Swen being posted around newsgroups

[Keanu Reeves]

Just to let people no then p**sin fake microsoft emails with swen have
started to appear in everal newsgrouups
alt.binaries.videos.tv.shaggable-babes an a few others.Some people should
get a life and stop posting this kinda shit about grrrrrrr.Wish theyd catch
the bastards doing it to.Anyway for people member of the group above looked
out for the security update in this and other groups as its infected with
swen. Kind Regards Mat

 

[David H. Lipman]

Mat:

Some people should take the time to READ the description of the Swen !
http://vil.nai.com/vil/content/v_100662.htm

"Propagation via Newsgroups

The worm carries a compressed list of newsgroup servers. At run time, the list is
decompressed and written to a temp file. The worm uses the default newsgroup server from
the machine or one from the list to post messages to a randomly selected group. The message
is the same from the email propagation."

So an infected PC will post the Swen in a EXE file that is 106KB. This is NOT done by a
person, it's done by the worm !

It can also post a non-infectious version in a 1 byte ZIP file.

Dave

| Just to let people no then p**sin fake microsoft emails with swen have
| started to appear in everal newsgrouups
| alt.binaries.videos.tv.shaggable-babes an a few others.Some people should
| get a life and stop posting this kinda shit about grrrrrrr.Wish theyd catch
| the bastards doing it to.Anyway for people member of the group above looked
| out for the security update in this and other groups as its infected with
| swen. Kind Regards Mat
|
|

 

[Keanu Reeves]

Yeah i read all about that im just sayin although im getting em in me
email.I noticed the exact same emails appearin in some newsgroups with the
swen virus attached thats all. Regards mat

 

[Bart Bailey]

The worm carries a compressed list of newsgroup servers. At run time, the list is
decompressed and written to a temp file. The worm uses the default newsgroup server from
the machine or one from the list to post messages to a randomly selected group. The message
is the same from the email propagation."

So an infected PC will post the Swen in a EXE file that is 106KB. This is NOT done by a
person, it's done by the worm !

The Berlin Uni server doesn't pass binaries,
so I never see any of those infected postings.

 

[David H. Lipman]

The Microsoft News Groups have been inundated.

The forum microsoft.public.upnp has had almost nothing but Swen posts since 9/23.

Some are the 106KB EXE attachments (infectious) many are the 0byte ZIP file type
(non-infectious) but there have been *many* !

Dave

| In Message-ID:<[email protected]> posted on
| Thu, 02 Oct 2003 10:46:26 GMT, David H. Lipman wrote:
|
| >
| >The worm carries a compressed list of newsgroup servers. At run time, the list is
| >decompressed and written to a temp file. The worm uses the default newsgroup server from
| >the machine or one from the list to post messages to a randomly selected group. The
message
| >is the same from the email propagation."
| >
| >So an infected PC will post the Swen in a EXE file that is 106KB. This is NOT done by a
| >person, it's done by the worm !
|
| The Berlin Uni server doesn't pass binaries,
| so I never see any of those infected postings.
|
| --
|
| Bart

 

[scoopdamedia]

I could be wrong, but it seems to me that these newsgroup swen posts are
human engineered specifically for said newsgroup that the swen is posted to,
meaning that "human hands" are involved and also the new infusions of swen
are occurring, perhaps with some tweaking now or forthcoming for more danger
and damage.

 

[David H. Lipman]

And you are -- wrong.

Dave

| I could be wrong, but it seems to me that these newsgroup swen posts are
| human engineered specifically for said newsgroup that the swen is posted to,
| meaning that "human hands" are involved and also the new infusions of swen
| are occurring, perhaps with some tweaking now or forthcoming for more danger
| and damage.
| | > Mat:
| >
| > Some people should take the time to READ the description of the Swen !
| > http://vil.nai.com/vil/content/v_100662.htm
| >
| > "Propagation via Newsgroups
| >
| > The worm carries a compressed list of newsgroup servers. At run time, the
| list is
| > decompressed and written to a temp file. The worm uses the default
| newsgroup server from
| > the machine or one from the list to post messages to a randomly selected
| group. The message
| > is the same from the email propagation."
| >
| > So an infected PC will post the Swen in a EXE file that is 106KB. This is
| NOT done by a
| > person, it's done by the worm !
| >
| > It can also post a non-infectious version in a 1 byte ZIP file.
| >
| > Dave
| >
| > | > | Just to let people no then p**sin fake microsoft emails with swen have
| > | started to appear in everal newsgrouups
| > | alt.binaries.videos.tv.shaggable-babes an a few others.Some people
| should
| > | get a life and stop posting this kinda shit about grrrrrrr.Wish theyd
| catch
| > | the bastards doing it to.Anyway for people member of the group above
| looked
| > | out for the security update in this and other groups as its infected
| with
| > | swen. Kind Regards Mat
| > |
| > |
| >
| >
|
|

 

[FromTheRafters]

I could be wrong, but it seems to me that these newsgroup swen posts are
human engineered specifically for said newsgroup that the swen is posted to,

It evidently harvests subject lines.

meaning that "human hands" are involved and also the new infusions of swen
are occurring, perhaps with some tweaking now or forthcoming for more danger
and damage.

I don't think so myself. But you are probably correct that
this is not the last of the series.