + other BT domains
dublin.eircom.net 571
tiscali.it 790
tin.it 851
hetnet.nl 867

Those are just the biggest offenders on the net today, all of whom appear
to be actively doing nothing to stop spewing Swen to the planet.
(the time limit for "gosh, we were surprised by this" ran out weeks ago)

Total Swen email received and reported in the last month: 15829
Receiving and reporting somewhat under 1000 swen every day lately.

If you look at that list it is obvious that wiping out some of the
european internet would go a long way towards stopping the ongoing
spread of Swen in the world, not to mention fraud and spam.

Fortunately, 80% of the 1332 hosts who have sent me Swen quickly
responded, tracked their infections down, put a stop to this and
never spewed more than half a dozen or so. And then we have the
few dozen problem children of the net spewing hundreds of millions
of these a day, infecting everyone they can find and doing nothing
about it, refusing to accept complaints in some of the cases,
ignoring them in all the rest.

There used to be something called a UDP (Usenet Death Penalty).
If a host was causing enough of a problem and just refused to do
anything about it then they were issued a UDP. Their name simply
disappeared from the routing tables on the net. And in a few hours
it was as if they just ceased to exist, they could not get anyone
to recognize messages from them and they became their own little
local area net (well, actually sometimes they couldn't even talk
to themselves because they use the same tables). A few years ago
uunet in the UK had this done because they refused to stop a flood
of spam that was burying the world and they didn't want to fix it.
Within a couple of days of ceasing to exist they decided that maybe
they would change their mind and did think they should fix this.

Maybe it is (past) time to issue UDPs to the Swen spewers.

Help stop Swen.
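As an added example (not code from the thread, nor from any project it mentions), the following Python does over a message like the one quoted above what the poster describes doing by hand: walk the MIME parts, flag an attachment as a Windows executable by its content type, its filename and the `MZ` signature of its decoded bytes, pull out `NNTP-Posting-Host`, and tally hits per posting domain in the way the per-ISP statistics above are tallied. The two sample messages are constructed: the addresses are placeholders, the boundary and the `Update44.exe` filename are those from the quoted headers, and the base64 body is the one header line quoted in the post followed by zero padding, so it decodes to a harmless stub, not to the worm. Reducing the posting host to its last two labels is an assumption of this example, not the poster's method.

```python
"""Scan a Usenet/e-mail message for Swen-style executable attachments and
tally hits by posting domain.  Added example, not code from the thread."""
import email
from collections import Counter
from email import policy
from email.message import EmailMessage

# Constructed sample modelled on the headers quoted in the thread.  Address is
# a placeholder; the base64 body is the MZ-header line quoted in the post plus
# zero padding, so it decodes to a harmless stub, not to the worm.
SAMPLE_POST = b"""From: "Fam. Geers" <someone@example.invalid>
Newsgroups: microsoft.public.win2000.windows_update,microsoft.public.windows.inetexplorer.ie5.gen.discussion
Subject: Check this patch
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="ynrxcqgnpqykt"
NNTP-Posting-Host: tanya.215.conceptsfa.nl
Date: 16 Nov 2003 11:41:07 +0100

--ynrxcqgnpqykt
Content-Type: text/plain; charset="iso-8859-1"

Microsoft has released a patch.  Install it now.

--ynrxcqgnpqykt
Content-Type: application/x-msdownload; name="Update44.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

--ynrxcqgnpqykt--
"""

# Constructed benign follow-up with no attachment, for the negative case.
CLEAN_POST = b"""From: Some Reader <reader@example.invalid>
Newsgroups: microsoft.public.windows.inetexplorer.ie5.gen.discussion
Subject: Re: Check this patch
NNTP-Posting-Host: host.example.invalid
Content-Type: text/plain; charset="us-ascii"

That attachment is a worm, not a patch from Microsoft.
"""

EXEC_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/octet-stream",
}
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def suspicious_attachments(msg: EmailMessage) -> list:
    """Return one record per MIME leaf part that looks like a Windows executable."""
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""          # falls back to Content-Type name=
        payload = part.get_payload(decode=True) or b""  # base64/QP decoded bytes
        reasons = []
        if ctype in EXEC_CONTENT_TYPES:
            reasons.append(f"content type {ctype}")
        if name.lower().endswith(EXEC_EXTENSIONS):
            reasons.append(f"filename {name}")
        # Content-Type and filename are sender-controlled; the decoded bytes are
        # the stronger signal.  Every DOS/PE executable starts with "MZ".
        if payload[:2] == b"MZ":
            reasons.append("payload starts with MZ header")
        if reasons:
            findings.append({"filename": name, "content_type": ctype,
                             "size": len(payload), "reasons": reasons})
    return findings


def posting_domain(msg: EmailMessage) -> str:
    """Reduce NNTP-Posting-Host to its last two labels (assumed stand-in for the
    ISP domain; a real tally would use a public-suffix list)."""
    host = (msg.get("NNTP-Posting-Host") or "").strip().lower()
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def scan(raw: bytes) -> dict:
    """Parse one raw message and report host, domain and executable attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        "subject": msg.get("Subject", ""),
        "posting_host": msg.get("NNTP-Posting-Host", ""),
        "domain": posting_domain(msg),
        "attachments": suspicious_attachments(msg),
    }


def tally_by_domain(raw_messages) -> Counter:
    """Count messages carrying an executable attachment per posting domain."""
    counts = Counter()
    for raw in raw_messages:
        result = scan(raw)
        if result["attachments"]:
            counts[result["domain"]] += 1
    return counts


if __name__ == "__main__":
    for record in scan(SAMPLE_POST)["attachments"]:
        print(record)
    print(tally_by_domain([SAMPLE_POST, SAMPLE_POST, CLEAN_POST]))
```

Feeding the real articles from a spool or mailbox through `tally_by_domain` reproduces the kind of per-ISP list the poster gives; the `MZ` check is there because a worm can name its attachment anything and lie in `Content-Type`, but cannot change the first two bytes of a PE file.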
 
Amen. I get a couple hundred of these @#$#! Swen e-mails a day,
most days. I can't delete them fast enough.

Tom Delany
 