W32.Swen

john

I got the Swen internet e-mail virus.

I have a few questions about this #@$%&? thing.
I reformatted my hd and reinstalled a clean copy of win2000 and before even
logging onto the internet I installed McAfee with all its update DAT files.
But still it comes. Who is sending this to me and how does it work. If it's
being sent through internet providers couldn't it be cleaned and stopped?

If anyone has some of these answers I would surely appreciate it.

John
 
sulevani

I have the same problem (W32.Swen.A@mm) and sorry to say it seems that no
one here can help you avoid it.
 
D McAuliffe

john said:
> I got the Swen internet e-mail virus.

I assume you became infected rather than just receiving a copy of the email.

> I have a few questions about this #@$%&? thing.
> I reformatted my hd and reinstalled a clean copy of win2000 and before even
> logging onto the internet I installed McAfee with all its update DAT files.
> But still it comes. Who is sending this to me and how does it work.

http://www.f-secure.com/v-descs/swen.shtml
If you are receiving bounced emails, that would indicate that another user
is infected and their infection has put your name in the From address being
sent from that machine. If you're only getting copies addressed to you,
someone infected has your address on their machine, or from a NG if you have
recently posted using your correct address. Once infected, the code gets
addresses from several sources including address book, mail files, and NGs.

> If it's being sent through internet providers couldn't it be cleaned and
> stopped?

My thoughtful ISP, ATT, has blocked exe and other executables from being
sent out as attachments - but not inbounds. I have read that some people
are using a program like http://www.mailwasher.net/ to filter the mails at
the server level. I suggest taking the time to send complaints to
abuse@____, even if it is only for a sampling when the first header (bottom
to top) appears to be from the same source.

> If anyone has some of these answers I would surely appreciate it.
>
> John

--

~~~~~~~~~~~~~~~~~~
Dave McAuliffe
<Central Mass> USA
To Email-
Replace: mailinator.com
with: email.com
~~~~~~~~~~~~~~~~~~
 
Zvi Netiv

D McAuliffe said:
> I assume you became infected rather than just receiving a copy of the email.

> stopped?
>
> My thoughtful ISP, ATT, has blocked exe and other executables from being
> sent out as attachments - but not inbounds. I have read that some people
> are using a program like http://www.mailwasher.net/ to filter the mails at
> the server level.

MailWasher, or Magic Mail Monitor 3 (MMM3). The latter has a filter feature
that can run automatically, but is limited to POP3 mail accounts, only
(MailWasher handles hotmail types as well).

> I suggest taking the time to send complaints to
> abuse@____, even if it is only for a sampling when the first header (bottom
> to top) appears to be from the same source.

IMO, it's a waste of time.

Regards, Zvi
 
John Coutts

> If you are receiving bounced emails, that would indicate that another user
> is infected and their infection has put your name in the From address being
> sent from that machine. If you're only getting copies addressed to you,
> someone infected has your address on their machine, or from a NG if you have
> recently posted using your correct address. Once infected, the code gets
> addresses from several sources including address book, mail files, and NGs.

*********************
Quite possible, but I have not encountered it yet!
*********************

> My thoughtful ISP, ATT, has blocked exe and other executables from being
> sent out as attachments - but not inbounds. I have read that some people
> are using a program like http://www.mailwasher.net/ to filter the mails at
> the server level. I suggest taking the time to send complaints to
> abuse@____, even if it is only for a sampling when the first header (bottom
> to top) appears to be from the same source.

**********************
The Swen virus always seems to be sent through legitimate mail servers in
pairs. When the virus first appeared on the scene, I was getting about 500/day.
Now it is down to around 100/day. If you examine the source header, you will
likely find that every pair originates from a different IP address, and
possibly routed through different mail servers.

Of the 120 that I received on the 20th, all were sent through legitimate mail
servers, and each one was used no more than twice (some only once). Blocking
that many different servers is out of the question, so the only alternative is
to block it based upon content. From day one, our filtering service has blocked
every one of these, and every day there are about half a dozen messages from
mail servers where it was blocked at source.

J.A. Coutts
Systems Engineer
MantaNet/TravPro
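
The bottom-to-top header check and the content-based blocking discussed in the posts above, as an added example that is not code from any poster in this thread. The function names, the extension block list and the sample messages are assumptions constructed for illustration; matching on attachment extension stands in for whatever content rule a real filter applies.

```python
import os
import re
from collections import Counter
from email import message_from_string

# Assumed block list of executable extensions; adjust to local policy.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat"}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def origin_ip(msg):
    """IP in the earliest Received header (the bottom one in the raw source).
    Hops below the first server you trust can be forged, so treat it as a lead."""
    for hdr in reversed(msg.get_all("Received") or []):
        m = IP_RE.search(hdr)
        if m:
            return m.group(1)
    return None

def executable_attachments(msg):
    """Filenames of MIME parts whose extension is on the block list."""
    names = (part.get_filename() for part in msg.walk())
    return [n for n in names if n and os.path.splitext(n)[1].lower() in BLOCKED_EXT]

def triage(raw_messages):
    """Return (Message-IDs to block on content, message count per origin IP)."""
    blocked, per_ip = [], Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        per_ip[origin_ip(msg)] += 1
        if executable_attachments(msg):
            blocked.append(msg["Message-ID"])
    return blocked, per_ip

def sample(msg_id, ip, filename):
    # Constructed test message: example hostnames, documentation-range IPs.
    return (
        "Received: from mx.isp.example (mx.isp.example [192.0.2.1]) by mail.local.example\n"
        f"Received: from user-pc (unknown [{ip}]) by mx.isp.example\n"
        f"Message-ID: <{msg_id}@example>\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nsee attachment\n"
        "--b1\nContent-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{filename}"\n\nAAAA\n--b1--\n'
    )

SAMPLES = [sample("1", "198.51.100.7", "patch.exe"),
           sample("2", "198.51.100.7", "Update.EXE"),
           sample("3", "203.0.113.9", "notes.txt")]
if __name__ == "__main__":
    print(triage(SAMPLES))
```

The per-IP counter shows why blocking by source does not scale when each origin appears only once or twice, while the content rule catches every sample that carries an executable regardless of which server relayed it.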
 
Beauregard T. Shagnasty

john pounced upon this pigeonhole and pronounced:
> I got the Swen internet e-mail virus.

There is some question about what you mean by the above. Do you mean
A) your anti-virus program screamed "SWEN!" or
B) do you mean you received an email with the deadly attachment?

> I have a few questions about this #@$%&? thing.
> I reformatted my hd and reinstalled a clean copy of win2000 and before even
> logging onto the internet I installed McAfee with all its update DAT files.

If "A", now that you've reinstalled your OS, do be sure to go to Windows
Update and fully patch your system.

If "B" said:
> But still it comes. Who is sending this to me and how does it work. If it's
> being sent through internet providers couldn't it be cleaned and stopped?

So you're receiving virus-laden emails. Just delete them. Most ISPs are
not interested in finding new and intriguing ways to block email (other
than spam).

> If anyone has some of these answers I would surely appreciate it.

Read this group for the many threads about Swen and filtering.
 
D McAuliffe

John Coutts said:
says... NGs.


*********************
Quite possible, but I have not encountered it yet!
*********************

Hi John,
Encountered what yet? There were multiple points.
--

~~~~~~~~~~~~~~~~~~
Dave McAuliffe
<Central Mass> USA
To Email-
Replace: mailinator.com
with: email.com
~~~~~~~~~~~~~~~~~~
 
