Apply these internet update

i still get that crap its annoying as hell!!!

The 'swen' worm and its effects, particularly on

users with uninfected machines



The flood of e-mail ('swen-mail') is being generated by the 'swen' worm.
Locally, there is not much you can do to stop the flood. Below you will
find a discussion of the effects of the 'swen' worm and ways you can handle
the flood you are getting, even though your machine may not be infected, and
may be well protected.



Only your ISP can stop the flood of 'swen' generated e-mail; by scanning all
e-mail for virus infection.



Until your ISP or e-mail service begins to scan all e-mail for virus
infection, you can use a filter and a program that allows partial
downloading of e-mail messages (Veronica Loell posts information about
these filters quite often; the information is also available at
http://nakawe.sf.net/MMM3.)






Symantec, the publisher of Norton AntiVirus, has a description of the
worm, how to remove it, and removal tools at
. Other
publishers of antivirus programs have similar webpages. Note well, removing
this worm after your system has been infected is not a simple task.





The 'swen' worm can harvest e-mail addresses from newsgroup postings, so it
is very important to disguise your e-mail identity when posting to Usenet
newsgroups (like microsoft.public.security.virus and tens of thousands of
other active newsgroups .)

"The worm also can search for e-mail addresses in various newsgroups. It
connects to NNTP servers listed in the SWEN1.DAT file, gets a list of all
newsgroups on that server and searches recent messages in these newsgroups
for 'nfrom:' and 'nreply-to:' tags. When such tags are found, the worm gets
e-mail addressed after them and writes them to the GERMS0.DBV file. This way
the worm can harvest a lot of e-mail addresses to send itself to. (From
F-secure, http://www.f-secure.com/v-descs/swen.shtml )

You can find out how at

http://www.mailmsg.com/SPAM_munging.htm .

This worm has two main effects, and some secondary effects




I. Main effects

A. It infects vulnerable systems and networks.

B. It generates a FLOOD of infected e-mail that is sent to e-mail
addresses it harvests from infected machine and networks. These infected
e-mails are of two types

1. An HTML message that looks like a legitimate Microsoft Security
Bulletin; the hotlinks in this message are valid Microsoft links, and will
even lead you to a description that will allow you to identify this e-mail
as bogus. The message has an attached 104 KByte file that contains the
worm. If you don't have all appropriate Microsoft security patches and
Service Packs installed, it may be possible for your system to be infected
EVEN IF YOU DON'T OPEN THE MESSAGE. So far, the body of this message is
always the same, though the Subject and From lines differ widely. This
message, so far, can be easily be blocked by detecting the string 'Run
attached file' in the body ( in fact, it would be a good practice to
consider ANY e-mail that contains this string AND has an attachment to very,
very likely to carry an infection.

2. A plain text message that purports to be a notification of an
'Undeliverable e-mail', with an attachment that purports to be a copy of the
undeliverable e-mail. This attached file is 104 KBytes long and contains the
worm. The Subject line, From line, and body present in thousands of
combinations, and probably will continue to mutate. Even worse, real e-mail
addresses harvested from infected systems and networks, and from Usenet
newsgroup posts are tagged onto this type of message, causing one of the
secondary effects.

II. Secondary effects
A. Spam effect
1. Mailboxes with an e-mail address that has been harvested from
infected systems, networks and Usenet newsgroup postings begin to be flood
with infected e-mail.
[Personal example: my machines are not infected, but this worm began to
flood my mailbox 17SEP03. I now receive more than 1500 infected e-mail
messages per day. I must empty my mailbox every 5 minutes, 24/7 to avoid
the possibility of having legitimate e-mail bounced. I had to install an
application just to segregate the cleaned, previously infected e-mail
from legitimate e-mail (standard spam blockers can't do this.) There are
filters and programs that can identify this 'swen-mail' and that require
downloading only a portion of an e-mail message to allow discarding or
keeping it based on whether it is

'swen-mail' or not. However, you still must arrange to do this operation
often enough to keep your mailbox from overflowing past the general 10 MByte
limit and bouncing subsequent e-mail. About 80 'swen-mail' messages take up
10 MBytes of storage. If you get 500 'swen-mail messages per day, that
means checking and clearing your mailbox at least every four hours, 24/7, to
insure that no valid e-mail messages are bounced.
B. Notifications from mail services that DO scan for infected
messages, but unfortunately do not realize that the e-mail addresses given
for the sender are either bogus or e-mail addresses harvested by the worm.
Thus, completely innocent mailboxes have insult added to injury.

