PC Review
Forums
Newsgroups
Windows 2000
Microsoft Windows 2000 Terminal Server Clients
Swen VIRUS ->Check this patch
#1
Guest

>Microsoft User

>this is the latest version of security update, the
>"January 1999, Cumulative Patch" update which eliminates
>all known security vulnerabilities affecting
>MS Internet Explorer, MS Outlook and MS Outlook Express
>as well as three newly discovered vulnerabilities.

#2
Guest

"Don Taylor" <dont@agora.rdrop.com> wrote in message
news:3fb7e814_5@127.0.0.1
>> Microsoft User
>
>> this is the latest version of security update, the
>> "January 1999, Cumulative Patch" update which eliminates
>> all known security vulnerabilities affecting
>> MS Internet Explorer, MS Outlook and MS Outlook Express
>> as well as three newly discovered vulnerabilities.

If this was email then the attachment is a virus.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup. Do not send email
http://www.fjsmjs.com

#3
Guest

"Frank Saunders, MS-MVP" <franksaunders@mvps.org> writes:
>"Don Taylor" <dont@agora.rdrop.com> wrote in message
>news:3fb7e814_5@127.0.0.1
>>> Microsoft User
>>
>>> this is the latest version of security update, the
>>> "January 1999, Cumulative Patch" update which eliminates
>>> all known security vulnerabilities affecting
>>> MS Internet Explorer, MS Outlook and MS Outlook Express
>>> as well as three newly discovered vulnerabilities.

>If this was email then the attachment is a virus.

No, it was a newsgroup posting AND the attachment is Swen virus.

I see several of these newsgroup Swen postings every day, some with
Swen attached and some have had it cut off by a filter but the same
pitch to use it remains. About half target the ie5 newsgroup,
probably because if you don't have the update to fix the bug that
allows infection without even opening the mail then you can't get it
anymore from Microsoft and you are a target. (what was MS thinking?!)

Here are the headers to prove it.
(below that I have some Swen statistics)

From: "Fam. Geers" <blfbzrysz@begqh.com>
Newsgroups: microsoft.public.win2000.termserv.apps,microsoft.public.win2000.termserv.clients,microsoft.public.win2000.windows_update,microsoft.public.win32.programmer.messaging,microsoft.public.windows.inetexplorer.ie5.gen.discussion
Subject: Check this patch
Mime-Version: 1.0
C o n t e n t - T y p e : m u l t i p a r t / m i x e d ; b o u n d a r y = " y n r x c q g n p q y k t "
NNTP-Posting-Host: tanya.215.conceptsfa.nl
Message-ID: <3fb75443_3@newsreader.concepts.nl>
Date: 16 Nov 2003 11:41:07 +0100
X-Trace: newsreader.concepts.nl 1068979267 213.197.4.215 (16 Nov 2003 11:41:07 +0100)
Lines: 2184
Path: corp-news!propagator3-maxim!feed-maxim.newsfeeds.com!pd7cy2so!pd7cy1no!shaw.ca!peer02.cox.net!cox.net!aotearoa.belnet.be!news.belnet.be!newsfeed.wxs.nl!news-x2.support.nl!newshub1.home.nl!home.nl!newsfeeder.concepts.nl!newsreader.concepts.nl!not-for-mail
Xref: 127.0.0.1 microsoft.public.win2000.termserv.apps:1481 microsoft.public.win2000.termserv.clients:1965 microsoft.public.win2000.windows_update:2107 microsoft.public.win32.programmer.messaging:758 microsoft.public.windows.inetexplorer.ie5.gen.discussion:670

And the (mangled) binary of the virus

- - y n r x c q g n p q y k t
C o n t e n t - T y p e : a p p l i c a t i o n / x - m s d o w n l o a d ; n a m e = " U p d a t e 4 4 . e x e "
C o n t e n t - T r a n s f e r - E n c o d i n g : b a s e 6 4
C o n t e n t - D i s p o s i t i o n : a t t a c h m e n t

T V q Q A A M A A A A E A A A A / / 8 A A L g A A A A A A A A A Q A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A
<snip>

Here are my top Swen spewing hosts on the net, and how many they sent me.

libertysurf.net 288
so-net.ne.jp 304
bigpond.com 309
singnet.com.sg 326
online.no 347
inet.fi 362
wanadoo.fr 427
dion.ne.jp 456
btinternet.com 500 + blueyonder.co.uk 131 + other BT domains
dublin.eircom.net 571
tiscali.it 790
tin.it 851
hetnet.nl 867

Those are just the biggest offenders on the net today, all who appear
to actively be doing nothing to stop their spewing Swen to the planet.
(the time limit for "gosh, we were surprised by this" ran out weeks ago)

Total Swen email received and reported in the last month: 15829
Receiving and reporting somewhat under 1000 swen every day lately.

If you look at that list it is obvious that wiping out some of the
European internet would go a long way towards stopping the ongoing
spread of Swen in the world, not to mention fraud and spam.

Fortunately, 80% of the 1332 hosts who have sent me Swen quickly
responded, tracked their infections down, put a stop to this and
never spewed more than half a dozen or so. And then we have the
few dozen problem children of the net spewing hundreds of millions
of these a day, infecting everyone they can find and doing nothing
about it, refusing to accept complaints in some of the cases,
ignoring them in all the rest.

There used to be something called a UDP (Usenet Death Penalty).
If a host was causing enough of a problem and just refused to do
anything about it then they were issued a UDP. Their name simply
disappeared from the routing tables on the net. And in a few hours
it was as if they just ceased to exist, they could not get anyone
to recognize messages from them and they became their own little
local area net (well, actually sometimes they couldn't even talk
to themselves because they use the same tables). A few years ago
uunet in the UK had this done because they refused to stop a flood
of spam that was burying the world and they didn't want to fix it.
Within a couple of days of ceasing to exist they decided that maybe
they would change their mind and did think they should fix this.

Maybe it is (past) time to issue UDP's to the Swen spewers.

Help stop Swen.
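
Added example, not part of the thread and not any poster's code: a Python check that a news or mail gateway could run over postings like the one quoted in post #3. It flags MIME parts by declared type, by filename extension, and by the `MZ` magic bytes that the posted base64 (`TVqQ...`) decodes to. The sample message, the sender address, and the `photo.jpg` and `notes.txt` parts are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

RISKY_TYPES = {"application/x-msdownload", "application/x-msdos-program"}
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def flag_executable_parts(raw: bytes):
    """Return [(filename, [reasons])] for MIME parts that look like Windows executables."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        reasons = []
        if part.get_content_type() in RISKY_TYPES:
            reasons.append("declared-type")
        if name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append("extension")
        # Undo the transfer encoding and inspect the content itself:
        # DOS/PE executables begin with the two bytes "MZ".
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            reasons.append("mz-header")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample() -> bytes:
    """Constructed test posting; the attachments are header bytes plus padding, not programs."""
    stub = b"MZ\x90\x00" + b"\x00" * 60
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "Check this patch"
    msg.set_content("this is the latest version of security update")
    msg.add_attachment(stub, maintype="application", subtype="x-msdownload",
                       filename="Update44.exe")
    # Same bytes under an innocent name and type: only the content check catches it.
    msg.add_attachment(stub, maintype="image", subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(b"plain notes\n", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in flag_executable_parts(build_sample()):
        print(name, reasons)
```

The content check matters because the declared type and filename are chosen by the sender; the decoded bytes are not as easy to disguise.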

#4
Guest

Don, where's the patch?

"Don Taylor" <dont@agora.rdrop.com> wrote in message
news:3fb7e814_5@127.0.0.1...
> >Microsoft User
>
> >this is the latest version of security update, the
> >"January 1999, Cumulative Patch" update which eliminates
> >all known security vulnerabilities affecting
> >MS Internet Explorer, MS Outlook and MS Outlook Express
> >as well as three newly discovered vulnerabilities.

#5
Guest

Amen. I get a couple hundred of these @#$#! Swen e-mails a day,
most days. I can't delete them fast enough.

Tom Delany

On Sun, 16 Nov 2003 20:52:52 -0600, Don Taylor wrote:

> "Frank Saunders, MS-MVP" <franksaunders@mvps.org> writes:
>>"Don Taylor" <dont@agora.rdrop.com> wrote in message
>>news:3fb7e814_5@127.0.0.1
>>>> Microsoft User
>>>
>>>> this is the latest version of security update, the
>>>> "January 1999, Cumulative Patch" update which eliminates
>>>> all known security vulnerabilities affecting
>>>> MS Internet Explorer, MS Outlook and MS Outlook Express
>>>> as well as three newly discovered vulnerabilities.
>
>>If this was email then the attachment is a virus.
>
> No, it was a newsgroup posting AND the attachment is Swen virus.
>
> I see several of these newsgroup Swen postings every day, some with
> Swen attached and some have had it cut off by a filter but the same
> pitch to use it remains. About half target the ie5 newsgroup,
> probably because if you don't have the update to fix the bug that
> allows infection without even opening the mail then you can't get it
> anymore from Microsoft and you are a target. (what was MS thinking?!)
>
> Here are the headers to prove it.
> (below that I have some Swen statistics)
>
> From: "Fam. Geers" <blfbzrysz@begqh.com>
> Newsgroups: microsoft.public.win2000.termserv.apps,microsoft.public.win2000.termserv.clients,microsoft.public.win2000.windows_update,microsoft.public.win32.programmer.messaging,microsoft.public.windows.inetexplorer.ie5.gen.discussion
> Subject: Check this patch
> Mime-Version: 1.0
> C o n t e n t - T y p e : m u l t i p a r t / m i x e d ; b o u n d a r y = " y n r x c q g n p q y k t "
> NNTP-Posting-Host: tanya.215.conceptsfa.nl
> Message-ID: <3fb75443_3@newsreader.concepts.nl>
> Date: 16 Nov 2003 11:41:07 +0100
> X-Trace: newsreader.concepts.nl 1068979267 213.197.4.215 (16 Nov 2003 11:41:07 +0100)
> Lines: 2184
> Path: corp-news!propagator3-maxim!feed-maxim.newsfeeds.com!pd7cy2so!pd7cy1no!shaw.ca!peer02.cox.net!cox.net!aotearoa.belnet.be!news.belnet.be!newsfeed.wxs.nl!news-x2.support.nl!newshub1.home.nl!home.nl!newsfeeder.concepts.nl!newsreader.concepts.nl!not-for-mail
> Xref: 127.0.0.1 microsoft.public.win2000.termserv.apps:1481 microsoft.public.win2000.termserv.clients:1965 microsoft.public.win2000.windows_update:2107 microsoft.public.win32.programmer.messaging:758 microsoft.public.windows.inetexplorer.ie5.gen.discussion:670
>
> And the (mangled) binary of the virus
>
> - - y n r x c q g n p q y k t
> C o n t e n t - T y p e : a p p l i c a t i o n / x - m s d o w n l o a d ; n a m e = " U p d a t e 4 4 . e x e "
> C o n t e n t - T r a n s f e r - E n c o d i n g : b a s e 6 4
> C o n t e n t - D i s p o s i t i o n : a t t a c h m e n t
>
> T V q Q A A M A A A A E A A A A / / 8 A A L g A A A A A A A A A Q A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A
> <snip>
>
> Here are my top Swen spewing hosts on the net, and how many they sent me.
>
> libertysurf.net 288
> so-net.ne.jp 304
> bigpond.com 309
> singnet.com.sg 326
> online.no 347
> inet.fi 362
> wanadoo.fr 427
> dion.ne.jp 456
> btinternet.com 500 + blueyonder.co.uk 131 + other BT domains
> dublin.eircom.net 571
> tiscali.it 790
> tin.it 851
> hetnet.nl 867
>
> Those are just the biggest offenders on the net today, all who appear
> to actively be doing nothing to stop their spewing Swen to the planet.
> (the time limit for "gosh, we were surprised by this" ran out weeks ago)
>
> Total Swen email received and reported in the last month: 15829
> Receiving and reporting somewhat under 1000 swen every day lately.
>
> If you look at that list it is obvious that wiping out some of the
> European internet would go a long way towards stopping the ongoing
> spread of Swen in the world, not to mention fraud and spam.
>
> Fortunately, 80% of the 1332 hosts who have sent me Swen quickly
> responded, tracked their infections down, put a stop to this and
> never spewed more than half a dozen or so. And then we have the
> few dozen problem children of the net spewing hundreds of millions
> of these a day, infecting everyone they can find and doing nothing
> about it, refusing to accept complaints in some of the cases,
> ignoring them in all the rest.
>
> There used to be something called a UDP (Usenet Death Penalty).
> If a host was causing enough of a problem and just refused to do
> anything about it then they were issued a UDP. Their name simply
> disappeared from the routing tables on the net. And in a few hours
> it was as if they just ceased to exist, they could not get anyone
> to recognize messages from them and they became their own little
> local area net (well, actually sometimes they couldn't even talk
> to themselves because they use the same tables). A few years ago
> uunet in the UK had this done because they refused to stop a flood
> of spam that was burying the world and they didn't want to fix it.
> Within a couple of days of ceasing to exist they decided that maybe
> they would change their mind and did think they should fix this.
>
> Maybe it is (past) time to issue UDP's to the Swen spewers.
>
> Help stop Swen.