WARNING !!!

Will

I just got an Email. It looked identical to an Email from Microsoft. It claims
to be about a network security patch. There is no need to click on anything;
it infects your computer as soon as you receive it. Below are the details:

Win32:Swen
is a worm, spreading through e-mail, shared folders, Kazaa P2P network and
IRC. It switches off antiviral and personal firewall software on the
infected computers.
It fakes the "From:" field in the infected e-mails. The worm length is
106496 bytes. When run, the worm copies itself to the %WINDIR% folder
(%WINDIR% is a system variable containing the name of the Windows folder,
usually C:\Windows or C:\WinNT) as a randomly named file. It creates files
named germs0.dbv, swen1.dat and %COMPUTERNAME%.bat (%COMPUTERNAME% is a
system variable containing the computer name) in the %WINDIR% folder. It
searches for a number of antiviral and personal firewall programs on the
infected computer and tries to stop the programs it finds. It makes changes to
the registry database:

It creates a randomly named item in the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, with a
value referring to the worm file in %WINDIR%. This item ensures the
worm is started with Windows.

It sets the value of the DisableRegistryTools item in the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
key to "1". Thus, Windows registry database editing is disabled.
The "default" item in the HKEY_LOCAL_MACHINE\Software\CLASSES\ key subkeys
batfile\shell\open\command
comfile\shell\open\command
exefile\shell\open\command
piffile\shell\open\command
regfile\shell\open\command
scrfile\shell\open\command
is modified so that the worm is always run before any file with a bat, com,
exe, pif, reg or scr extension is run.
It creates a randomly named subkey in the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\. In
the subkey these items are always created:
CacheBox Outfit="yes"
Installed="...by Begbie"
Install Item=the item from the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key
Unfile=randomly generated name of a file, containing the reference to the
%ComputerName%.bat file
These items might exist:
Email Address=the user e-mail address, obtained from the registry database
Mirc Install Folder=the folder where the MIRC system resides
Server=the SMTP server IP address obtained from the registry database
ZipName
If the Kazaa P2P system is installed, the worm adds the items

Dir99= 012345:"the Kazaa shared folder name"
DisableSharing="0"

to the key HKEY_CURRENT_USER\Software\Kazaa\LocalContent.

The running worm checks whether a registry database editor is running. If so,
the worm displays an error message and disables the editor. Periodically, a
"MAPI32 Exception Error" window is displayed. The window demands input of
the mail account parameters - SMTP and POP3 server address, account name and
password, user's nickname. This is the MAPI32 Exception Error window:
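
A triage check for the registry changes listed in the description above, added here as an example and not part of the original post or of any vendor tool. It scans the text of a .reg export (assumed already decoded to a string) for the modified shell\open\command handlers, the DisableRegistryTools policy and the "...by Begbie" marker subkey. The stock handler values, the function names and the sample export are assumptions constructed for illustration.

```python
import re

# Assumed stock "(Default)" values for <class>\shell\open\command; confirm
# against a clean machine of the same Windows version before relying on them.
EXPECTED = {"batfile": '"%1" %*', "comfile": '"%1" %*', "exefile": '"%1" %*',
            "piffile": '"%1" %*', "regfile": 'regedit.exe "%1"',
            "scrfile": '"%1" /S'}
CLASSES = r"HKEY_LOCAL_MACHINE\Software\CLASSES"
POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
EXPLORER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer" + "\\"

# Constructed sample export (not taken from a real infected machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="C:\\WINDOWS\\example.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\abcdef]
"Installed"="...by Begbie"
'''

def parse_reg(text):
    """Parse .reg export text into {lowercased key path: {name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
            current[name.strip('"')] = data
    return keys

def swen_indicators(reg_text):
    """Return findings for the registry changes listed in the description."""
    keys, hits = parse_reg(reg_text), []
    for cls, good in EXPECTED.items():
        vals = keys.get(f"{CLASSES}\\{cls}\\shell\\open\\command".lower(), {})
        if vals.get("@", good).lower() != good.lower():
            hits.append(f"{cls} open command modified: {vals['@']}")
    if keys.get(POLICY.lower(), {}).get("DisableRegistryTools") == "dword:00000001":
        hits.append("DisableRegistryTools is set to 1")
    for path, vals in keys.items():
        if path.startswith(EXPLORER.lower()) and vals.get("Installed") == "...by Begbie":
            hits.append(f"marker subkey: {path}")
    return hits
```

Real exports from regedit are usually UTF-16, so decode the file before passing its text to `swen_indicators`.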
 
Alexander Suhovey

Frank said:
<----------------snip-------------->

Microsoft never sends security alerts with emails.
Never.
Frank

Well, the important missing part is "unsolicited". Because MS has all kinds
of notification options including MSN/Live Alerts (including e-mail option),
e-mail notifications and RSS feeds. You just have to subscribe to get them.
 
Jupiter Jones [MVP]

The Swen attachment on a Microsoft Email is a very old fraud, several years.
Microsoft NEVER sends Emails with attachments unsolicited.
 
Mark Gillespie

I just got an Email. It looked identical to an Email from Microsoft. It
claims to be about a network security patch. There is no need to click on
anything; it infects your computer as soon as you receive it. Below are
the details:

Win32:Swen

If you managed to get SWEN by simply viewing the message, then your system
is SERIOUSLY out of date, as this was patched well over a year back, if
not longer, pre-SP2 in fact...

Once you get this thing off your system, get SP2 on it ASAP, along with
the latest updates from Windows Update...

Additionally, you might want to pick an inherently secure
browser/email/newsgroup reader: http://www.opera.com
 
Chad Harris

Let's clear this up. MSFT does not send attachments as Jones says and MSFT
does not send patches/hotfixes that you directly click, never has and never
will ***unless you have contacted them for niche hot fixes. There are
hundreds of MSKBS for this practice* and after screening your need for the
niche hotfix mentioned in the MSKB at http://support.microsoft.com , (those
say "contact us") they will send you a niche hotfix for a particular
problem, always phrased in the KB with the caveat that they are
non-regression tested and they have a standard spiel they usually read on
the phone to warn you of this once again. They may or may not fix the
problem. It's software and they haven't been through the full panoply of
usual testing. These are then sent to your inbox as self extracting zip
files with passwords.

MSFT will often send security alerts days to two weeks before their monthly
notifications in these bulletins delivered by a variety of means as Technet
says.

http://www.microsoft.com/technet/security/bulletin/notify.mspx

Security Bulletin Search Webpage:
http://www.microsoft.com/technet/security/current.aspx

MSFT sends every one of these alerts using MSRC PGP digital signatures as
outlined here:

https://www.microsoft.com/technet/security/bulletin/pgp.mspx

A quote on PGP Signatures Used from MSFT:

"Verifying Our Digital Signature
Pretty Good Privacy (PGP) is an Internet standard for digitally signing and
encrypting e-mail and other documents. The Microsoft Security Response
Center (MSRC) uses PGP to digitally sign all security notifications.
However, it is not required to read security notifications, read security
bulletins, or install security updates. You can obtain the MSRC public PGP
key at the MSRC PGP Web page. Numerous third-party vendors produce
PGP-compatible applications for a variety of platforms, but Microsoft cannot
recommend the right solution for your environment."

Microsoft Technical Security Notifications
October 11, 2005

http://www.microsoft.com/technet/security/bulletin/notify.mspx?pf=true

Better protect your computing environment by keeping up to date on Microsoft
technical security notifications. Notifications are available in RSS,
instant message, mobile device, or e-mail format, and are always available
online at TechNet on the Security Bulletin Search Web page.

For Home and Consumers
Learn about newly released and re-released security bulletins. Select from
the following alerts:

E-mail: Security Newsletter for Home Users
Really Simple Syndication: Security At Home
Instant Messenger Alert: Security Update Summary Alerts
Web Site: New Security Information

Most viruses, trojans, and blended threats disguised as MSFT do not infect
you on just opening the email, but I'm sure some could. MSFT is usually
quick to publish them and while the particular virus has been used before in
a hoax, Will should post the entire header and send it to MSFT.

The information could be screen shot and copy pasted and sent to MSFT via
this link:
http://go.microsoft.com/?linkid=2028460

Very wrongly phrased. For years and years MSFT has always sent alerts again
alerts again alerts RR Welcome to Technet and MSFT for years. They have if
anything beefed up the number of ways to get them.

Security Bulletins are here:
http://www.microsoft.com/technet/security/current.aspx

CH
 
Chad Harris

Get it Straight! MSFT Has Sent "Alerts"/Multiple Ways With Emails for
Years

 
