#1
'Swen-mail' and the elapsed time between a Usenet newsgroup post with a valid e-mail address and the arrival of the first infected message in the mail box

I created a new mailbox and used it to post to microsoft.public.security.virus. Elapsed time to the first 'swen-mail': 2 hours 2 minutes.

-- Fade Away,
#2
What Usenet Group was that??? Do you think what NG even matters? If they have some bot that goes out and scans all the NG's, I guess it probably doesn't matter.

I kept getting an EMAIL distribution last week from people I didn't even know saying that one of you guys is sending me a virus from your address book. I responded that I thought this security patch thing was from NG's ... it kind of looks like it is ... thanks for the experiment.
#3
The newsgroup was microsoft.public.security.net.

This current post to a.c.h.o is made with a mailbox identity that will be used only once. I'll check what 'swen-mail' arrives, and post the results here. Meanwhile, perhaps the following will help.

The 'swen' worm and its effects, particularly on users with uninfected machines

The flood of e-mail ('swen-mail') is being generated by the 'swen' worm. Locally, there is not much you can do to stop the flood. Below you will find a discussion of the effects of the 'swen' worm and ways you can handle the flood you are getting, even though your machine may not be infected, and may be well protected.

Only your ISP can stop the flood of 'swen' generated e-mail, by scanning all e-mail for virus infection. Until your ISP or e-mail service begins to scan all e-mail for virus infection, you can use a filter and a program that allows partial downloading of e-mail messages (Veronica Loell posts information about these filters quite often; the information is also available at http://nakawe.sf.net/MMM3 .)

Symantec, the publisher of Norton AntiVirus, has a description of the worm, how to remove it, and removal tools at . Other publishers of antivirus programs have similar webpages. Note well, removing this worm after your system has been infected is not a simple task.

The 'swen' worm can harvest e-mail addresses from newsgroup postings, so it is very important to disguise your e-mail identity when posting to Usenet newsgroups (like microsoft.public.security.virus and tens of thousands of others). You can find out how at http://www.mailmsg.com/SPAM_munging.htm .

This worm has two main effects, and some secondary effects.

I. Main effects

A. It infects vulnerable systems and networks.

B. It generates a FLOOD of infected e-mail that is sent to e-mail addresses it harvests from infected machines and networks. These infected e-mails are of two types:

1. An HTML message that looks like a legitimate Microsoft Security Bulletin; the hotlinks in this message are valid Microsoft links, and will even lead you to a description that will allow you to identify this e-mail as bogus. The message has an attached 104 KByte file that contains the worm. If you don't have all appropriate Microsoft security patches and Service Packs installed, it may be possible for your system to be infected EVEN IF YOU DON'T OPEN THE MESSAGE. So far, the body of this message is always the same, though the Subject and From lines differ widely. This message, so far, can easily be blocked by detecting the string 'Run attached file' in the body (in fact, it would be a good practice to consider ANY e-mail that contains this string AND has an attachment as very, very likely to carry an infection).

2. A plain text message that purports to be a notification of an 'Undeliverable e-mail', with an attachment that purports to be a copy of the undeliverable e-mail. This attached file is 104 KBytes long and contains the worm. The Subject line, From line, and body present in thousands of combinations, and probably will continue to mutate. Even worse, real e-mail addresses harvested from infected systems and networks, and from Usenet newsgroup posts, are tagged onto this type of message, causing one of the secondary effects.

II. Secondary effects

A. Spam effect

1. Mailboxes with an e-mail address that has been harvested from infected systems, networks and Usenet newsgroup postings begin to be flooded with infected e-mail. [Personal example: my machines are not infected, but this worm began to flood my mailbox 17SEP03. I now receive more than 1500 infected e-mail messages per day. I must empty my mailbox every 5 minutes, 24/7 to avoid the possibility of having legitimate e-mail bounced. I had to install an application just to segregate the cleaned, previously infected e-mail from legitimate e-mail (standard spam blockers can't do this).]

There are filters and programs that can identify this 'swen-mail' and that require downloading only a portion of an e-mail message to allow discarding or keeping it based on whether it is 'swen-mail' or not. However, you still must arrange to do this operation often enough to keep your mailbox from overflowing past the general 10 MByte limit and bouncing subsequent e-mail. About 80 'swen-mail' messages take up 10 MBytes of storage. If you get 500 'swen-mail' messages per day, that means checking and clearing your mailbox at least every four hours, 24/7, to ensure that no valid e-mail messages are bounced.

B. Notifications from mail services that DO scan for infected messages, but unfortunately do not realize that the e-mail addresses given for the sender are either bogus or e-mail addresses harvested by the worm. Thus, completely innocent mailboxes have insult added to injury.

****

What can you do locally as an individual (i.e. in a SmallOfficeHomeOffice environment, and/or as a recreational user)?

#1. You can use a remote virus scan from one of the antivirus program publishers. THEN
#2. You can remove any infections discovered. THEN
#3. You install a good antivirus program, keep it active, keep the virus definitions up-to-date (at the moment you should update these definitions EVERY day), and set it to scan all incoming e-mails and downloads. THEN
#4. You can install all appropriate Microsoft security patches and Service Packs. THEN
#5. You can consider additional security (DHCP server, firewall, boric acid [for roaches], .....)

If you begin to be flooded with these infected messages, COMPLAIN to your ISP; send them this URL http://xtra.co.nz/products/0,,8969,00.html of an ISP that scans incoming e-mail before passing it to a mailbox. Ask for an increased mailbox size (if you are getting 1500 of these infected e-mails per day, you will need a mailbox size over 150 MBytes just to avoid the necessity of completely emptying it EVERY DAY). Ask about the implicit duty of the ISP to provide reliable e-mail service, and if they have received notification of any pending class actions you might join. Ask if they will unbundle their services so you can opt out of e-mail service and save that cost.

That's about all you can do about the e-mail flood; only your ISP or other e-mail provider can come close to solving this problem. When the e-mail flood becomes too painful, find an ISP or other e-mail provider that DOES scan and discard infected e-mail before passing it to your mailbox, and then change to that ISP and/or e-mail provider. Changing your e-mail address is no solution; as soon as your new e-mail address is harvested from an infected system or network, the problem starts again. In the meantime you can use a filter and a program that allows partial downloading of e-mail messages (Veronica Loell posts information about these filters quite often; the information is also available at http://nakawe.sf.net/MMM3 .) When a mailserver is scanning and not just deleting infected e-mail, but is also sending an e-mail to notify the sender, write the administrator a nasty note asking them to stop sending these notices.

****

That's about it; you can proof your system against infection, but only changes at the mailserver level can stop reception of a flood of infected e-mails and increasing numbers of inappropriate notices that you've sent infected e-mail from arriving in your mailbox.

Phil Weldon

--
Phil Weldon, pweldonatmindjumpdotcom
For communication, replace "at" with the 'at sign'
replace "mindjump" with "mindspring."
replace "dot" with "."
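As an added example (not code from any poster in this thread or from any antivirus publisher), here is a client-side triage routine in Python that implements the two indicators described above: the string 'Run attached file' in the body combined with an attachment, and a roughly 104 KByte attachment on a bogus 'undeliverable' notice. The 4 KByte size tolerance and the four sample messages are constructed assumptions for the demo.

```python
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the thread; the tolerance is an assumption of this example.
BODY_MARKER = "run attached file"   # compared case-insensitively
SWEN_SIZE = 104 * 1024              # the ~104 KByte attachment both lures carry
SIZE_TOLERANCE = 4 * 1024           # assumed slack for encoding and version drift


def attachment_sizes(msg: EmailMessage) -> list[int]:
    """Decoded size of every non-body part; empty for a single-part message."""
    return [len(part.get_payload(decode=True) or b"")
            for part in msg.iter_attachments()]


def classify(raw: bytes) -> str:
    """Return 'keep' or the swen-mail class the message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sizes = attachment_sizes(msg)
    if not sizes:
        # Both indicators require an attachment; the marker string alone is harmless.
        return "keep"
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if BODY_MARKER in text.lower():
        return "swen: bulletin lure"          # bogus Microsoft Security Bulletin
    if any(abs(size - SWEN_SIZE) <= SIZE_TOLERANCE for size in sizes):
        return "swen: bounce lure"            # bogus 'undeliverable mail' notice
    return "keep"


def build_sample(subject: str, body: str, subtype: str = "plain",
                 attachment: tuple[str, bytes] | None = None) -> bytes:
    """Construct a sample message for the demo (sample data, not a captured worm)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "mailbox@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body, subtype=subtype)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples: two lures shaped as the thread describes, two legitimate mails.
SAMPLES = {
    "bulletin": build_sample(
        "Current Internet Security Update",
        "<html><body><p>Run attached file to install the patch.</p></body></html>",
        subtype="html",
        attachment=("patch.exe", b"\x00" * SWEN_SIZE)),
    "bounce": build_sample(
        "Undeliverable mail",
        "Your message could not be delivered; the original is attached.",
        attachment=("message.eml", b"\x00" * (SWEN_SIZE + 2048))),
    "legit_attachment": build_sample(
        "Q3 overclocking results",
        "Spreadsheet attached as promised.",
        attachment=("results.xls", b"\x00" * (20 * 1024))),
    "legit_text": build_sample(
        "Re: swen filter",
        "The string 'Run attached file' alone is harmless without an attachment."),
}


def run_samples() -> dict[str, str]:
    """Classify every constructed sample; a filter would drop the 'swen:' ones."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:17s} -> {verdict}")
```

The body check needs only the headers and the first text part, so it fits the partial-download approach the post recommends; the size check needs the attachment part itself.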
#4
Well, the results are in.

The only use of exclusively_forpostingto_acho(at)mindspring.com was one post to this newsgroup at 4:14 PM EDT 06OCT03. The first 'swen-mail' arrived at that mailbox at 4:31 PM EDT 06OCT03. Elapsed time, 17 minutes.

The clear winner - alt.comp.hardware.overclocking beats microsoft.public.security.virus by 1 hour 15 minutes, spreading the 'swen' worm 700% as fast. What an overclock!

--
Phil Weldon, pweldonatmindjumpdotcom
For communication, replace "at" with the 'at sign'
replace "mindjump" with "mindspring."
replace "dot" with "."
#5
Phil Weldon wrote:
> 'Swen-mail' and the elapsed time between a Usenet newsgroup post with a valid e-mail address and the arrival of the first infected message in the mail box. I created a new mailbox and used it to post to microsoft.public.security.virus. Elapsed time to the first 'swen-mail': 2 hours 2 minutes.

Which effectively means it took a whole 2 hours before someone using an infected machine read your post.

I'm *really* glad I have access to server-side filters and can dump this crud before it clogs my mailbox - the flood has slowed somewhat, but the filters are still deleting a couple of hundred swens daily.
#6
Not exactly; I believe the 'swen' worm gets the e-mail addresses directly from the newsgroup postings. I opened another new mailbox, posted ONCE to alt.comp.hardware.overclocking, and then killed that newsreader account, but kept the mailbox. It took 17 minutes for the first 'swen-mail' to arrive at that mailbox.

--
Phil Weldon, pweldonatmindjumpdotcom
For communication, replace "at" with the 'at sign'
replace "mindjump" with "mindspring."
replace "dot" with "."
#7
It gets them from the *.dbx files.

- Phil Weldon stood up at show-n-tell, in , and said:
> Not exactly; I believe the 'swen' worm gets the e-mail addresses directly from the newsgroup postings. I opened another new mailbox, posted ONCE to alt.comp.hardware.overclocking, and then killed that newsreader account, but kept the mailbox. It took 17 minutes for the first 'swen-mail' to arrive at that mailbox.

--
Strontium
"If you get tired, of satellite flyers. And, fame, has let you down. Under the wire. And, over the Moon, I'm around... When you gonna grow up?" - Angie Aparo
#8
> Not exactly; I believe the 'swen' worm gets the e-mail addresses directly from the newsgroup postings.

How do you suppose it does that? There is no evidence of the worm connecting to news servers and reading headers. It doesn't; it waits for the infected user to run his newsreader, scoops addresses from the headers (via files created by the newsreader), and adds them to its list of targets.

> I opened another new mailbox, posted ONCE to alt.comp.hardware.overclocking, and then killed that newsreader account, but kept the mailbox. It took 17 minutes for the first 'swen-mail' to arrive at that mailbox.

Exactly. 17 minutes until an infected user read your post.
#9
AND

"The worm also can search for e-mail addresses in various newsgroups. It connects to NNTP servers listed in the SWEN1.DAT file, gets a list of all newsgroups on that server and searches recent messages in these newsgroups for 'nfrom:' and 'nreply-to:' tags. When such tags are found, the worm gets e-mail addresses after them and writes them to the GERMS0.DBV file. This way the worm can harvest a lot of e-mail addresses to send itself to." (From FSecure at http://www.f-secure.com/v-descs/swen.shtml .)

--
Phil Weldon, pweldonatmindjumpdotcom
For communication, replace "at" with the 'at sign'
replace "mindjump" with "mindspring."
replace "dot" with "."

"Strontium" wrote in message ...
> It gets them from the *.dbx files.
#10
Right. That's the 'from' and 'to' lines. Not the body of the message. It also gets email addresses from the body, using the .dbx files.

I feel for all those, out there, that are naive enough to even post to usenet with a real address. I learned my lesson, 5yrs ago, after getting 5-10 spams a day after just one post with my real email address. Switched ISP's and stopped using real address. I don't get spam.

- Phil Weldon stood up at show-n-tell, in t, and said:
> AND
> "The worm also can search for e-mail addresses in various newsgroups. It connects to NNTP servers listed in the SWEN1.DAT file, gets a list of all newsgroups on that server and searches recent messages in these newsgroups for 'nfrom:' and 'nreply-to:' tags. When such tags are found, the worm gets e-mail addresses after them and writes them to the GERMS0.DBV file. This way the worm can harvest a lot of e-mail addresses to send itself to." (From FSecure at http://www.f-secure.com/v-descs/swen.shtml .)

--
Strontium
"If you get tired, of satellite flyers. And, fame, has let you down. Under the wire. And, over the Moon, I'm around... When you gonna grow up?" - Angie Aparo