Another SWEN coming in every hour

Bart Bailey

In Message-ID:<[email protected]> posted on Thu, 2 Oct
It can, and you can, but it requires downloading the message to do so.
I think that you have to apply all of the "delete from server" rules, each
with an accompanying "stop processing more rules" rule, to speed things
up a little. After that it does little good to try to avoid downloading mail
by rules which require the downloading action in order to work.

...and of course, some people *like* HTML e-mail as long as it isn't
malicious.
Mailwasher allows for a partial DL with the first 20 lines as minimum.
This is enough to spot a format tag for HTML, then the message is
flagged no matter how big it really is.
Downloading only the first twenty lines makes no perceptible difference
in speed over just the headers alone.
 
Jan Il

Hi Rafter,

FromTheRafters said:
The way I see it, if the filter rules were working before, and
they aren't working now, then one of the following is true:

1) The filters have somehow changed
2) The worm has somehow changed
3) I am misunderstanding something

You checked the filters ~ no change.

You would notice if the worm e-mail that evaded the filter met
the criteria of one of the filter rules, but not necessarily whether
or not that particular rule had always been ineffective and that
it was another rule that had always worked in the past.

I usually apply rules with actions to highlight with color and
test their effectiveness that way, but with Swen (if I were to
be getting them) I would probably not bother, as there would
be far too many of them to look at.

That being said, if what you describe had been happening to me,
I would reluctantly settle on item three. I would then take steps
to remedy the situation by changing the rules to highlight with
color to determine which rules never seem to be effective and
attempt to discern why that is.

The "stop processing more rules" rule is an important consideration.
If the filter program sees a whitelist criteria to "send to folder" and
then a "delete from server" criteria it may very well download first
and then delete, which is what it would have done if no rules had
existed. It may not matter in what order the filters were set up if
the algorithm is "check all criteria" and then "take all actions"
rather than "check first criteria" and then "take first action". The
program may see the illogic of deleting before downloading to
check a whitelist rule. If the whitelist criteria is followed by the
"send to folder" and then a "stop processing more rules" then the
appropriate actions can be taken on the whitelist rule without any
concern for other rules. It is like having "end" statements in a
program ~ even if you believe that there is no chance that program
flow would ever reach that statement

I understand this, Rafter, and totally agree with everything you say, and
this does work for most all messages as it should. I do not question this at
all.
I have seen Swen headers with random letters as the <username>
portion of the "From" e-mail address even though I haven't seen
this mentioned in the write-ups, so I suppose it is possible that
random changes could be made to the domain portions as well
to make the filtering harder, but if you are seeing @microsoft.com
when you know damned well that you have a rule to filter out
all @microsoft.com's, then I would investigate that rule and the
ones not separated from it by "stop processing" actions further
to see if it is thwarted by another rule.

The "stop processing" thing is to avoid making inadvertent
compound rules.

Again, you are correct, believe me, I have tested and tested all the various
Rules, one by one, using all the various associated settings independently,
and collectively, to see how they react and the result of how they control
the messages.

Another test I ran was to set the Rule for From independently, and entered
the criteria, M, MS, Microsoft, as the keyword respectively, and each with
the setting of delete from server. Which does not involve the stop
processing. They still came through. ??

I truly have tried all sorts of variations, and I have listened and tried
all the suggestions and such that have been offered here, not only in this
thread, but others as well. My mind is open, and I am very interested and
anxious to learn and try anything that might shed some light on what is
happening. I'm not being one sided and stubborn, I am listening, and
applying, and then documenting the results of each step, one at a time. Not
only from this ng, but several others, and MS web support. What I am
stating back is the results of all that I have done.

I have tried each Rule one at a time, and monitored the results of each.
Which type of messages are being downloaded, the wording, the file size, the
attachment, the headers, the details. I really do know how to do all these
things and assess them.

I understand the importance of the stop processing more rules, but, that
only applies to the files that are allowed to be downloaded, not for those
to be deleted on the server.

I have been researching this from many angles, and circumstances. I won't
continue to bore anyone here with the details, but, let's just say that,
when you have one Rule, set to any message with an attachment, and then set
to delete from server, period, which does not involve the stop processing,
and the same 'specific' messages are still being downloaded to the Inbox,
but not ALL the messages with attachments, which I knew existed because I
sent myself several, then I can't help but question that something is
different about the specific messages that are not being deleted from the
server, and still being downloaded to the Inbox. It would seem obvious that
the Rule is working for the other messages with attachments and deleting
them in the server, but, not for these particular messages, which do, for
all intents and purposes, meet the Rule criteria. They are messages, and
they have attachments. But, are not being deleted from the server.

They appear to be different, and they are not reacting in the same way as
the others. That is all that I am saying.

Well..'nuf said.

Thanks Rafter.

Jan :)
 
Knack

Beauregard T. Shagnasty said:
Knack pounced upon this pigeonhole and pronounced:

It doesn't matter who your ISP is. You're shooting yourself in the foot by
posting your email address in the clear in Usenet. Swen harvests addresses
from Usenet. See this public information from google groups:

From: Knack ([email protected])
Subject: Re: Antibiotics for upper respiratory illness
Newsgroups: rec.pets.cats.health+behav
Date: 2003-08-29 13:36:30 PST

Do you use your earthlink address in Usenet as well? Or have this hotmail
address forwarded to earthlink?

One of my ISPs - AT&T Worldnet - has dozens of posts worded almost exactly
like yours. "What's wrong with my ISP?"

Using Netscape Communicator 4.79. I set up 2 user profiles; one for e-mail and
another for newsgroups. The former has my full name and Earthlink mail
servers, and for a while it had the Earthlink news server in it. The latter
has Knack as my name and with Hotmail as my address, and with no incoming
mailserver entered, but with the Earthlink SMTP and news servers entered.

One day last week or the week before I forgot which profile I was using and I
inadvertently made a couple Usenet posts using the profile which has my full
name and Earthlink address. I've since deleted the news server from that
profile to make it impossible for me to blunder like that again.

No, there is no forwarding of Hotmail mail to Earthlink.
 
Veronica Loell

See my posting about filter below. The program that I am using and have
implemented the filter rules for is for Windows only, unfortunately.
There are instructions for using with Hotmail and POP3-mailservers.

- Veronica Loell

Knack wrote / skrev:
 
Knack

There is no Swen coming into the Hotmail account, and Hotmail mail is not
forwarded to Earthlink. OK, I blundered with 2 or 3 posts a week or 2 ago and
posted to Usenet with a Netscape Communicator user profile that has my full
name and Earthlink address.

But I've since been posting with Knack and the Hotmail address. My old posts
are still available to Swen though. I wonder how many more weeks or months it
will keep retrieving my Earthlink address from those posts.

How long does it take for a particular worm to die out, and what causes it to
stop?
 
Chopper

If you have the same type acct w/ EL as I do, you can have a number of email
addresses. Make one your main acct and don't use it for anything other than
that - no email or usenet etc purposes. Then create a few more as possible
throwaways and use those for email and maybe a munged usenet posted
address.. When posting on usenet either munge or use a totally bogus address
in the header.

When a particular email addy gets on a virus or spam list, you can jettison
it.

When will it die out? The overall problem is getting worse, not better, so
it's not a question of when swen goes away, other worse stuff will
eventually show up.

C



Knack said:
There is no Swen coming into the Hotmail account, and Hotmail mail is not
forwarded to Earthlink. OK, I blundered with 2 or 3 posts a week or 2 ago and
posted to Usenet with a Netscape Communicator user profile that has my full
name and Earthlink address.

But I've since been posting with Knack and the Hotmail address. My old posts
are still available to Swen though. I wonder how many more weeks or months it
will keep retrieving my Earthlink address from those posts.

How long does it take for a particular worm to die out, and what causes it to
 
Gabriele Neukam

On that special day, Knack, ([email protected]) said...
My old posts
are still available to Swen though. I wonder how many more weeks or months it
will keep retrieving my Earthlink address from those posts.

A German reported that (she?) received a mail to an address that was
last used in a usenet posting at the end of the year 2001. I think
there are two sources from which Swen does get its usenet user address
targets.

a) from the most recent news, downloaded from a random group, by using
its SMTP engine
b) by fetching everything from the IE cache and browsing for anything
with an (at) inside. The cache might contain addresses of usenet users,
if the owner of the infected machine has done a Google search, including
groups.

Google has adopted Deja News, and is hosting the history of the usenet.
The probability that Swen will eventually get addresses from within the
Deja history, isn't that low IMHO.


Gabriele Neukam

(e-mail address removed)
 
Veronica Loell

Gabriele Neukam wrote / skrev:
A German reported that (she?) received a mail to an address that was
last used in a usenet posting at the end of the year 2001. I think
there are two sources from which Swen does get its usenet user address
targets.

a) from the most recent news, downloaded from a random group, by using
its SMTP engine

Don't you mean NNTP-engine? You can't possibly fetch anything out of an
NNTP-server by the Send Mail Transfer Protocol. You can however post by
using SMTP which SWEN does. Apparently some sources report that swen
connects directly to newsgroups to get addresses. The sources I have seen
only say that it harvests every possible and impossible address from the
infected machine. But I am certainly no virus-expert.

- Veronica Loell
 
Peter

Jan Il said:
Snip
Bart, I appreciate your concern. :) But, I would not have come here and
made this statement unless I had made sure I was certain of my facts.

I ran an AVG scan, Spybot, Adware, House Call, as many and all that I could
to make sure nothing was lurking and there was no "HAL" on board. I reset
all of my Rules, and even added some, I checked and rechecked all the
settings. I could not believe myself that this thing had somehow found a way
to override the Rules. But, all I can say is, if you want to believe it or
not, it has, and it does, and the game plan is not the same. The playing
field has changed. I do have Mailwasher in place, and I will monitor it to
see what happens there.

You're right, Swen is not going to go quietly into that good night. Heck,
I'm no virus guru, but, even I can see the changes that are taking place on
a daily basis. But, it is another story when it can detect and override
settings like this. That is why I wanted to post this here, so that someone
else might pick up on it too. It may be that the strain that I got has not
hit everyone yet, so you folks may not have seen this yet, or maybe not even
noticed it, but, it is happening. It is overriding, bypassing,
circumventing, whatever you want to call it. I guess it is because I had not
had any Swen related messages in over 3 days, then suddenly started seeing
the same ones that I had used to set the rules for showing up out of
nowhere, with attachments, and all the nomenclature, and yet, the rules had
been stopping them or putting them in the delete box before. Now, they were
showing up in my Inbox again. I did check each and every word in the From,
To, Subject Line, body, anything that could signify that they were all
somehow new and not the same as before. But, not so.

Well, what you folks choose to do with the info is up to you. It just
bothered me that this thing seems to be sort of "thinking" if you will. Or,
the person(s) behind it are trying to stay one step ahead to keep it going.
If they are smart enough to write something like this crap, they are surely
smart enough to be able to override or circumvent some simple OE rules. I
am not new to in-depth research of various computer problems, and there are
many MVP's in several other newsgroups that can attest to that. So I make
sure all my ducks are in a row before I post my findings. I would not have
come here and made this statement if I was not sure.

Jan

Although I'm sure your OE mail rules are being violated, that being the
case, then this must be the first "mail" to actually accomplish this. Are
your OE rules working ok on other Spam? I'm wondering whether you've
possibly been infected by SWEN without realising it. Can you open Regedit?
Is opening Web pages taking forever? Is the file swen.dat in your system? I
had these problems before the penny finally dropped. I'm pretty well a
novice with viruses and SWEN was the first one to infect my PC. I don't
bother with AV software. Although I've sorted it now, I've also closed down
the one e-mail account that was responsible for passing on all the SWEN
crap, and opened up a new one with a different ISP. So far, so good. I still
receive the odd SWEN, but the OE rules are holding up and chuck them
straight into the Delete folder.

CC
 
FromTheRafters

Bart Bailey said:
In Message-ID:<[email protected]> posted on Thu, 2 Oct

Mailwasher allows for a partial DL with the first 20 lines as minimum.

Yes, and I hardly use the OE ruleset anymore except for color
coding. Mailwasher works very well for me, and it is easier to
use than OE imo.
This is enough to spot a format tag for HTML, then the message is
flagged no matter how big it really is.
Downloading only the first twenty lines makes no perceptible difference
in speed over just the headers alone.

I get HTML mails from friends of the family, so I accept HTML.
My sister even has some friends that send "Incredimail" crap.
Oh well, there's no accounting for taste I guess.
 
Jan Il

Hi Peter -

Peter said:
Although I'm sure your OE mail rules are being violated, that being the
case, then this must be the first "mail" to actually accomplish this. Are
your OE rules working ok on other Spam? I'm wondering whether you've
possibly been infected by SWEN without realising it. Can you open Regedit?
Is opening Web pages taking forever? Is the file swen.dat in your system? I
had these problems before the penny finally dropped. I'm pretty well a
novice with viruses and SWEN was the first one to infect my PC. I don't
bother with AV software. Although I've sorted it now, I've also closed down
the one e-mail account that was responsible for passing on all the SWEN
crap, and opened up a new one with a different ISP. So far, so good. I still
receive the odd SWEN, but the OE rules are holding up and chuck them
straight into the Delete folder.

CC

I have run both AVG with the updated files, Trend Micro, Spybot, Adware, and
House Call, nothing. My system is clean.
I have done search of my system for the swen.dat, nothing. I can open
Regedit. My Internet works fine. What I was trying to say was that, even if
the Rules are working as intended, which I don't dispute, these specific
messages are ignoring them and downloading anyway.

But, I have already explained, and here it is like talking to someone who
hears you, but, is not listening due to lack of interest. It is much easier
to just chalk it up to lack of viable brain activity in the user, or their
inept skills and level of intelligence. I have also tested by switching back
and forth between Mailwasher and OE, and I can say this for the time being,
Mailwasher keeps these rogue messages at bay. But, as soon as I switch back
to OE, they start downloading past the Rule again. Maybe because Mailwasher
is not related to MS. ??

I have listened to, applied and followed-up with, all the suggestions,
recommendations, and contributions I have been provided with here on this
issue, as I have with yours, and regard all as a very viable part of my
research and documentation, to cover and assess as much information as I
can. That is why I came to this ng, to learn, to pick as many experienced
minds, and glean as many ideas as I can from those who are far more
knowledgeable and experienced than I. But, so far...well, most are too busy
cutting each other down or leg pulling. It's a cross between the Cheyenne
Social Club, Blazing Saddles and Star Wars. However, there are many here
whose minds are keen and their experience invaluable so I won't be deterred.

Then again...some Trolls can be fun, too...<vbg>

Thank you very much for your additional information, Peter, I am anxious to
learn as many troubleshooting and fact finding methods as I can. I truly
appreciate your time to help.

Best regards,
Jan :)
 
Bart Bailey

In Message-ID:<1apfb.40153$gv5.7744@fed1read05> posted on Fri, 3 Oct
I have also tested by switching back
and forth between Mailwasher and OE, and I can say this for the time being,
Mailwasher keeps these rogue messages at bay.

I have set and tested some filter rules in my email proggy (Agent) and
they work, but it's so much easier to have MW just query all accounts
and do the deed as needed.
Glad something's working for you.
I can provide MW specific filter rules if you like,
but if you've got it working, there's no need to confuse things.
 
Bart Bailey

In Message-ID:<[email protected]> posted on Fri, 3 Oct
I get HTML mails from friends of the family, so I accept HTML.
My sister even has some friends that send "Incredimail" crap.
Oh well, there's no accounting for taste I guess.

Shhh....
Don't let my AOL sister hear you, she hasn't heard of that yet.
Incredimail is just HTML taken to the extreme of tackiness.
Like having painted tire flower beds in the front yard.
 
FromTheRafters

Jan Il said:
Another test I ran was to set the Rule for From independently, and entered
the criteria, M, MS, Microsoft, as the keyword respectively, and each with
the setting of delete from server. Which does not involve the stop
processing. They still came through. ??

I wasn't intending to imply that you were unaware of how the
filters work, only that there are ways to isolate the problem
rule if there indeed was one.

Above you have reduced the problem to its simplest form. If
indeed the delete from server rule needs no stop processing
action (which all of the documentation I have read seems to
support), then the only conclusion I can come to is that the
filter is broken in some way. Either the filter logic itself, or the
mechanism by which it achieves a deletion from the server, is
not functional anymore.

Hmmm...have you tried a "do not download" action?
Is it just as ineffectual as the "delete from server" action?
This could show that the rule logic is working but that the
action isn't if one is effectual while the other isn't.

There is nothing that the worm can do to achieve this as the
filters are matching criteria to textual data only at that point.
 
Jan Il

Hi Bart -

Bart Bailey said:
In Message-ID:<1apfb.40153$gv5.7744@fed1read05> posted on Fri, 3 Oct


I have set and tested some filter rules in my email proggy (Agent) and
they work, but it's so much easier to have MW just query all accounts
and do the deed as needed.
Glad something's working for you.
I can provide MW specific filter rules if you like,
but if you've got it working, there's no need to confuse things.

I'm still experimenting, so yes, I would indeed be interested in having a go
at your filter rules for MW. You may have something I have not had a chance
to try yet.

Thank you very much.

Jan :)
 
Bart Bailey

In Message-ID:<dyqfb.40162$gv5.20015@fed1read05> posted on Fri, 3 Oct
I'm still experimenting, so yes, I would indeed be interested in having a go
at your filter rules for MW. You may have something I have not had a chance
to try yet.

Thank you very much.

Jan :)

emailed to what I hope is a valid addy <g>
 
Jan Il

Hi Rafter -

FromTheRafters said:
I wasn't intending to imply that you were unaware of how the
filters work, only that there are ways to isolate the problem
rule if there indeed was one.

No, I know you didn't, and that is not how I looked at it, I was just trying
to explain some of the tests that I have tried to determine how/where/why
this is happening. And only with just these certain messages, none of the
others are getting through. I am trying to determine what is different about
them that the Rule to delete them from the server does not work on just them and
that they can still download.
Above you have reduced the problem to its simplest form. If
indeed the delete from server rule needs no stop processing
action (which all of the documentation I have read seems to
support), then the only conclusion I can come to is that the
filter is broken in some way. Either the filter logic itself, or the
mechanism by which it achieves a deletion from the server, is
not functional anymore.

I can understand this, that is why I reduced the Rule to the most basic
information I could, one Rule, any message with an attachment; one action,
Delete from server; and one keyword, M, to make sure there was no confusion.
It would seem logical that if the Rule is working with other Swen messages
starting with M and have attachments, and does delete them from the server,
it should delete these others too, but, that is not happening. That is what I am
trying to find out, why. What is different about them, where, how do they
seem to avoid being deleted along with all the rest that the Rule does
delete. If none were being deleted, I would agree that the Rule function had
been broken or corrupted perhaps somehow, but, it is only failing with
certain messages.
Hmmm...have you tried a "do not download" action?
Is it just as ineffectual as the "delete from server" action?
This could show that the rule logic is working but that the
action isn't if one is effectual while the other isn't.

Yes, I deleted the first rule to make sure there would be no conflicts, then
used the same basic information as the first Rule. I selected the any
message with an attachment Rule; do not download action; and the same
keywords. This to make sure all the test information remained the same
except for the variation in action. Again, this rule worked on all messages
with attachments, except the certain messages, and they downloaded.

Another test; Deleted the second Rule, created a new one, again using the
same keyword, selected any message with attachment, but, this time selected
the Delete it action. This time, 'all' messages with attachments were sent
to the delete box.
I have webmail, and I can access my account through webmail and see what is
there before I open my OE. Plus, I sent myself messages with attachments
and specific wording in both the From and Subject lines to test, so I can
monitor what is and isn't being downloaded when I open my OE.
There is nothing that the worm can do to achieve this as the
filters are matching criteria to textual data only at that point.

True, and I don't argue any of your points. But, I just know what is
happening. I'm not a worm or virus scientist, and all I'm doing is trying to
troubleshoot and research the situation as best I can to find out why it's
happening.

I'll continue to monitor and see what happens. There is an answer, and if it
does turn out to be user ignorance, then I'll come back and post what the
mistake was so some other user doesn't make the same one. <g>

Thanks for your input and additional information, I really appreciate it.

Jan :)
 
Jan Il

Hi scoopdamedia -

scoopdamedia said:
You should update your Outlook Express so that it always asks permission
before downloading anything from Email or whatever.

Well..frankly, if I wanted to have to ask permission for every move I make
I'd have stayed married.

But, actually, with all the swarm of garbage going around, this would drive
me bonkers, although some may feel I've surpassed even that. However, I can
see that this would be a good idea should things return to some level or
normal. Although, I do get a lot of e-mails due to my personal business at
home in addition to my regular job. So, this might prove to be very
burdensome and time consuming.

Thank you for your suggestion, and I will give it a try when/if that worm
with the wanderlust finally finds a hole to its liking and settles down a
bit.

Jan :)
 
Gabriele Neukam

On that special day, Jan Il, ([email protected]) said...
Delete from server; and one keyword, M, to make sure there was no confusion.
It would seem logical that if the Rule is working with other Swen messages
starting with M and have attachments, and does delete them from the server,
it should these others too, but, that is not happening.

Aha. Does the header of the slipped-through message look like
this:

Return-Path: <[email protected]>
Received: from imsm033.netvigator.com ([219.76.116.130]) by
mailin04.sul.t-online.de
with smtp id 1A0Gj4-1MZ5W40; Fri, 19 Sep 2003 10:34:50 +0200
Received: (qmail 16398 invoked from network); 19 Sep 2003 08:33:26 -0000
Received: from pcd395148.netvigator.com (HELO marnrt) (203.218.185.148)
by imsm033.netvigator.com with SMTP; 19 Sep 2003 08:33:26 -0000
FROM: "Customer Assistance" <[email protected]>
TO: "Customer" <[email protected]>
SUBJECT: Newest Network Upgrade
Mime-Version: 1.0
X-Seen: false
X-Mailer: T-Online eMail 4.111
Date: 19 Sep 2003 14:04 GMT
Content-Type: multipart/mixed; boundary="ngbfqxohnpdwed"

This is a very rare specimen that I received on September 19th, which
doesn't contain the M-word in the "From:" line. This does happen,
although only once per one hundred mails, or so. Maybe *that's* the
problem.


Gabriele Neukam

(e-mail address removed)
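Two points from this thread can be simulated together: FromTheRafters' explanation that a whitelist "send to folder" rule without a "stop processing more rules" action silently forms a compound rule with a later "delete from server" rule, and Gabriele's observation that a From line with no Microsoft keyword simply never matches a From-keyword rule, while an attachment-based rule still catches it. This is an added example, constructed Python rather than code from the thread or from Outlook Express; the two sample messages, their addresses and the attachment names are placeholders, and the rule semantics are a model of the thread's description, not OE's real implementation.

```python
from dataclasses import dataclass
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from typing import Callable, Dict, List

# Constructed sample modelled on the header quoted above: the From line carries no
# "microsoft" keyword at all. Addresses and the attachment name are placeholders.
SLIPPED_THROUGH = """\
From: "Customer Assistance" <assistance@example.net>
Subject: Newest Network Upgrade
Content-Type: multipart/mixed; boundary="ngbfqxohnpdwed"

--ngbfqxohnpdwed
Content-Type: application/octet-stream; name="upgrade.dat"
Content-Disposition: attachment; filename="upgrade.dat"

AAAA
--ngbfqxohnpdwed--
"""

# Constructed: a legitimate message with an attachment from a whitelisted contact.
FROM_FRIEND = """\
From: "A Friend" <friend@example.com>
Subject: photos
Content-Type: multipart/mixed; boundary="zzz"

--zzz
Content-Type: image/jpeg; name="pic.jpg"
Content-Disposition: attachment; filename="pic.jpg"

AAAA
--zzz--
"""

@dataclass
class Rule:
    name: str
    matches: Callable[[EmailMessage], bool]
    action: str          # "move", "highlight", "delete_from_server", "do_not_download"
    stop: bool = False   # the "stop processing more rules" action

def parse(raw: str) -> EmailMessage:
    return message_from_string(raw, policy=default)

def has_attachment(msg: EmailMessage) -> bool:
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())

def from_contains(word: str) -> Callable[[EmailMessage], bool]:
    return lambda m: word.lower() in (m.get("From") or "").lower()

def evaluate(rules: List[Rule], msg: EmailMessage) -> List[str]:
    """Walk rules in order; each match adds its action until a 'stop' rule fires."""
    fired = []
    for rule in rules:
        if rule.matches(msg):
            fired.append(rule.action)
            if rule.stop:
                break
    return fired

def outcome(actions: List[str]) -> str:
    """An action that needs the body (move/highlight) forces a download even when
    another rule deletes the server copy: the inadvertent compound rule."""
    needs_body = any(a in ("move", "highlight") for a in actions)
    server_side = any(a in ("delete_from_server", "do_not_download") for a in actions)
    if needs_body and server_side:
        return "downloaded then deleted"
    if server_side:
        return "not downloaded"
    return "downloaded to folder" if needs_body else "downloaded to Inbox"

def run_scenarios() -> Dict[str, str]:
    whitelist = Rule("friend", from_contains("friend@example.com"), "move")
    whitelist_stop = Rule("friend", from_contains("friend@example.com"), "move", stop=True)
    attach = Rule("attach", has_attachment, "delete_from_server")
    ms_word = Rule("ms", from_contains("microsoft"), "delete_from_server")
    return {
        # whitelist without "stop processing": the delete rule still fires afterwards
        "friend, no stop": outcome(evaluate([whitelist, attach], parse(FROM_FRIEND))),
        "friend, stop": outcome(evaluate([whitelist_stop, attach], parse(FROM_FRIEND))),
        # a From-keyword rule has nothing to match in the rare specimen...
        "specimen, M-word": outcome(evaluate([ms_word], parse(SLIPPED_THROUGH))),
        # ...while a rule keyed on the attachment still catches it
        "specimen, attach": outcome(evaluate([attach], parse(SLIPPED_THROUGH))),
    }
```

Calling `run_scenarios()` gives one outcome per case; the two "specimen" entries show why a keyword rule and an attachment rule can disagree on the same message.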
 
