I too have been receiving 100 swen emails per hour. How so many people have
my email address I do not know. I have been replying to them with an email
saying that they need to check their PCs vor viruses. You have to look up
the mime header for the true return address though. I have also posted
information on some newsgroups.
THIS IS NOT A SPAM EMAIL/NEWSGROUP POST. You may be unaware but there is a
new malicious virus going around that causes you to send out emails with
viruses. These emails will already have been sent to everyone on your
contact list/address book if you have it. Please urgently forward this
email to everyone on your contacts/address book so that they may check their
own PC. Do not worry about sending them the virus, you will have already
done so if you do have the virus! This is microsoft's report on this virus.
http://www.microsoft.com/security/antivirus/authenticate_mail.asp
The fact that you are sending out these virus infected emails indicates that
you probably have a virus on your PC that is automatically sending out
emails with viruses without your knowledge. You can verify below whether or
not you may have the virus. After reading this you should virus check your
PC with the latest anti virus definitions. If you do not have anti virus
software you should connect to the internet and click here Scan your PC for
viruses now!
http://click.linksynergy.com/fs-bin/click?id=jGkJDpd6dW0&offerid=50252.6&type=1&subid=0
Only email me if you wish more info and want to opt in to a mailing list.
----------------------------------------------------------------------------
----
Extract from Anti Virus companies regarding "W32.Swen.A@mm" worm.
NOTE: This threat was previously detected as Worm.Automat.AHB
Due to an increase in submissions, this has been upgraded W32.Swen.A@mm to
Category 3, as of 6:30pm Thursday, September 18, 2003. It is also rapidly
heading towards being a high risk.
W32.Swen.A@mm is a mass-mailing worm that uses its own SMTP engine to spread
itself.
The worm can arrive as an email attachment. The subject, body, and from
address of the email may vary. Some examples claim to be patches for
Microsoft Internet Explorer, or delivery failure notices from qmail.
This worm exploits a vulnerability in Microsoft Outlook and Outlook Express
in an attempt to execute itself when you open or even preview the email. If
you do not have anti virus software you should connect to the internet and
click here Scan your PC for viruses now!
Information and a patch for the vulnerability IF YOU DO NOT ALREADY HAVE THE
VIRUS can be found at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
however this will only protect you IF YOU DO NOT ALREADY HAVE THE VIRUS.
Install this patch after you confirm that you are clear of the virus.
Here is some information on what the virus does:
1. This virus attempts to trick you into installing it by pretending to be
a security vulnerability patch from Microsoft.
2. Upon executing it asks if you want to install the latest security
patch.
3. If you say no, it still installs itself but without your knowledge. If
you say yes then it displays messages that appear that it is installing an
update to windows.
4. Modifies the value:
"DisableRegistryTools" = "1"
in the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
TO PREVENT THE USER RUNNING REGEDIT ON THE COMPUTER (see below*)
5. Puts a copy of itself to %Windir% with a randomly generated filename.
6. Searches .html, .asp, .eml, .dbx, .wab, .mbx files on the computer for
email addresses.
7. Creates the file, %Windir%\Germs0.dbv, where it stores the email
addresses it has found.
8. Creates the file, %Windir%\Swen1.dat, where it stores a list of remote
news and mail servers.
9. Adds the following values to the registry:
"Server"="<The IP address of the SMTP server that the worm retrieves from
the registry>"
"Mirc Install Folder"="<location of mirc client on system>"
"Installed"="...by Begbie"
"Install Item"="<random>"
"Unfile"="<random>"
"CacheBox Outfit"="yes"
"ZipName"="<random>"
"Email Address"="<The current users email address that the worm retrieves
from the registry>"
to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\<rando
m set of letters>
10. So that it can run itself it adds a randomly named value to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
11. Modifies the registry keys:
HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
12. Checks the computer to find messages sent by itself and deletes them
so there is no trace that the PC has sent any virus infected emails.
How do you know if you've been infected?
Display of a series of dialog boxes
Unexpected termination of various security and anti-virus products.
Inability to run RegEdit on the victim's machine
*IF YOU CANNOT RUN REGEDIT ON YOUR PC YOU ARE PROBABLY INFECTED or this has
been turned off by your computer system administrator. If you are on a
network check with your system administrator.
Click <start>, Click <run>, type regedit and click <OK>. Registry editor
should run, it looks similar to windows explorer but has a name of Registry
Editor in the name bar at the top. If it has run ok then close it with the
X in top right. If the program ran ok this does not confirm that you are
not infected. It could mean that your registry may be corrupted and the
virus was unable to stop the program from running.
For further information visit Anti Virus now!
http://click.linksynergy.com/fs-bin/click?id=jGkJDpd6dW0&offerid=50252.6&type=1&subid=0