#1
Stig Arne Bye

Are you still bothered with the W32.Swen.A@mm worm?

Since September 19, I have so far received almost 5,500 e-mails with the
W32.Swen.A@mm worm in the attachment (the fake Microsoft update patch),
and I'm still receiving something like 100-150 every day.

Some time ago, I started to send abuse messages to the sender's ISP.
However, I could have saved myself the hard work of locating the infected
sender's ISP, and instead sent an alert message directly to the infected
sender.

Here is a header sample from one of the latest Swen.A-infected e-mails I
have received:

From - Sat Oct 25 21:42:16 2003
Return-Path:
Received: from vump (ti200720a149-0067.dialup.online.no [130.67.192.195])
by mail41.fg.online.no (8.9.3p2/8.9.3) with SMTP id TAA23439; Sat, 25 Oct 2003 19:12:43 +0200 (CEST)
Date: Sat, 25 Oct 2003 19:12:43 +0200 (CEST)
Message-Id:
From: MS Net Email Delivery Service
To: Internet User
Subject: failure announcement

Both the "From:"-line and the "To:"-line contain fake e-mail addresses
(that is quite obvious).

However, the "Return-Path:"-line is NOT faked, i.e. the e-mail address
found here is the _REAL_ e-mail address of the infected sender!

This is somewhat unlike other mass-mailing worms (e.g. Klez.H and
Sobig.F) that fake every single e-mail address in the header, so it's
completely impossible to know the real sender without going to the trouble
of sending an abuse report through the sender's ISP (if one is able to find
out who the sender's ISP is).



Stig Arne Bye

E-mail ......:
Contact .....: AOL IM: VT480TFE / MSN:
/ ICQ: 403349
Snail-Mail ..: P.O.Box 169, NO-9915 Kirkenes, Norway
Homepage ....:
http://home.online.no/~stigbye/index.html
------------------------------------------------------------------------
Located just about 70°N 30°E - Almost at the top of the world!

#2
Josh Assing

Actually; the return-path is also spoofed.
I've seen plenty where the "IP" address of the sending computer is nothing like
the return-path's domain...

online.no has been so infected, that we blocked all of their IP's from sending
to us until this virus thing calms down....

On Sun, 26 Oct 2003 01:55:43 +0100, Stig Arne Bye wrote:


#3
Stig Arne Bye

Josh Assing wrote:

Actually; the return-path is also spoofed.
I've seen plenty where the "IP" address of the sending computer is nothing like
the return-path's domain...


I don't deny that the "Return-Path"-line could be faked in some cases,
but there are still some facts he

1. I have stored all headers from the roughly 5,500 infected e-mails I
have received (after Norton AntiVirus(TM) has removed the infected
attachment, of course).
When examining and sorting _all_ headers (I even wrote a small
program for that), I have noticed that whenever an infected e-mail
appears to come from the same sender, i.e. when the originating
IP address and other information are identical, the
e-mail address in the "Return-Path"-line is always identical
between them, even if they were sent at different times
and/or dates.

2. The "Received:"-line(s) in the header (which contain IP addresses
and other server information) are usually impossible to fake, as
these are appended by the relaying server(s) through the network,
i.e. after the infected mail has already left the infected sender's
computer and is therefore no longer under the control of the virus/worm.

3. When I was sending abuse directly to the originating ISP by
forwarding the entire headers, at least two ISPs returned a
report message saying that when they parsed the server and
connection logs, they also noticed a match between the
ISP username and the e-mail address in the "Return-Path"-line.

4. It's a true fact that many Internet users don't have any kind of
antivirus program installed on their computer.
When sending a notification to the user (e-mail address) found in
the "Return-Path"-line (including links to free scanning tools on
the net), I have in several cases received a mail in return saying
that they actually found the Swen.A worm (or other viruses/worms)
on the computer without their knowledge, and that they will now
install an antivirus program.


online.no has been so infected, that we blocked all of their IP's from sending
to us until this virus thing calms down....


Online (a division of the national phone company) is one of the oldest
and largest ISPs in Norway with almost 400,000 customers (equal to
approx. 10% of the total population of Norway).

However, of all the Swen.A-infected e-mails I have received so far,
infections from online.no customers constitute only about 1-2% of
these.
The majority of Swen.A-infected e-mail is from other countries, with
France, Germany and Italy among the worst countries.



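The header-sorting check described in point 1 above (grouping mails by originating IP and comparing their Return-Path addresses), as an added Python example that is not the poster's own program; the hosts, addresses and IPs in it are constructed in the shape of the header sample in post #1. It also applies the caveat from point 2: only the Received line stamped by a relay the recipient trusts is used.

```python
import re
from collections import defaultdict
from email import message_from_string

# Constructed headers in the shape of the sample in post #1; the hosts,
# addresses and IPs are made up (documentation ranges), not real senders.
SAMPLE_HEADERS = [
    "Return-Path: <alice@example.net>\n"
    "Received: from vump (dial-1.example.net [198.51.100.10])\n"
    "\tby mx.example.org (8.9.3p2/8.9.3) with SMTP id TAA23439; Sat, 25 Oct 2003 19:12:43 +0200 (CEST)\n",
    "Return-Path: <alice@example.net>\n"
    "Received: from vump (dial-1.example.net [198.51.100.10])\n"
    "\tby mx.example.org (8.9.3p2/8.9.3) with SMTP id TAB10021; Sun, 26 Oct 2003 08:01:12 +0100 (CET)\n",
    "Return-Path: <bob@example.net>\n"
    "Received: from pc17 (dial-2.example.net [203.0.113.44])\n"
    "\tby mx.example.org (8.9.3p2/8.9.3) with SMTP id TAC55501; Sun, 26 Oct 2003 09:30:00 +0100 (CET)\n",
    "Return-Path: <carol@example.com>\n"
    "Received: from pc17 (dial-2.example.net [203.0.113.44])\n"
    "\tby mx.example.org (8.9.3p2/8.9.3) with SMTP id TAC55777; Sun, 26 Oct 2003 10:15:40 +0100 (CET)\n",
]

# "from host (name [1.2.3.4])" as written by Sendmail-style relays.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def originating_ip(raw):
    """Client IP from the topmost Received: line, the only one stamped by
    a relay we trust; lines below it arrived inside the message and could
    have been written by the worm itself, so they are ignored."""
    received = message_from_string(raw).get_all("Received") or []
    m = RECEIVED_IP.search(received[0]) if received else None
    return m.group(1) if m else None

def return_path(raw):
    """Envelope sender as recorded by the receiving server."""
    return message_from_string(raw).get("Return-Path", "").strip("<> \t\r\n")

def group_by_origin(raws):
    """Map originating IP -> set of Return-Path addresses seen from it."""
    seen = defaultdict(set)
    for raw in raws:
        ip = originating_ip(raw)
        if ip:
            seen[ip].add(return_path(raw))
    return dict(seen)

def suspect_origins(raws):
    """IPs whose Return-Path varied between mails: treat as forged and use
    the ISP abuse route instead of notifying the Return-Path address."""
    return sorted(ip for ip, rps in group_by_origin(raws).items() if len(rps) > 1)
```

An IP that always carries the same Return-Path (198.51.100.10 above) is the case the poster describes; one whose Return-Path changes (203.0.113.44) is the case Josh describes.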
#4
Capt. Frank Hopkins

Egad! that was the most annoying worm to deal with. I finally found the
cure though. NORTON to the rescue!

Capt. Frank

Stig Arne Bye wrote:
#5
Larry

On Sun, 26 Oct 2003 13:46:28 +0100, Stig Arne Bye wrote:


Stig,

I've had the same problem, but, like Josh, have found most of the return
path addys forged as well. In the beginning, I wrote all kinds of ISPs
asking for help tracing the infected sender, but got exactly 0 replies.
I gave up and added a filter to Mailwasher to just delete them on the
mailserver. I'm finally down now to less than 50 a day.
--

Larry
email is rapp at lmr dot com


#6
Josh Assing

added a filter to Mailwasher to just delete them on the mailserver. I'm

You know not to "bounce" anything with MailWasher, right? It's just useless, and
adds to the wasted bandwidth.....

#7
noah

On Sun, 26 Oct 2003 01:55:43 +0100, Stig Arne Bye
wrote:


Stig,

I still get a few (about 5 or so) daily, but it has been reduced since
I "munged" my email address. I noticed that you still post with an
"open" address.

It is certainly your choice whether or not to "munge", but it is
important to remember that every infected computer that visits this
newsgroup, and any other newsgroup that you post in, will re-harvest
your email address, and send you viro-mail.

I do not like the idea of "munging", but this infestation has been a
serious problem. I have even considered killing my email address, and
starting a new one.

Thank you for your efforts to track this virus. Maybe it is time to
just "side step" it. Munging will work.


....carry on.
noah

To email me, please remove the "FISH" from the net.
Copyright ©2004-2024 BoatBanter.com.