****

What can you do locally as an individual (i.e. in a SmallOfficeHomeOffice
environment, and /or as a recreational user)?
#1. You can use a remote virus scan from one of the antivirus program
publishers
THEN
#2. You can remove any infections discovered
THEN
#3. You install a good antivirus program, keep it active, keep the virus
definitions up-to-date (at the moment you should update these definitions
EVERY day), and set to scan all incoming e-mails and downloads.
THEN
#4. You can install all appropriate Microsoft security patches and Service
Packs.
THEN
#5. You can consider additional security (DCHP server, firewall, boric acid
[for roaches], .....

If you begin to be flooded with these infected messages, COMPLAIN to your
ISP; send them this URL
http://xtra.co.nz/products/0,,8969,00.html of an ISP that scans incoming
e-mail before passing it to a mailbox. Ask for an increased mailbox size
(if you are getting 1500 of these infected e-mails per day, you will need a
mailbox size over 150 MBytes just to avoid the necessity of completely
emptying it EVERY DAY. Ask about the implicit duty of the ISP to provide
reliable e-mail service, and if they have received notification of any
pending class actions you might join. Ask if they will unbundle their
services so you can opt out of e-mail service and save that cost. That's
about
all you can do about the e-mail flood; only your ISP or other e-mail
provider can come close to solving this problem.

When the e-mail flood becomes too painful, find an ISP or other e-mail
provider that DOES scan and discard infected e-mail before passing it to
your mailbox, and then change to that ISP and/or e-mail provider. Changing
your e-mail address is no solution; as soon as your new e-mail address is
harvested from an infected system or network, the problem starts again.



In the meantime you can use a filter and a program that allows partial
downloading of e-mail messages (Veronica Loell posts information about
these filters quite often; the information is also available at
http://nakawe.sf.net/MMM3 .)

When a mailserver is scanning and not just deleting infected e-mail, but is
also sending an e-mail to notify the sender, write the administrator a nasty
note asking them to stop sending these notices.

****
That's about it; you can proof your system against infection, but only
changes at the mailserver level can stop reception of a flood of infected
e-mails and increasing numbers of inappropriate notices that you've sent
infected e-mail from arriving in your mailbox.

Phil Weldon


--
Phil Weldon, pweldonatmindjumpdotcom
For communication,
replace "at" with the 'at sign'
replace "mindjump" with "mindspring."
replace "dot" with "."

"U N Me" wrote in message
...
Pug Fugley wrote:

That's the good thing about Earthlink, they don't let them through. Yout
can't expect much from Hotmail.

I wanted to check and see if anyone in this newsgroup was still getting
these
phony security messages. It appears so,

Regarding Earthlink, they are brain dead on this matter. I expected them
to
take some action on this but if they have, they must still be in the
discussion and planning stages or else have bypassed my account.

Phil Weldon wrote:

The 'swen' worm and its effects, particularly on

users with uninfected machines

The flood of e-mail ('swen-mail') is being generated by the 'swen' worm.
Locally, there is not much you can do to stop the flood. Below you will
find a discussion of the effects of the 'swen' worm and ways you can handle
the flood you are getting, even though your machine may not be infected, and
may be well protected.

Only your ISP can stop the flood of 'swen' generated e-mail; by scanning all
e-mail for virus infection.

That's true. For myself, I set up a new account, contacted everybody, and use
that for my e-mail. Every so often I go and check the status of my old e-mail
address...messages stuffed.

I have a VB OCX for e-mail. I might write a database program for dialup where I
can enter subject lines to be deleted if on the ISP server. Then run the
program in the background, maybe set a timer interval of every 10 minutes to
query the ISP server and check all unread messages against the delete list. If
found, automatically delete the emssage. Unless the ISP's start acting on it,
this may be the way to go.

"U N Me" wrote
Pug Fugley wrote:

That's the good thing about Earthlink, they don't
let them through. Yout can't expect much from Hotmail.

I wanted to check and see if anyone in this newsgroup
was still getting these phony security messages. It appears so,
Regarding Earthlink, they are brain dead on this matter.
I expected them to take some action on this but if they have,
they must still be in the discussion and planning stages or
else have bypassed my account.

