[OT] Virus bombardment

Hi

For a week now I have been receiving an average of 280 messages per day containing malicious messages asking me to install upgrades that are in fact viruses. This makes my use of email annoying at home and impossible on the road.

Faced with this deluge, I tried tracing the messages. The correlation with the addresses of the servers used by regular newsgroup users is amazing. I have clear cut sets of (if I may use the expression) AFW messages, FRBV messages and IHV messages. People I know on IHV that only subscribe to one group receive about a third of the number of messages I get.

Today I received four messages (they usually come in fours) with the usual SWEN virus from a not so clever sender that decided to put his target list in the "To:" header instead of Bcc. Wow! There we all are, Chris Lake, Ian Hoare, Bill Spohn, Mike Tommasi, Dick Neidich, Nils Lindgren, Mark Lipton and 50 others, the whole club !!!

Folks, I suspect we are being targeted. I wish I had used a dedicated email address instead of my main one...

Any solution to this, or do I have to give up using the internet ?

Mike not so OT as you can see

Reply to
Mike Tommasi

Mike,

I also am being bombarded with around 200 instances of Swen per day. I am reduced to checking email over telnet in a shell, deleting all bogus, then downloading only the good. It is rendering email virtually unusable. And I don't even use a Windows machine! :)

I have been unable to trace the source of the infection, and my ISP -- who effectively filters other spam -- will not filter these.

I noticed the same header today as you did, and was about to send the equivalent of your mail.

Any ideas anyone? (Besides change email address, of course).

-E

Reply to
Emery Davis

My newsreader distinguishes between "Public email" (= snipped-for-privacy@privacy.net) and "Private email" (pronay at and so on).

I recognize it's not 100 percent spam protective, but at least my private mail address is not to be seen on first sight.

M.

Reply to
Michael Pronay

Mike, for about 1-2 weeks I have been getting plenty of emails like this also. I contacted Earthlink and Microsoft and they indicated that the reason I was getting these was that I was in the address book of someone's computer that had the virus.

This might explain the source as I could not figure this out.

If this does not end shortly and run its course I will not cease using the internet but have to use a different email address. The regular one is getting too many inbound emails.

Thanks for sharing...until now I had no idea of the source.

Reply to
dick

For years, I posted on Usenet with my vanity site email address. I have become a poster boy for SPAM. I get 300 or so emails a day to fix my personal problems and loan me money. I have only received 1 virus message. Yours are more likely than not coming from people who have you on their MS Outlook mailing list, and are contaminated.

Get a good Anti spam program and set it at 10.

Stop using MS Outlook. Get Forte Agent and Eudora (both free, and both a superior product).

Go here:

formatting link
and get a cheap mailbox. Set their AntiSpam at 15.

Use and switch aliases when they become contaminated.

I know of noth>Hi

Reply to
gerald

Salut/Hi Mike Tommasi,

Quite a few others have answered this in more or less correct detail.

le/on Wed, 24 Sep 2003 09:49:51 +0200, tu disais/you said:-

My worst was one day where I have >400!!!

Interesting, I subscribe to some other NGs which is probably why I got more, when the flow was at its worst.

Well, blow me down! That's very odd indeed, as you'll see when I answer your point later.

In a sense, yes we are, but only in a sense.

Several possibilities some of them mentioned here.

OK. Here's what's going on. The worm Swen, like Gibe.C and several of the nastier recent viruses uses the address book of the infected computer to find targets. Therefore imagine that mine was the infected computer. Well, obviously you, Michael P, Chris and so on are all in my address book. If I were to use Outlook Express, (which is the only email client which can be infected by these worms - so far the Eudora address book hasn't been attacked) then the worm would send copies of itself to everyone in my address book. And it would therefore behave as if the list was being targeted, while in fact, they are a subset of the recipients. The From address is spoofed, unfortunately, so you can't just write to the "From" address to say, "clean out your computer".

As for what you can do. I use wanadoo, and my 1st line of defense solution is similar to Emery's. If I've not downloaded emails for a while I use the Wanadoo webmail function, and check through my list of incoming emails. I delete all emails of from 143k to 155k in size and that's got rid of all the viruses. Then, because I'm there, I check through manually (Eudora does it automatically) for nice messages inviting me to enlarge my vital organ, to get rich quick and so on. Then I leave Opera (my browser), fire up Eudora and download the remaining emails.

My second line is similar. If it's only been a few hours since I was online, I fire up Eudora. However I have set it up to reject all emails above 30k in size. This GREATLY speeds up downloading emails and of course rejects any with the virus, as well - of course - as any pictures that Tom S may send me, or other large emails! But my solution to that is easy. I ask them to send it again!

My third (and most important) line of defense is to keep a permanently updating Virus checker always active, checking anything that comes into the system.

So, no you don't need to abandon using email, but we all need to be careful.

OK, now for some more general advice.

Folks, Take note. Microsoft NEVER, EVER under any circumstances sends out emails with patches to be applied. So if you ever get one, delete it immediately as it will always, without exception be a virus.

Secondly, if by some mischance you did click on a message purporting to be a security patch from Microsoft, and if you're running windows, assume that you're infected. As Michael has correctly inferred, at least one of us has become infected, which is why we're all getting these bloody messages.

If that's the case, get "Stinger", which will disinfect your computer. Here is the appropriate advice from an expert on the anti-virus NG. His advice is partly aimed at someone on a network, but you should be able to extract useful info from it.

===============
>I'd start by downloading McAfee's Stinger removal tool, which hits a fairly

=============

It's vital that you bring the critical update up to date. A recent virus attacked a security breach that had a patch available 6 months ago.

It's vital that you run antivirus software, and keep it up to date.

Above all, NEVER, click on an attachment from ANYone even if you know them. And remember that Microsoft NEVER sends out emailed updates.

Lastly. Be aware that because 90% of windows machine users use Outlook Express, virus writers target it. It is safer to use other clients. Forte Agent will handle newsgroups brilliantly (as long as you only use one server), and email adequately. Eudora is an excellent email client. Both come in cost free versions, with enhanced capabilities if you buy them (not too costly).

Sorry folks if you don't use Windows, but there's no doubt that someone is infected. I suggest that if anyone reading this has clicked on any email purporting to contain an update or security patch, then you might like to take steps to get rid of this blessed bug!

Reply to
Ian Hoare

Salut/Hi Mike Tommasi,

As an update to my previous....

le/on Wed, 24 Sep 2003 09:49:51 +0200, tu disais/you said:-

This is what I just read on microsoft.public.security.virus.

So it looks as if this may also be what's happened.

Reply to
Ian Hoare

Mike Tommasi wrote in news: snipped-for-privacy@4ax.com:

Hi Mike and everyone else, one of the ways that Swen propagates is by harvesting newsgroup email addresses. Here is some info from the F- Secure website:

Spreading in e-mails and to newsgroups

The worm periodically scans HTML and ASP files on a hard drive and stores found e-mail addresses in the GERMS0.DBV file located in Windows folder. The worm also reads .EML, .DBX, .WAB, and .MBX files and fetches e-mail addresses from there. The worm does not fetch addresses containing 'delete' and 'spam' strings.

The worm also can search for e-mail addresses in various newsgroups. It connects to NNTP servers listed in the SWEN1.DAT file, gets a list of all newsgroups on that server and searches recent messages in these newsgroups for 'nfrom:' and 'nreply-to:' tags. When such tags are found, the worm gets e-mail addressed after them and writes them to the GERMS0.DBV file. This way the worm can harvest a lot of e-mail addresses to send itself to.

The worm can post its e-mails to newsgroups, the names of which it finds during searching process. The worm sends the same kind of messages as it sends via e-mail.

Unfortunately, there doesn't seem to be much one can do about it, except set your email filters to delete incoming mail with, oh, subjects and/or senders containing Microsoft or MS. I know there are ways of addressing this on the server level, there is a program called Mailwasher, but I've never investigated it as I don't have the ability to block on that level. Sorry not to have a better solution, and although it's lessened somewhat, my Yahoo addresses are still getting hammered. dei

Reply to
enoavidh


I have been getting about 130 a day. The only help I can offer is to assist in setting up a filtering rule in Outlook Express for those that use it. Outlook may be the same, I don't know. Having set up such a rule, I now get about 10 a day. It is not perfect but it is livable, at least.

In OE, go to Tools, Message Rules, Mail. Click New. In box #1, check off Where the From line, Where the To line and Where the Subject line. In box #2, check off Delete it from Server. In box #3, click on Contains People and add the following words, one at a time. Be sure to click Add each time......add any or all of the following that you are comfortable with...MS, Microsoft, Inet, Patch, Administrator, Upgrade, Failure. Lastly, you can rename the Rule in the last box to something more telling of its use.... like SWEN Filter. If you get occasional emails that legitimately contain some of those words (like upgrade or patch) then don't include that. Microsoft never sends emails but I notice that the virus headers keep changing, too.

Hope that someone finds this helpful.

Larry

Reply to
Larry B

"Ian Hoare" wrote

So, now we know why that name and why those posts to NG users.

Vilco

Reply to
Vilco (out)

Out of the 40,000+ newsgroups on Usenet, just us?

Reply to
Steve Grant

Dear Sir

Please note that you need to install Norton Anti Virus 2003 or 2004, because you are certainly infected. Don't open any of these emails. Just delete all.

After installing Norton, you will run the Live Update and Scan Virus, and Norton will detect and delete them.

If you continue to receive this virus, please don't reply and open any.

Search for one of the spam filters to block its address; you can find the sender in the properties of the message. Last chance, inform your friends and co-workers, and change your email.

have a nice day.

Mr Azevedo "Administrator Winescenter.com"

"Mike Tommasi" wrote in message news: snipped-for-privacy@4ax.com...

Reply to
PT Broker

Piker :) I was getting over a thousand.

Try setting up these four rules:

1) If it's from Microsoft, delete it from server;
2) If it's to you explicitly (for me, that's ACE1242 at concentric dot net), stop processing more rules;
3) If it's from , stop processing more rules;
4) For all messages, delete it from server.

Rule #1 is obvious, but probably not even necessary, because ...

Rule #2 might look counterintuitive, but the SWEN spam is never addressed explicitly to your email address. It's sent to an alias.

Rule #3 is necessary, because sometimes your friends (not to mention listserv's, Yahoo! groups, and the like) send mail to aliases and undisclosed-recipients lists. You have to add everybody one by one, but you don't have to type their names out. Just click on them from the Address Book ... dialog.

Rule #4 catches everything else.

With these four rules in place I have reduced my daily SWEN download count from over a thousand to *zero*. You still have to deal with mailbox size limits, but that's a separate matter between you and your ISP.

Reply to
Steve Grant
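The rule order from Steve Grant's post above, with Ian Hoare's size band and the subject keywords from Larry B's Outlook Express rule folded in, written out as a small standalone filter. This is an added illustration, not code from anyone in the thread; the addresses, the allow-list and the sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed values (not from the thread): my own address and the
# correspondents who may legitimately mail me via an alias or a list.
MY_ADDRESS = "me@example.invalid"
KNOWN_SENDERS = {"friend@example.invalid", "wine-list@example.invalid"}
# Subject words Larry B used in his OE rule; "MS" is left out because a
# substring match on it also hits ordinary words such as "messages".
SUSPECT_WORDS = ("microsoft", "patch", "upgrade", "administrator")
# Ian Hoare's observation: the worm's messages fall in a narrow size band.
SWEN_SIZE = range(143_000, 155_001)

def decide(raw: str) -> str:
    """Classify one raw RFC 822 message as 'keep' or 'delete'."""
    msg = message_from_string(raw)
    senders = [a.lower() for _, a in getaddresses(msg.get_all("From", []))]
    rcpts = [a.lower() for _, a in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    subject = (msg.get("Subject") or "").lower()
    # Rule 1: anything claiming to come from Microsoft, or carrying the
    # worm's subject vocabulary, is deleted; Microsoft never mails patches.
    if any("microsoft" in s for s in senders) or any(w in subject for w in SUSPECT_WORDS):
        return "delete"
    # Size rule: a message in the observed attachment band is deleted.
    if len(raw) in SWEN_SIZE:
        return "delete"
    # Rule 2: mail addressed explicitly to me is kept; Swen uses aliases.
    if MY_ADDRESS in rcpts:
        return "keep"
    # Rule 3: known correspondents are kept even when they mail an alias.
    if any(s in KNOWN_SENDERS for s in senders):
        return "keep"
    # Rule 4: everything else (alias-addressed, from strangers) is deleted.
    return "delete"

# Constructed sample resembling the worm's headers, for a quick self-check.
SAMPLE_WORM = ("From: MS Security Center <bulletin@example.invalid>\n"
               "To: undisclosed-recipients:;\n"
               "Subject: Latest Internet Security Upgrade\n\nInstall now.\n")

if __name__ == "__main__":
    print(decide(SAMPLE_WORM))
```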

Thanks for all the advice and commiserating.

I have MacAfee online virus check, with almost daily updates, and my machines are clean, but still, this whole thing is a pain...

Mike

Reply to
Mike Tommasi

Mike, As others have ably explained, this SWEN worm propagates in part by harvesting addresses from Usenet using free news servers. I just looked in on alt.free.newsservers and see that the people running them are scrambling to evade SWEN's attentions, as it constitutes an effective distributed Denial of Service attack on their servers. Hopefully, as this happens the e-mails will begin to subside. In the mean time, as others have noted, you can install filters to remove all traffic with "Microsoft" and related terms in the subject. At least, you can unless you expect real correspondence from Microsoft...

Mark Lipton

p.s. I'm still getting some sobig viruses as well, conveniently flagged for me with "Highest" priority.

Reply to
Mark Lipton

Mike Tommasi wrote:
: Hi

: For a week now I have been receiving an average of 280 messages per
: day containing malicious messages asking me to install upgrades that
: are in fact viruses. This makes my use of email annoying at home and
: impossible on the road.

: Faced with this deluge, I tried tracing the messages. The correlation
: with the adresses of the servers used by regular newsgroup users is
: amazing. I have clear cut sets of (if I may use the expression) AFW
: messages, FRBV messages and IHV messages. People I know on IHV that
: only subscribe to one group receive about a third of the number of
: messages I get.

: Today I received four messages (they usually come in fours) with the
: usual SWEN virus from a not so clever sender that decided to put his
: target list in the "To:" header instead of Bcc. Wow! There we all are,
: Chris Lake, Ian Hoare, Bill Spohn, Mike Tommasi, Dick Neidich, Nils
: Lindgren, Mark Lipton and 50 others, the whole club !!!

: Folks, I suspect we are being targeted. I wish I had used a dedicated
: email address instead of my main one...

Mike --

you're not alone, and I don't think we (afw) are either. Since our email addresses are public and searchable/obtainable thru Google now, I suspect it's pretty easy for someone to target those emails. I've noticed an uptick in SPAM recently too, to something on the order of between 250-300 mails a day. If we have a consolation, there is the afterlife, where these propagators will surely rot in hell :)

Mark S

Reply to
<mjsverei

We contacted our ISP and told them about the problem. We were getting all our mail returned (not virus related but full mailbox because of all the block sender emails going into the Spam filter). They showed us how to have the spam folder contents go straight to DELETE. We are still getting a half dozen or so. Maybe your ISP can help some of you.

The comment about our group being targeted might have some truth OR maybe someone in our group has had their computer infected (and doesn't know it) and these messages are being sent to everyone each time they send a post. ?????????? maybe??????

My wife is on several other NG and none of them are reporting this problem. Coincidence?????

Who knows.

Larry Stumpf, S. Ontario, Canada

Reply to
Larry

Think you've hit the nail (virus) right on the head Ian.

Larry Stumpf, S. Ontario, Canada

Reply to
Larry
