Swen Worm

Netuser 58

Hello Newsreaders,
I made an important discovery about the Swen worm. As
everyone knows, it comes through a false Microsoft email pretending to
be an update patch or something similar. On the face of the message,
the attachment is listed as an exe or pif extension. I wanted a sample
of Swen, so I right clicked on the attachment, but was not given the
option to save it as a file. So I left clicked it (only to access it)
and I got the option to open the file or save it to disk. I chose save
to disk. When I made that choice I got the window that gives you the
choice where to save it AND in the file name box, the file was named
with the extension att - NOT exe or pif!! I have downloaded five
samples of Swen and they all had the att extension. Each one I
downloaded, I accessed it through windows explorer AND NO DETECTION!!

Then I added the extension att to my extension list and accessed it
again - this time my AV program gave me the virus prompt immediately,
identifying the file as Win32/Swen.

So, be sure to add the extension att to your extension list in your
"on access" scanner.

Netuser 58
 
Snowsquall

"Netuser 58" wrote
Hello Newsreaders,
I made an important discovery about the Swen worm. As
everyone knows, it comes through a false Microsoft email pretending to
be an update patch or something similar. On the face of the message,
the attachment is listed as an exe or pif extension. I wanted a sample
of Swen, so I right clicked on the attachment, but was not given the
option to save it as a file. So I left clicked it (only to access it)
and I got the option to open the file or save it to disk. I chose save
to disk. When I made that choice I got the window that gives you the
choice where to save it AND in the file name box, the file was named
with the extension att - NOT exe or pif!! I have downloaded five
samples of Swen and they all had the att extension. Each one I
downloaded, I accessed it through windows explorer AND NO DETECTION!!

When the scanner is set to autoprotect *all* extensions then it will alert
whether *.att is there or not.
I do not know of a program that will execute *.att anyway; either that
particular extension was put there for safety or some new process has been
developed to need that extension to execute. I think *.att is short for
attachment and was put there by some ISP along the way to keep the file from
executing...
 
Richard Kellerman

This W32.Swen.A@mm worm as you call it is ID'ed by NAV, Avast!, and CA's EZ
Armor software. The kiddie that launched it has hijacked OPEN SMTP servers
OCN.AD.JP, DION.AD.JP in Japan and TELE2.NO/SWIP.NET in Norway and Sweden
respectively. Fortunately RoadRunner caught it, so it didn't affect me too
much. I've e-mailed RR sysadmins and hopefully I can get these servers
blocked for OPEN SMTP.
 
Netuser 58

Snowsquall said:
When the scanner is set to autoprotect *all* extensions then it will alert
whether *.att is there or not.

True, if that is the choice you make. Some like it that way.
All AV programs generally give you the option to scan all files or just
program files and documents. I generally will scan all files only when I
do a complete system scan.
Scanning all files all the time most likely slows your system speed
considerably as I have found out in past experiences.


I do not know of a program that will execute *.att anyway;

There are two programs that have files of this extension, as I have
two .att files - one for each program. It appears that there would be
some connection between them and the .exe main program file. They are in
the same folder for each program.

either that
 
Netuser 58

True, if you have already opened the file.
Do remember, I downloaded the file in an unopened state, so the only
way I could detect it was by the att extension.
If you detect it with the att extension you will catch it before it
is opened.
 
Guest

Didn't you get hit by this bozo? In the last 10 days, I've gotten about 20
some e-mails where this twerp sent an attachment (most were *.EXE files).
This idiot has tried to infect my POP3, but because it's intercepted by
Symantec, the attachment is dropped. The problem is the mime64 encrypted
file embedded within the message. Avast! is catching the HTML.Mime.Exploit
virus and cleaning it. However, if I send a SPAM report to
abuse@<originating ISP>, I get a bounce back from the abuse desk saying that
the SPAM report is infected, when it's not. It's a hassle to delete the
mime64 encryption each and every time. I'm now employing SPAMCOP. Is
there any other way to get this bozo to stop. My ISP said that it's
impossible to block open relays. I've been using EZArmor's "block" feature,
but the next day he hijacks another RIPE or APNIC open relay. He started off
by relaying off of a JP site and now seems content with various European
RIPE relays. I believe that I may have gotten one RBL'ed, but he's got
several more to harass me with.
 
Don Taylor

no.spam said:
Didn't you get hit by this bozo? In the last 10 days, I've gotten about 20
some e-mails where this twerp sent an attachment (most were *.EXE files).
This idiot has tried to infect my POP3, but because it's intercepted by
Symantec, the attachment is dropped. The problem is the mime64 encrypted
file embedded within the message. Avast! is catching the HTML.Mime.Exploit
virus and cleaning it. However, if I send a SPAM report to
abuse@<originating ISP>, I get a bounce back from the abuse desk saying that
the SPAM report is infected, when it's not. It's a hassle to delete the
mime64 encryption each and every time. I'm now employing SPAMCOP. Is
there any other way to get this bozo to stop.

IF you and I can agree up front
BEFORE you start sending them to me, please don't just start
blasting them at me, I might mistakenly think you were the source of
the Swen mail and turn the cannon against you, on the details of this
AND you can send me the complete headers, so I can correctly report
them and have a fair chance of getting the abuse admin of the host
to sterilize his customer, with even a little bit of the file to show
that it was the old Swen again,
THEN I've agreed in the past to accept virus mail from some folks,
drop it into my automated Swen cannon, and I have had some folks
who were pretty happy with the reduction in the number of virus
mail they got after a period of time.

I don't care about whether there is mime structure in the mail,
in fact the fewer changes you make to the file the better, my
Swen cannon automatically strips the binaries and then inserts
a space between every two characters starting with "Content-T"
so that abuse admins who refuse all attachments, and who have
dumb filters that mistake any Content-T as a sign of an attachment
don't bounce what I throw at them, and they can still read it
to see what they spewed. It isn't limited strictly to Swen but
that's what I've spent the most work building the tools for.

I can't promise magic but I've had some success with the 53598
Swen virus mail that I've dealt with here.

No obligation, other than what we agree on up front.
I hesitate to claim credit but it looks like some of the biggest
toilets on the internet stopped spewing Swen after enough reports.

email address is valid, I BAIT Swen with it.
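An added example, not code from any poster in this thread, that exercises the two points raised above: Netuser 58's observation that a Swen attachment saved with an .att extension slips past an on-access scanner that only looks at "program" extensions, and Don Taylor's Swen cannon, which strips the binaries and breaks up "Content-T" before the report goes to an abuse desk. It is Python using only the standard library. The sample message (addresses, subject, the KB-style filename, the "MZ" stub bytes) is constructed here for the demo and is not a Swen capture; the single space after the hyphen in "Content- T" is an assumption, since Don does not spell out the exact spacing he inserts.

```python
"""Content-based attachment check and abuse-report sanitizer.

Added example for the Swen thread; not code from any poster.
The sample message is constructed below and carries no malicious code.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# A DOS/PE executable starts with "MZ" regardless of what it is named.
PE_MAGIC = b"MZ"


def build_sample_message() -> bytes:
    """Construct a Swen-style fake 'Microsoft update' mail whose binary
    attachment is named with an .att extension (per Netuser 58's finding).
    Every value here is made up for the demo."""
    msg = EmailMessage()
    msg["Received"] = ("from relay.example.invalid ([192.0.2.10]) "
                       "by mx.example.invalid; Tue, 23 Sep 2003 10:00:00 +0000")
    msg["From"] = "MS Security Center <update@example.invalid>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Latest Internet Security Update"
    msg.set_content("Install the attached patch to protect your computer.")
    # Minimal DOS-header stub: enough for the magic check, not a real PE.
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 20
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="Q353543.att")
    return msg.as_bytes()


def find_executable_attachments(raw: bytes) -> list[dict]:
    """Return every leaf MIME part whose *decoded* bytes begin with the
    PE/DOS magic, whatever the filename extension or content type claims.
    This is the check an extension-list scanner skips for .att files."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
        if body.startswith(PE_MAGIC):
            hits.append({"filename": name, "extension": ext,
                         "content_type": part.get_content_type(),
                         "size": len(body)})
    return hits


def sanitize_for_abuse_report(raw: bytes) -> str:
    """Keep all headers and the MIME skeleton, replace each non-text body
    with a one-line note, and put a space into every "Content-T" so that
    naive attachment filters at the abuse desk do not bounce the report.
    One space after the hyphen is assumed; the thread does not specify."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() == "text":
            continue
        size = len(part.get_payload(decode=True) or b"")
        # The part's headers (filename, content type) stay: they let the
        # abuse admin recognise the worm; the bytes themselves are dropped.
        del part["Content-Transfer-Encoding"]
        part.set_payload(f"[binary body of {size} bytes removed]\n")
    return re.sub(r"Content-T", "Content- T", msg.as_string())


if __name__ == "__main__":
    sample = build_sample_message()
    for hit in find_executable_attachments(sample):
        print("executable content in attachment:", hit)
    print(sanitize_for_abuse_report(sample))
```

Run it as a script to see the detection line for the .att attachment followed by the defanged report text; feed `find_executable_attachments()` a real message saved from a mail client to check what an extension list would have ignored.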
 
Guest

Don Taylor said:
IF you and I can agree up front
BEFORE you start sending them to me, please don't just start
blasting them at me, I might mistakenly think you were the source of
the Swen mail and turn the cannon against you, on the details of this
AND you can send me the complete headers, so I can correctly report
them and have a fair chance of getting the abuse admin of the host
to sterilize his customer, with even a little bit of the file to show
that it was the old Swen again,
THEN I've agreed in the past to accept virus mail from some folks,
drop it into my automated Swen cannon, and I have had some folks
who were pretty happy with the reduction in the number of virus
mail they got after a period of time.

I would like to submit them to you, if you can assist me in getting this
idiot to stop. If you can help, I would appreciate it. Instructions how to
e-mail will be at the end of this post. I must, for obvious reasons keep my
address munged. I'll let you initiate the contact. Tell me how you wish to
accept them. I can archive them in WinZip 9.0 format, in a standard
unencrypted file. Since some don't use 32-bit systems, although I do (XP
Home). For me WinZip 9.0 is the standard. If you wish I could also use
SnagIt to "capture" each in JPG format and ZIP them. Or try conventional
methods, forward a copy of each in one or more e-mails. I don't wish to
trip any filters or AV prog, so a JPG capture might be safest (avoids any
possible infection). I will inform you now that AFAIK, I'm harboring no
virii on my OS or any malware. I frequently scan my OS.
I don't care about whether there is mime structure in the mail,
in fact the fewer changes you make to the file the better, my
Swen cannon automatically strips the binaries and then inserts
a space between every two characters starting with "Content-T"
so that abuse admins who refuse all attachments, and who have
dumb filters that mistake any Content-T as a sign of an attachment
don't bounce what I throw at them, and they can still read it
to see what they spewed. It isn't limited strictly to Swen but
that's what I've spent the most work building the tools for.

I can't promise magic but I've had some success with the 53598
Swen virus mail that I've dealt with here.

No obligation, other than what we agree on up front.
I hesitate to claim credit but it looks like some of the biggest
toilets on the internet stopped spewing Swen after enough reports.

email address is valid, I BAIT Swen with it.

I was instructed that the best way to seek help is not to initiate contact,
since some posters do use bait addresses, such as yourself. I was told it
would save a flame. If you examine my headers in these incoming POP3
emails, you'll notice 2 things. 1) X-Virus-Scanned: Symantec AntiVirus Scan
Engine (a header put in at the POP3 server after the POP3 scans my incoming
mail). and 2) X-Antivirus: avast! (VPS 0433-1, 08/09/2004), Inbound message
X-Antivirus-Status: Clean (another header put in by my user side Avast
MailShield program, prior to the POP3 server delivery). These two headers
should be in almost all the e-mails, I re-installed Avast! when I saw that
the POP3 wasn't stopping the HTML.Exploit virus. All the latest e-mails I
got will have both headers in them. There should be no explanation there.
I also set up OE6 for text only, for both NGs (obviously) and for e-mails.
I run another identity for my HOTMAIL account that remains HTML for e-mail.
So if you wish to send me instructions by e-mail, my address is below.

Thanks,
Rich

[email protected]
(strip away both numerical sequences)
 
