worms

glen

Can anyone tell me why all of a sudden
I`m getting dozens of emails with worms attached?
I have anti-virus software, but everyday worms!!

kurt wismer

glen said:
Can anyone tell me why all of a sudden
I`m getting dozens of emails with worms attached?
I have anti-virus software, but everyday worms!!

it's probably swen and lots of people here have been swamped with it,
even me (to the tune of 1000+ per day)... other peoples machines are
sending them and the headers are forged so there's no way to contact
those people... all you can do is filter your email...

for more info on it, try http://www.f-secure.com/v-descs/swen.shtml

Henry B Jobin

For some reason this massive attack isn't getting press coverage. You are
not alone by any means!

At the very least use a commercial anti-virus software package to scan email
before reading, and never open an attachment if you don't know the sender
"personally"!

It might be a hardship but also clean out your address (contact) book and
ask your contacts to remove your address from theirs !

Henry

Also, never post your address on a message board.

»Q«

it's probably swen and lots of people here have been swamped with
it, even me (to the tune of 1000+ per day)... other peoples
machines are sending them and the headers are forged so there's no
way to contact those people... all you can do is filter your
email...

for more info on it, try
http://www.f-secure.com/v-descs/swen.shtml

Is there really no way to contact them? That F-Secure page says, "The
worm reads SMTP server address and user name from the Registry. However,
if it can't find this info, it shows a fake MAPI error dialog asking a
user to input that data." And all the Swen mails I have bothered to
look at have an e-mail address in the Return-Path header which fits with
the info in the lowermost Received header. Here are a couple
grabbed at random from today's kill log:

Return-Path: <[email protected]>
Delivered-To: GMX delivery to (e-mail address removed)
Received: (qmail 23453 invoked by uid 65534); 27 Sep 2003 02:18:18 -0000
Received: from vsmtp1.tin.it (EHLO vsmtp1.tin.it) (212.216.176.221)
  by mx0.gmx.net (mx031-rz3) with SMTP; 27 Sep 2003 04:18:18 +0200
Received: from nnrkh (80.117.34.27) by vsmtp1.tin.it (7.0.019)
  id 3F6F8E1A003234C1; Sat, 27 Sep 2003 04:17:16 +0200

Return-Path: <[email protected]>
Delivered-To: GMX delivery to (e-mail address removed)
Received: (qmail 26197 invoked by uid 65534); 27 Sep 2003 01:54:42 -0000
Received: from smtp21.singnet.com.sg (EHLO smtp21.singnet.com.sg) (165.21.101.201)
  by mx0.gmx.net (mx012) with SMTP; 27 Sep 2003 03:54:42 +0200
Received: from qtrss (bb220-255-51-163.singnet.com.sg [220.255.51.163])
  by smtp21.singnet.com.sg (8.12.10/8.12.9) with SMTP id h8R1oKau013898;
  Sat, 27 Sep 2003 09:50:20 +0800
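As an added example (not from any poster in this thread), the check »Q« describes, in Python: take the lowermost Received header, pull out the injecting host and its IP, and see whether the Return-Path domain fits the relay that stamped that header. The Received lines are the two quoted above with their continuation lines re-indented; the Return-Path mailboxes are constructed placeholders, since the page redacts them. Only the relay's own stamp is outside the sender's control, which is why it is the line an abuse desk can act on.

```python
import re
from email.parser import HeaderParser

# Constructed sample: the two header blocks quoted in the post above, with
# continuation lines re-indented and the redacted Return-Path mailboxes
# replaced by placeholder users at each first relay's domain.
SAMPLES = [
    "Return-Path: <placeholder-user@tin.it>\n"
    "Received: (qmail 23453 invoked by uid 65534); 27 Sep 2003 02:18:18 -0000\n"
    "Received: from vsmtp1.tin.it (EHLO vsmtp1.tin.it) (212.216.176.221)\n"
    "  by mx0.gmx.net (mx031-rz3) with SMTP; 27 Sep 2003 04:18:18 +0200\n"
    "Received: from nnrkh (80.117.34.27) by vsmtp1.tin.it (7.0.019)\n"
    "  id 3F6F8E1A003234C1; Sat, 27 Sep 2003 04:17:16 +0200\n",
    "Return-Path: <placeholder-user@singnet.com.sg>\n"
    "Received: (qmail 26197 invoked by uid 65534); 27 Sep 2003 01:54:42 -0000\n"
    "Received: from smtp21.singnet.com.sg (EHLO smtp21.singnet.com.sg) (165.21.101.201)\n"
    "  by mx0.gmx.net (mx012) with SMTP; 27 Sep 2003 03:54:42 +0200\n"
    "Received: from qtrss (bb220-255-51-163.singnet.com.sg [220.255.51.163])\n"
    "  by smtp21.singnet.com.sg (8.12.10/8.12.9) with SMTP id h8R1oKau013898;\n"
    "  Sat, 27 Sep 2003 09:50:20 +0800\n",
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP = re.compile(r"^from\s+(\S+)\s*(.*?)\s+by\s+(\S+)", re.IGNORECASE)


def origin_hop(raw_headers):
    # Lowermost "from X ... by Y" Received header: X is the machine that
    # injected the mail (the infected host), Y the first relay that saw it.
    # Returns (origin_host, origin_ip, relay), or None when no such hop exists.
    msg = HeaderParser().parsestr(raw_headers, headersonly=True)
    for hop in reversed(msg.get_all("Received") or []):
        m = HOP.match(" ".join(hop.split()))   # unfold, then match
        if not m:
            continue                           # e.g. local "qmail invoked" stamp
        host, extra, relay = m.groups()
        ip = IPV4.search(extra)
        return host, ip.group(1) if ip else None, relay
    return None


def return_path_matches_relay(raw_headers):
    # The consistency check from the post: the Return-Path domain should be
    # the first relay's domain (or a parent of it); otherwise it is suspect.
    msg = HeaderParser().parsestr(raw_headers, headersonly=True)
    m = re.search(r"@([\w.-]+)>", msg.get("Return-Path", ""))
    hop = origin_hop(raw_headers)
    if not m or hop is None:
        return False
    domain, relay = m.group(1).lower(), hop[2].lower()
    return relay == domain or relay.endswith("." + domain)
```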

Bart Bailey

In Message-ID:<[email protected]> posted on Fri,
Can anyone tell me why all of a sudden
I`m getting dozens of emails with worms attached?
I have anti-virus software, but everyday worms!!
If this is your valid email addy:
(e-mail address removed)
The reason is that it's visible to any harvest bot that scours the news
groups that you post in. Or perhaps someone with your addy in their
address book has been infected.
google up "swen" and read from the many write ups about how it works and
the extent of people affected by it, you're not alone.

D McAuliffe

»Q« said:
Here are a couple grabbed at random from today's kill log:

Delivered-To: GMX delivery to (e-mail address removed)
Delivered-To: GMX delivery to (e-mail address removed)

Boxcars-
In your header of your original post:
From: "=?ISO-8859-1?Q?=BBQ=AB?=" <[email protected]>

I look upon this as begging to be bombed. If the above address is truly
yours, then on my machine, right now, there are 7 instances of your correct
address, 3 from your original post and 4 from this one. If I get Swen,
you could likely get 14 infected mails just from me (based on what I've
read in other NGs, it appears 2 versions of the mail may be sent to the same
recipient from the same infected - my only 2 Swen mails received thus far
don't contradict the theory). If someone responds to this post keeping in
the addresses and I read it, I'll have 11 and you'll get 22. Estimating how
many people read alt.comp.anti-virus that will become infected and multiplying
that by 11 (for now) gives you your maximum exposure.

Kurt-
Are "Reply-To: (e-mail address removed)" or <[email protected]> valid
addresses?

--

~~~~~~~~~~~~~~~~~~
Dave McAuliffe
<Central Mass> USA
Remove X from address
~~~~~~~~~~~~~~~~~~

»Q«

In your header of your original post:
From: "=?ISO-8859-1?Q?=BBQ=AB?=" <[email protected]>

I look upon this as begging to be bombed.

I don't.

emailx.com is a valid domain. If you are going to use a munged
address, the domain should be invalid, and it should end with the
tld .invalid.
If the above address is truly yours, then on my machine, right
now, there are 7 instances of your correct address, 3 from your
original post and 4 from this one. If I get Swen, you could
likely get 14 infected mails just from me (based on what I've read
in other NGs, it appears 2 versions of the mail may be sent to the
same recipient from the same infected - my only 2 Swen mails
received thus far don't contradict the theory). If someone
responds to this post keeping in the addresses and I read it, I'll
have 11 and you'll get 22. Estimating how many people read
alt.comp.anti-virus that will become infected and multiplying that
by 11 (for now) gives you your maximum exposure.

If you were infected, it would not matter whether you ever read a.c.a-v
or whether you had my address on your HDD. Your copy of Swen would
have a peek at Usenet and find my address there. Afaik, each
infected machine sends two to each address it finds, but not two for
each instance of that address.

FromTheRafters

If you were infected, it would not matter whether you ever read a.c.a-v
or whether you had my address on your HDD. Your copy of Swen would
have a peek at Usenet and find my address there. Afaik, each
infected machine sends two to each address it finds, but not two for
each instance of that address.

Interesting to note that apparently the worm uses
massive crossposting to help the spread of e-mail
addresses to other newsgroups, as well as to try
to infect posters with itself. Swen makes a post to
usenet, and the thread takes off....sort of like those
ants that garden their own food supply.

FromTheRafters

Bart Bailey said:
In Message-ID:<[email protected]> posted on Fri,

If this is your valid email addy:
(e-mail address removed)
The reason is that it's visible to any harvest bot that scours the news
groups that you post in.

In addition, anyone replying to a post after yours that decided
to crosspost (assuming that your address wasn't edited out)
would cause your address to spread to groups that you never
posted in.

D McAuliffe

emailx.com is a valid domain. If you are going to use a munged
address, the domain should be invalid, and it should end with the
tld .invalid.

From EmailX.com:
Contact us if you are interested in above domain.

If I remember correctly from '98, signing up for posting to
news.uni-berlin.de required the "from" to be a valid domain.
If you were infected, it would not matter whether you ever read a.c.a-v
or whether you had my address on your HDD. Your copy of Swen would
have a peek at Usenet and find my address there. Afaik, each
infected machine sends two to each address it finds, but not two for
each instance of that address.

»Q«, I can only come to conclusions and make recommendations based on what
I've read and from my own experiences. Admittedly, I'm mainly just a home
user doing basic functions. I based my post on what is written at
http://www.us.sophos.com/virusinfo/analyses/w32gibef.html, "W32/Gibe-F is a
worm which spreads by emailing itself via its own SMTP engine to addresses
extracted from various sources on the victim's drives (e.g. MBX and DBX
files)." Since the a.c.a-v posts I have are stored in a DBX file, I saw the
potential for a lot of mails going out.
My error is not taking into consideration those that read through their
browser. That could (dramatically?) cut down the maximum exposure. Are
read browser messages stored (or can they be saved) at all on the user's
HDD, and if so in what type of file?

From http://vil.nai.com/vil/content/v_100662.htm
"Propagation via Newsgroups:
The worm carries a compressed list of newsgroup servers. At run time, the
list is decompressed and written to a temp file. The worm uses the default
newsgroup server from the machine or one from the list to post messages to a
randomly selected group. The message is the same from the email
propagation."
I focused on "to post messages", that is, it does not get addresses from
this action, but sends a post (in hopes of) getting someone to open the
message and get infected via a very old exploit, or DL and/or open the
attachment.

Concerning "not two for each instance of that address"; I have no clue as to
what actually happens. My math was based on how I thought this thing was
operating. If I were the programmer, would I do the extra code to compare
each address to what I already had in order to exclude duplicates (would I
think, up front, there would be many duplicates to exclude in order to make
the mail more believable?) or would I just get an address and send, then
repeat. The number of mails some people are receiving per minute are so
great that I believed they were coming from multiple instances from the same
machine ("from" address changed for each set) rather than from an incredibly
huge number of infected machines. Because this hit the home user, and it
installs to repeat, it appears a whole new round of mails go out under a
different IP at startup / log-on.

If I'm out-of-sync I apologize, and, where did I go astray? (The EmailX.com
though is non-negotiable. Your point is taken and I consider it to be
valid.)
--

~~~~~~~~~~~~~~~~~~
Dave McAuliffe
<Central Mass> USA
Remove X from address
~~~~~~~~~~~~~~~~~~

»Q«

If I remember correctly from '98, signing up for posting to
news.uni-berlin.de required the "from" to be a valid domain.

More than that, it required it to be a valid address belonging to
you, and still does. news.individual.net = news.uni-berlin.de now.

<http://news.individual.net/rules.html>

Users of the newsserver are expected to follow this set of
rules. Disregarding the rules may cause termination of access
privileges without further notice.

* Accurate Sender Address
The e-mail addresses in From:, Reply-To:, and Sender: fields
must belong to you and they have to be valid. Using
identifiers of other individuals without their permission or
e-mail addresses that will bounce is not permitted. (For more
details see paragraph 5.3 of the FAQ.)

<http://news.individual.net/faq.html#5.3>

5.3 May I mangle my "From:" header address so that I do not get
SPAM?
No. We recommend to get an account with a free e-mail provider
(such as GMX, Yahoo, Hotmail, Bigfoot...) and to not read mails
that go to that address at all, only sporadically or in
combination with suitable filter mechanisms.
This has the same effect, but does not violate the netiquette,
our policy or other guidelines.

Another way is the usage of "(e-mail address removed)". The owner of
privacy.net has given his permission to use that address for
SPAM protection purposes.
From http://vil.nai.com/vil/content/v_100662.htm
"Propagation via Newsgroups:
The worm carries a compressed list of newsgroup servers. At run
time, the list is decompressed and written to a temp file. The
worm uses the default newsgroup server from the machine or one
from the list to post messages to a randomly selected group. The
message is the same from the email propagation."
I focused on "to post messages", that is, it does not get
addresses from this action, but sends a post (in hopes of) getting
someone to open the message and get infected via a very old
exploit, or DL and/or open the attachment.

From <http://www.f-secure.com/v-descs/swen.shtml>:

The worm also can search for e-mail addresses in various
newsgroups. It connects to NNTP servers listed in the SWEN1.DAT
file, gets a list of all newsgroups on that server and searches
recent messages in these newsgroups for 'nfrom:' and 'nreply-to:'
tags. When such tags are found, the worm gets e-mail addresses
after them and writes them to the GERMS0.DBV file. This way the
worm can harvest a lot of e-mail addresses to send itself to.
Concerning "not two for each instance of that address"; I have no
clue as to what actually happens.

Me neither. Your speculation that one copy of the worm will send to
an addy each time it finds an instance of it may well be right. We're
both guessing about that.
(The EmailX.com though is non-negotiable. Your point is taken and
I consider it to be valid.)

Well, I wasn't about to LART you for it. ;)

Somebody could though, since that e-mail address does not
belong to you.

FromTheRafters

D McAuliffe said:
From http://vil.nai.com/vil/content/v_100662.htm
"Propagation via Newsgroups:
The worm carries a compressed list of newsgroup servers. At run time, the
list is decompressed and written to a temp file. The worm uses the default
newsgroup server from the machine or one from the list to post messages to a
randomly selected group. The message is the same from the email
propagation."
I focused on "to post messages", that is, it does not get addresses from
this action, but sends a post (in hopes of) getting someone to open the
message and get infected via a very old exploit, or DL and/or open the
attachment.

From:

http://www.f-secure.com/v-descs/swen.shtml

The worm also can search for e-mail addresses in various newsgroups.
It connects to NNTP servers listed in the SWEN1.DAT file, gets a list
of all newsgroups on that server and searches recent messages in these
newsgroups for 'nfrom:' and 'nreply-to:' tags. When such tags are found,
the worm gets e-mail addresses after them and writes them to the
GERMS0.DBV file. This way the worm can harvest a lot of e-mail
addresses to send itself to.

The worm can post its e-mails to newsgroups, the names of which it
finds during searching process. The worm sends the same kind of
messages as it sends via e-mail.

Gabriele Neukam

On that special day, »Q«, ([email protected]) said...
news.individual.net = news.uni-berlin.de now.

News Uni Berlin does still exist, but now is restricted to university
members, while everyone else is asked to join the Individual department.


Gabriele Neukam

(e-mail address removed)

Bart Bailey

In Message-ID:<[email protected]> posted on Mon, 29 Sep
News Uni Berlin does still exist, but now is restricted to university
members, while everyone else is asked to join the Individual department.

Wonder if the University of Calgary is going to start offering a news
service, anonymous accounts, of course. <g>

D McAuliffe

Thanks »Q«, FromTheRafters and Gabriele Neukam, for the heads up. Looks as
though I've got to read most, if not all, of the AV sites' write-ups to
determine what's factually happening. As for the mail address - I'm slowly
skulking out of this thread - <g>.
--

~~~~~~~~~~~~~~~~~~
Dave McAuliffe
<Central Mass> USA
Remove X from address
~~~~~~~~~~~~~~~~~~