Virus massive attack

Haim Guivon

I was hit two days ago by an avalanche of emails, about 30 per day,
with subject lines of the type:

"user unknown",
"undeliverable mail",
"returned mail",

and so on.

Each has an attachment, containing the virus W32.Swen.A@mm. The attachment
always has a different name, and the extension is an executable (PIF, EXE,
COM).

As long as I have Norton and I'll never dream of clicking an attachment of
such a suspicious mail (let alone executing the file), I feel quite
protected.

What I want to ask is if:

Somebody has been hit like myself.
This is a global pandemic like the last attack of Sobig.
Somebody (this is scary) has kidnapped my email address.

Can you people help me?

Cordially,
haim

======================================================
 
Conor Turton

What I want to ask is if:

Somebody has been hit like myself.
This is a global pandemic like the last attack of Sobig.
Somebody (this is scary) has kidnapped my email address.

Can you people help me?

No, usually most people have been hit 2 to 3 times more than you have.
Your address hasn't been kidnapped.
 
Anthony Stokes

"Haim Guivon" wrote in message
I was hit two days ago by an avalanche of emails, about 30 per day,
with subject lines of the type:
"user unknown",
"undeliverable mail",
"returned mail",
and so on.

What I want to ask is if:
Somebody has been hit like myself.
This is a global pandemic like the last attack of Sobig.
Somebody (this is scary) has kidnapped my email address.
Can you people help me?
Cordially,
haim

Yes, this has been a global problem since about 19th September.
I'm continuing to get hundreds of these messages e-mailed to me each day.

I am simply deleting (at the server, before download to my PC) all e-mails
having attachments of between 143 and 159 KB in size.
That seems to slay the 'SWEN' virus very effectively, though obviously there
is a huge ongoing waste of resources if millions of these spoof e-mails are
reverberating around the world each day.
My ISP just passes everything on without any filtering at all. I was really
surprised that the v21 mail server just kept on working despite the barrage.
I suppose that after each subscriber's uncollected e-mails exceed a set
number of MB then anything more is just bounced back to the sender.

Ant.
 
Haim Guivon

This answer goes for both Conor and Anthony, who cared to answer my
question.

Thank you, fellows. I feel much relieved now. About bouncing the message
back, I don't think it is possible, because they use a fake, untraceable
return address. I do what Anthony says: I delete them at the server.

I agree that I can't understand how the ISP deals with this problem. I
suppose that when one's inbox becomes full (over quota), they simply delete
any new incoming message, including friendly ones.

Thanks anyway, and now, let's pray :)
haim

==========================================================


Conor Turton said:
No, usually most people have been hit 2 to 3 times more than you have.
Your address hasn't been kidnapped.
-----------------------------------------------------------------------------------
Anthony Stokes wrote:

Yes, this has been a global problem since about 19th September.
I'm continuing to get hundreds of these messages e-mailed to me each day.

I am simply deleting (at the server, before download to my PC) all e-mails
having attachments of between 143 and 159 KB in size.
That seems to slay the 'SWEN' virus very effectively, though obviously there
is a huge ongoing waste of resources if millions of these spoof e-mails are
reverberating around the world each day.
My ISP just passes everything on without any filtering at all. I was really
surprised that the v21 mail server just kept on working despite the barrage.
I suppose that after each subscriber's uncollected e-mails exceed a set
number of MB then anything more is just bounced back to the sender.

Ant
 
Zvi Netiv

Haim Guivon said:
I was hit two days ago by an avalanche of emails, about 30 per day,
with subject lines of the type:

"user unknown",
"undeliverable mail",
"returned mail",

and so on.

Welcome to the club. Seems that Netvision let these through to convince their
users to buy e-mail filtering services.

Each has an attachment, containing the virus W32.Swen.A@mm. The attachment
always has a different name, and the extension is an executable (PIF, EXE,
COM).

As long as I have Norton and I'll never dream of clicking an attachment of
such a suspicious mail (let alone executing the file), I feel quite
protected.

False sense of security. ;)

What I want to ask is if:

Somebody has been hit like myself.

Only those that use e-mail.

This is a global pandemic like the last attack of Sobig.

Swen is currently the most common worm, although it's on the decline.

Somebody (this is scary) has kidnapped my email address.

No need to worry about that, your address was just accidentally picked up on an
infected PC that has it in one of its cached files, or address book.

Can you people help me?

Quite easy. Get yourself Magic Mail Monitor 3, install, and add to it the plug-in
filter found in http://invircible.com/download/xswen4mmm.zip

Regards, Zvi
 
D McAuliffe

Haim Guivon said:
I was hit two days ago by an avalanche of emails, about 30 per day,
with subject lines of the type:

"user unknown",
"undeliverable mail",
"returned mail",

and so on.

Each has an attachment, containing the virus W32.Swen.A@mm. The attachment
always has a different name, and the extension is an executable (PIF, EXE,
COM).

As long as I have Norton and I'll never dream of clicking an attachment of
such a suspicious mail (let alone executing the file), I feel quite
protected.

What I want to ask is if:

Somebody has been hit like myself.
This is a global pandemic like the last attack of Sobig.
Somebody (this is scary) has kidnapped my email address.

Can you people help me?

Cordially,
haim

======================================================

Someone got infected with Swen and your email address was on their machine
(or if "loner@.." is a correct address for you, then it could have come from
a NewsGroup posting you've made) which the virus used as the From address
for its propagating emails. Since Swen looks at addresses in NGs, in
addition to looking in .dbx files amongst others, and those addresses may
have been munged in such a way as to create a bounced mail if used, these
are the bounces you are getting. You may be receiving two mail versions for
each bad recipient, in which case the 30 emails are "To" 15 separate
addresses.

I am interested in seeing examples of the "To" address, but don't expect you
to change your filters. If anyone can post examples, thanks. And if there
is anything looking like: (e-mail address removed) in
addition, thanks.
--

~~~~~~~~~~~~~~~~~~
Dave McAuliffe
<Central Mass> USA
To contact-
Replace: mailinator.com
with: email.com
~~~~~~~~~~~~~~~~~~
 
Rick Simon

I am interested in seeing examples of the "To" address, but don't
expect you to change your filters. If anyone can post examples,
thanks. And if there is anything looking like:
(e-mail address removed) in addition, thanks.


That particular address or any email address formulated in a similar
manner?
 
D McAuliffe

Rick Simon said:
That particular address or any email address formulated in a similar
manner?

Any address, including one (and only one) formulated in a similar manner.
I'm trying to determine if Swen keys off the @ sign when reading .dbx files;
I believe it only looks at the To and From when getting them from NNTP.
Another thing I'd like to determine, which I didn't ask in quite this way before,
is how many Swens are addressed to you vs. how many are bounces (and examples
of the bounced To addresses - that part is above).
--

~~~~~~~~~~~~~~~~~~
Dave McAuliffe
<Central Mass> USA
To contact-
Replace: mailinator.com
with: email.com
~~~~~~~~~~~~~~~~~~
 
Bart Bailey

In Message-ID:<[email protected]> posted on
Quite easy. Get yourself Magic Mail Monitor 3, install, and add to it the plug-in
filter found in http://invircible.com/download/xswen4mmm.zip

Hi Zvi;

Now that you're recommending MMM, I wonder if you are aware of any
precautions surrounding such use, in light of its addition to the Spybot
S&D "tracks" list?
http://www.safer-networking.org/
A recent poster's answer to my similar query was that it keeps what
might be considered potentially dangerous logs, from a security point of
view.
 
James Egan

Now that you're recommending MMM, I wonder if you are aware of any
precautions surrounding such use, in light of its addition to the Spybot
S&D "tracks" list?
http://www.safer-networking.org/
A recent poster's answer to my similar query was that it keeps what
might be considered potentially dangerous logs, from a security point of
view.

You appear to have a bee in your bonnet over this one. I'm not sure
why. The answer you got last time was a quote from the same site as
the url you posted.

The tracking you are referring to is a recent (configuration) file
list in case you want easy access to load different sets of filters at
different times.

It's not a big deal.


Jim.
 
Bart Bailey

In Message-ID:<[email protected]> posted on
You appear to have a bee in your bonnet over this one. I'm not sure
why.

Nope, just a basic curiosity.
Why would you take umbrage at my queries?

The answer you got last time was a quote from the same site as
the url you posted.

I guess, since this program is recommended by several people as a
screening tool in a newsgroup ostensibly oriented toward security,
I'm curious when a company, likewise oriented, selects said application
for scrutiny.

The tracking you are referring to is a recent (configuration) file
list in case you want easy access to load different sets of filters at
different times.

It's not a big deal.

Jim.

Your explanation sounds innocuous enough,
but then why is it listed at Spybot?
There are filter list options in Mailwasher too,
but it wasn't selected to be placed on a watch list.
 
James Egan

Nope, just a basic curiosity.
Why would you take umbrage at my queries?

I'm not taking umbrage at all. I have no problem with your queries.

I guess, since this program is recommended by several people as a
screening tool in a newsgroup ostensibly oriented toward security,
I'm curious when a company, likewise oriented, selects said application
for scrutiny.

Yes. They (spybot) must have decided to include everything which keeps
a recent history irrespective of how innocuous it is or what it is
for.

Your explanation sounds innocuous enough,
but then why is it listed at Spybot?
There are filter list options in Mailwasher too,
but it wasn't selected to be placed on a watch list.

It's a simple feature so that the configuration files appear on the
windows file menu. If Mailwasher Pro did that it would probably be on
spybot's hit list too.


Jim.
 
Gabriele Neukam

On that special day, Haim Guivon, ([email protected]) said...
Somebody has been hit like myself.

Many, but not many enough to cause alarm in the open public, because

This is a global pandemic like the last attack of Sobig.

this is a Usenet endemic. Swen collects addresses from random Usenet
groups and swamps them with double copies of itself, first a "cumulative
(insert current month) Microsoft patch" and then a fake bounce, which
makes use of the wrong MIME header vulnerability (so better not use an
Outlook (Express) of the 5.x generation before SP2).

I got them near the beginning of the outbreak, by the hundreds, on
an analog modem line. And if you look at my signature, you can see the
only thing that will help against the mail flooding done by Swen. It
leaves all addresses alone that contain the strings "spam" or "delete".


Gabriele Neukam

(e-mail address removed)
 
Bart Bailey

In Message-ID:<[email protected]> posted on
It's a simple feature so that the configuration files appear on the
windows file menu. If Mailwasher Pro did that it would probably be on
spybot's hit list too.

So MMM creates a data directory apart from the program folder?
(If I'm understanding you correctly)
I don't see where that would be any more of a liability than the data
that MW keeps within its program folder and in the registry of accounts
and login passwords.
 
Bart Bailey

In Message-ID:<[email protected]> posted on Mon, 20 Oct
I got them nearly in the beginning of the outbreak, by the hundreds, on
an analog modem line. And if you look at my signature, you can see the
only thing that will help against the mail flooding done by Swen. It
leaves all addresses alone that contain the strings "spam" or "delete".

I have munged my posting addy twice, this last time to conform to
DFN-CIS's (uni-berlin.de) preferences, yet still get swen sent to the
nethere addy that I used to use. Don't you still get it as residue from
before your munging?
 
James Egan

In Message-ID:<[email protected]> posted on


So MMM creates a data directory apart from the program folder?
(If I'm understanding you correctly)

It doesn't create a separate directory but I suppose you could create
one elsewhere if you wanted to and the config files would still appear
on the file menu.


Jim.
 
sulevani

I am simply deleting (at the server, before download to my PC) all e-mails
having attachments of between 143 and 159 KB in size.

Can you explain how?

Thank you!
 
Frans Meijer

Someone got infected with Swen and your email address was on their machine
(or if "loner@.." is a correct address for you, then it could have come from
a NewsGroup posting you've made) which the virus used as the From address
for its propagating emails. Since Swen looks at addresses in NGs, in
addition to looking in .dbx files amongst others, and those addresses may
have been munged in such a way as to create a bounced mail if used, these
are the bounces you are getting. You may be receiving two mail versions for
each bad recipient, in which case the 30 emails are "To" 15 separate
addresses.

The 'undeliverable message' bounces are guises of the virus itself, at
least those that I see. The message format is similar to Klez, I think
(or was it Yaha?): an <iframe> pointing to an attached executable with a
bad Content-Type MIME header.

The return-path (SMTP MAIL FROM) appears to be correct on most Swens,
that is, the address's domain matches the domain of the sending mail
server (most come through ISP mail relays).

I am interested in seeing examples of the "To" address, but don't expect you
to change your filters. If anyone can post examples, thanks. And if there
is anything looking like: (e-mail address removed) in
addition, thanks.

I've kept the results of the one day that I disabled the no-execs-here
filter, almost 600 swens. The string 'claranews' does not appear in this
collection.

Oh, if anyone replies by mail, use the reply-to, mainly because of swen
I have begun to automagically 'blacklist' any host that sends mail to
the from on my usenet posts. Mhh, looks like today was a busy day.
 
Bob Davis

I am simply deleting (at the server, before download to my PC) all e-mails
having attachments of between 143 and 159 KB in size.

Is there a way of doing this in OE6? The only size-related option is "Where
the message size is more than size."
 
Nick FitzGerald

Bob Davis said:
Is there a way of doing this in OE6? The only size-related option is "Where
the message size is more than size."

Sorry -- responding to Anthony Stokes' comments as I've not seen his post
on my news server yet...

Deleting those messages between 143KB and 159KB will miss all the Swen.B
and Swen.C variants where the .EXE has a size of 52,224 but otherwise is
essentially identical to the original Swen.A...
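Added example, not code posted by anyone in this thread: a Python script that puts Anthony's size-window rule (delete everything of 143 to 159 KB) beside a content rule built from the fake-bounce layout Frans and Gabriele describe (HTML body with an <iframe> pointing at an attached executable whose Content-Type is misdeclared), and runs both over constructed sample messages. The only figure taken from the thread is the 52,224-byte Swen.B/.C executable Nick quotes; the roughly 110 KB Swen.A executable size, KB taken as 1024 bytes, and all addresses, filenames and Content-IDs are assumptions, and the samples are constructed here rather than real captures.

```python
"""Classify Swen-style worm mail: a size-window rule vs. a content rule.

Added example, not code from the thread. Sample messages are constructed
below; the only figure taken from the thread is the 52,224-byte executable
size of Swen.B/.C. The ~110 KB Swen.A executable size, the addresses,
filenames and Content-IDs are assumptions.
"""
import os
import re
from dataclasses import dataclass
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXTENSIONS = {".exe", ".pif", ".com", ".scr", ".bat"}
# Anthony's server-side rule: drop anything between 143 and 159 KB (KB = 1024 bytes here).
SIZE_WINDOW = (143 * 1024, 159 * 1024)
# Content-Type main types under which an executable attachment is clearly misdeclared.
NON_EXEC_MAINTYPES = {"audio", "image", "text", "video"}
# <iframe src="cid:..."> in the HTML body, the hook used to auto-load the attachment.
IFRAME_CID = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?cid:([^\"'\s>]+)", re.I)


def build_sample(kind: str, payload_size: int) -> bytes:
    """Construct a sample message (not a real capture).

    'bounce' mimics Swen's fake 'undeliverable mail': an HTML body whose
    <iframe> points at an attached .pif that is misdeclared as audio/x-wav.
    'benign' is an ordinary mail carrying a PDF of comparable size.
    """
    msg = EmailMessage()
    msg["From"] = "postmaster@example.net"   # forged sender (assumed address)
    msg["To"] = "victim@example.org"         # assumed address
    if kind == "bounce":
        msg["Subject"] = "Undeliverable mail: user unknown"
        msg.set_content(
            "<html><body>Returned mail: user unknown. Original message attached.\n"
            '<iframe src="cid:part1@example.net" width="0" height="0"></iframe>\n'
            "</body></html>\n",
            subtype="html",
        )
        msg.add_attachment(b"MZ" + bytes(payload_size - 2), maintype="audio",
                           subtype="x-wav", filename="ygbfq.pif",
                           cid="<part1@example.net>")
    else:
        msg["Subject"] = "Meeting minutes"
        msg.set_content("Minutes attached.")
        msg.add_attachment(b"%PDF-1.4" + bytes(payload_size - 8),
                           maintype="application", subtype="pdf",
                           filename="minutes.pdf")
    return msg.as_bytes()


@dataclass
class Verdict:
    size: int
    size_window_hit: bool       # what the 143-159 KB rule would delete
    exec_attachment: bool       # attachment with a PIF/EXE/COM/SCR/BAT extension
    misdeclared_type: bool      # that executable labelled audio/image/text/video
    iframe_to_attachment: bool  # HTML <iframe> targets an attachment's Content-ID

    @property
    def swen_like(self) -> bool:
        return self.exec_attachment and (self.misdeclared_type or self.iframe_to_attachment)


def classify(raw: bytes) -> Verdict:
    """Parse one RFC 822 message and evaluate both rules on it."""
    msg = message_from_bytes(raw, policy=policy.default)
    exec_att = misdeclared = False
    attachment_cids, iframe_targets = set(), set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            if os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS:
                exec_att = True
                if part.get_content_maintype() in NON_EXEC_MAINTYPES:
                    misdeclared = True
            cid = part.get("Content-ID", "").strip("<>")
            if cid:
                attachment_cids.add(cid)
        elif part.get_content_type() == "text/html":
            iframe_targets.update(IFRAME_CID.findall(part.get_content()))
    size = len(raw)
    return Verdict(size, SIZE_WINDOW[0] <= size <= SIZE_WINDOW[1], exec_att,
                   misdeclared, bool(attachment_cids & iframe_targets))


SAMPLES = {
    "swen_a": build_sample("bounce", 110_000),   # assumed Swen.A-sized executable
    "swen_bc": build_sample("bounce", 52_224),   # Swen.B/.C executable size from the thread
    "benign": build_sample("benign", 112_000),   # legitimate PDF in the same size band
}


def compare_rules() -> dict:
    """Return {label: (size_window_hit, swen_like)} for every sample."""
    out = {}
    for label, raw in SAMPLES.items():
        v = classify(raw)
        out[label] = (v.size_window_hit, v.swen_like)
    return out


if __name__ == "__main__":
    for label, (size_hit, content_hit) in compare_rules().items():
        print(f"{label:8s} size-window hit: {size_hit!s:5}  content rule hit: {content_hit}")
```

Run it and the size window catches the Swen.A-sized sample but also the legitimate PDF of about 150 KB (a false positive), while it passes the 52,224-byte variant straight through, which is Nick's point; the content rule flags both worm samples and leaves the PDF alone. A POP3 LIST gives the octet count for the size rule without downloading anything, but the content rule needs the message itself, so it belongs in a filter that runs after RETR (or a TOP with enough lines to reach the attachment headers).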
 
