#7
On Sun, 26 Oct 2003 01:55:43 +0100, Stig Arne Bye wrote:

Since September 19, I have so far received almost 5,500 e-mails with the W32.Swen.A@mm worm in the attachment (the fake Microsoft update patch), and I'm still receiving something about 100-150 every day.

Some time ago, I started to send abuse messages to the sender's ISP. However, I could have saved myself the hard work of locating the infected sender's ISP, and instead sent an alert message directly to the infected sender.

Here is a header sample from one of the latest Swen.A-infected e-mails I have received:

From - Sat Oct 25 21:42:16 2003
Return-Path:
Received: from vump (ti200720a149-0067.dialup.online.no [130.67.192.195])
    by mail41.fg.online.no (8.9.3p2/8.9.3) with SMTP id TAA23439;
    Sat, 25 Oct 2003 19:12:43 +0200 (CEST)
Date: Sat, 25 Oct 2003 19:12:43 +0200 (CEST)
Message-Id:
From: MS Net Email Delivery Service
To: Internet User
Subject: failure announcement

Both the "From:"-line and the "To:"-line contain fake e-mail addresses (that is quite obvious). However, the "Return-Path:"-line is NOT faked, i.e. the e-mail address found here is the _REAL_ e-mail address of the infected sender!

This is somewhat unlike other mass-mailing worms (e.g. Klez.H and Sobig.F) that fake every single e-mail address in the header so it's completely impossible to know the real sender without doing the trouble to send an abuse through the sender's ISP (if one is able to find out who the sender's ISP is).

Stig Arne Bye
E-mail ......:
Contact .....: AOL IM: VT480TFE / MSN: / ICQ: 403349
Snail-Mail ..: P.O.Box 169, NO-9915 Kirkenes, Norway
Homepage ....: http://home.online.no/~stigbye/index.html
------------------------------------------------------------------------
Located just about 70°N 30°E - Almost at the top of the world!

Stig,

I still get a few (about 5 or so) daily, but it has been reduced since I "munged" my email address. I noticed that you still post with an "open" address.

It is certainly your choice whether or not to "munge", but it is important to remember that every infected computer that visits this newsgroup, and any other newsgroup that you post in, will re-harvest your email address, and send you viro-mail.

I do not like the idea of "munging", but this infestation has been a serious problem. I have even considered killing my email address, and starting a new one.

Thank you for your efforts to track this virus. Maybe it is time to just "side step" it. Munging will work.

....carry on.

noah

To email me, please remove the "FISH" from the net.
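
The header fields the quoted post compares (Return-Path, From, and the Received line written by the receiving mail server) can be pulled out programmatically when preparing an abuse report. This is an added example, not part of either poster's message; the e-mail addresses in the sample are constructed placeholders, since the page's own were stripped, and `triage` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header quoted in the post. The relay host
# and IP are the ones shown on the page; the three e-mail addresses are
# placeholders (example.* domains), not values from the original message.
SAMPLE = """\
Return-Path: <sender@example.net>
Received: from vump (ti200720a149-0067.dialup.online.no [130.67.192.195])
\tby mail41.fg.online.no (8.9.3p2/8.9.3) with SMTP
\tid TAA23439; Sat, 25 Oct 2003 19:12:43 +0200 (CEST)
Date: Sat, 25 Oct 2003 19:12:43 +0200 (CEST)
From: MS Net Email Delivery Service <postmaster@example.com>
To: Internet User <user@example.org>
Subject: failure announcement

"""

# sendmail-style hop: "from HELO (reverse-dns [ip]) by receiving-host"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def triage(raw):
    """Return the envelope sender, the displayed From, and the connecting host."""
    msg = message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    shown = parseaddr(msg.get("From", ""))[1].lower()
    # Each relay prepends its own Received line, so the first one listed was
    # written by the recipient's own server; lines below it can be forged.
    hops = msg.get_all("Received") or []
    hop = HOP_RE.search(hops[0]) if hops else None
    return {
        "envelope_sender": envelope or None,
        "header_from": shown or None,
        "from_matches_envelope": bool(envelope) and envelope == shown,
        "relay_ip": hop.group("ip") if hop else None,
        "relay_rdns": hop.group("rdns") if hop else None,
        "received_by": hop.group("by") if hop else None,
        # A HELO name without a dot is a bare machine name, not a mail host.
        "helo_is_fqdn": bool(hop) and "." in hop.group("helo"),
    }

if __name__ == "__main__":
    for field, value in triage(SAMPLE).items():
        print(f"{field:22} {value}")
```

The relay IP and reverse-DNS name identify the ISP to contact even when every address in the header turns out to be unusable.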