Regarding Earthlink, I'm pretty disgusted with their lack of action on this
.... but I have found a somewhat reliable solution. Before using Outlook
Express to download my mail to my computer, I log into Earthlink's webmail
and delete everything I *know* to be bad there [you can tell from the
headers, which don't seem to change much.]. Then I switch over to Outlook
Express and allow the real mail to download. This saves a ton of time
because my McAfee virus software grinds its little heart out over every
virus-laden piece o' ****e that is actually downloaded, and that can take
hours.
Jerri

"Jerri" wrote in message
ink.net...
"U N Me" wrote
Pug Fugley wrote:

That's the good thing about Earthlink, they don't
let them through. Yout can't expect much from Hotmail.

I wanted to check and see if anyone in this newsgroup
was still getting these phony security messages. It appears so,
Regarding Earthlink, they are brain dead on this matter.
I expected them to take some action on this but if they have,
they must still be in the discussion and planning stages or
else have bypassed my account.

Regarding Earthlink, I'm pretty disgusted with their lack of action on
this
... but I have found a somewhat reliable solution. Before using Outlook
Express to download my mail to my computer, I log into Earthlink's webmail
and delete everything I *know* to be bad there [you can tell from the
headers, which don't seem to change much.]. Then I switch over to Outlook
Express and allow the real mail to download. This saves a ton of time
because my McAfee virus software grinds its little heart out over every
virus-laden piece o' ****e that is actually downloaded, and that can take
hours.
Jerri


You could also create a "Message Rule" for your "Mail" account to "delete
from the server" any message over 100K in size. All these virus laden
"updates" are over that size. That will save you from logging on to
Earthlink's Web Mail unless you want to. Drop the size to 25K and you can
eliminate some of the more extravagant Spam. Once you do this your McAfee
can go back to sleep ;-)

Frank Hagan

Jerri wrote:

"U N Me" wrote
Pug Fugley wrote:

That's the good thing about Earthlink, they don't
let them through. Yout can't expect much from Hotmail.

I wanted to check and see if anyone in this newsgroup
was still getting these phony security messages. It appears so,
Regarding Earthlink, they are brain dead on this matter.
I expected them to take some action on this but if they have,
they must still be in the discussion and planning stages or
else have bypassed my account.

Regarding Earthlink, I'm pretty disgusted with their lack of action on this
... but I have found a somewhat reliable solution. Before using Outlook
Express to download my mail to my computer, I log into Earthlink's webmail
and delete everything I *know* to be bad there [you can tell from the
headers, which don't seem to change much.]. Then I switch over to Outlook
Express and allow the real mail to download. This saves a ton of time
because my McAfee virus software grinds its little heart out over every
virus-laden piece o' ****e that is actually downloaded, and that can take
hours.
Jerri

I had been getting a lot of that type of e-mail and started using WebMail. I
set the Spaminator to it's highest setting. This blocks every e-mail that
doesn't have match an address in the on-line address book. When I started using
it, I was getting a couple of hundred e-mails a day. It has since dropped off
but I'm sticking with Webmail for a while, just in case. Another benefit of
using Webmail, I've been getting a lot of foreign e-mails with funny
characters. With Webmail, I've been able to block most of them by using thier
`block sender' option.

One problem I'm still having is quite a few `returned' e-mails that I never
sent. So far I've not had much luck blocking them, but I'm not getting many of
them now.


--
"And that the said Constitution be never construed...to prevent
the people of the United States who are peaceable citizens from
keeping their own arms"
Samuel Adams February 6, 1788

"Frank Hagan" wrote
"Jerri" wrote
"U N Me" wrote
Pug Fugley wrote:

That's the good thing about Earthlink, they don't
let them through. Yout can't expect much from Hotmail.

I wanted to check and see if anyone in this newsgroup
was still getting these phony security messages. It appears so,
Regarding Earthlink, they are brain dead on this matter.
I expected them to take some action on this but if they have,
they must still be in the discussion and planning stages or
else have bypassed my account.

Regarding Earthlink, I'm pretty disgusted with their lack
of action on this ... but I have found a somewhat reliable
solution. Before using Outlook Express to download my
mail to my computer, I log into Earthlink's webmail
and delete everything I *know* to be bad there [you can
tell from the headers, which don't seem to change much.].
Then I switch over to Outlook Express and allow the real
mail to download. This saves a ton of time because my
McAfee virus software grinds its little heart out over every
virus-laden piece o' ****e that is actually downloaded, and
that can take hours.

You could also create a "Message Rule" for your "Mail"
account to "delete from the server" any message over
100K in size. All these virus laden "updates" are over
that size. That will save you from logging on to Earthlink's
Web Mail unless you want to. Drop the size to 25K and
you can eliminate some of the more extravagant Spam.
Once you do this your McAfee can go back to sleep ;-)

I *wish* McAfee would go to sleep .... never mind, never mind ... I have a
history with my McAfee software. Anywho, it seems that McAfee de-viruses
anything that downloads, even if it's only going to move it to the "delete"
folder ... no doubt because it's not automatically deleted and I can go
ahead and open it and infect my computer while it's in the delete folder. I
have a lot of the common subject headings set to for deletion, and they are
cleaned, bright and shiny, before McAfee lets them into my in delete folder.
I think I'm stuck with the webmail scheme ... which does me no good at all,
if the webmail function is not working which it wasn't when I was out of
town ... and we don't want to get into that at all, because Earthlink's
"support" person told me it was my cookies. No. It was acting up on two
completely separate computers in two completely separate states all week
long ... now it seems to be working. It's been an interesting week. Not a
fun week.
Jerri

"Jerri" wrote in message
ink.net...
"Frank Hagan" wrote
"Jerri" wrote
"U N Me" wrote
Pug Fugley wrote:

That's the good thing about Earthlink, they don't
let them through. Yout can't expect much from Hotmail.

I wanted to check and see if anyone in this newsgroup
was still getting these phony security messages. It appears so,
Regarding Earthlink, they are brain dead on this matter.
I expected them to take some action on this but if they have,
they must still be in the discussion and planning stages or
else have bypassed my account.

Regarding Earthlink, I'm pretty disgusted with their lack
of action on this ... but I have found a somewhat reliable
solution. Before using Outlook Express to download my
mail to my computer, I log into Earthlink's webmail
and delete everything I *know* to be bad there [you can
tell from the headers, which don't seem to change much.].
Then I switch over to Outlook Express and allow the real
mail to download. This saves a ton of time because my
McAfee virus software grinds its little heart out over every
virus-laden piece o' ****e that is actually downloaded, and
that can take hours.

You could also create a "Message Rule" for your "Mail"
account to "delete from the server" any message over
100K in size. All these virus laden "updates" are over
that size. That will save you from logging on to Earthlink's
Web Mail unless you want to. Drop the size to 25K and
you can eliminate some of the more extravagant Spam.
Once you do this your McAfee can go back to sleep ;-)

I *wish* McAfee would go to sleep .... never mind, never mind ... I have a
history with my McAfee software. Anywho, it seems that McAfee de-viruses
anything that downloads, even if it's only going to move it to the
"delete"
folder ... no doubt because it's not automatically deleted and I can go
ahead and open it and infect my computer while it's in the delete folder.
I
have a lot of the common subject headings set to for deletion, and they
are
cleaned, bright and shiny, before McAfee lets them into my in delete
folder.
I think I'm stuck with the webmail scheme ... which does me no good at
all,
if the webmail function is not working which it wasn't when I was out of
town ... and we don't want to get into that at all, because Earthlink's
"support" person told me it was my cookies. No. It was acting up on two
completely separate computers in two completely separate states all week
long ... now it seems to be working. It's been an interesting week. Not a
fun week.
Jerri



Use "delete from server" !! The messages never download. It is a great
option.

Frank Hagan

P.S. I use Norton System Works 2003

"Frank Hagan" wrote

Use "delete from server" !! The messages never
download. It is a great option.

Uh ... I don't seem to have that option available. I can "delete" but I
can't "delete from server". It is a tough row I hoe. I weep for me, but I'll
get over it.
Jerri

"Jerri" wrote in message
ink.net...
"Frank Hagan" wrote

Use "delete from server" !! The messages never
download. It is a great option.

Uh ... I don't seem to have that option available. I can "delete" but I
can't "delete from server". It is a tough row I hoe. I weep for me, but
I'll
get over it.
Jerri


I'm using I.E.6, might need to upgrade?

Frank Hagan