Home |
Search |
Today's Posts |
#1
|
|||
|
|||
Are you still bothered with the W32.Swen.A@mm worm?
Since September 19, I have so far received almost 5,500 e-mail with the
W32.Swen.A@mm worm in the attachment (the fake Microsoft update patch), and I'm still receiving something about 100-150 every day. Some time ago, I started to send abuse messages to the senders ISP. However, I could have saved me the hard work of locating the infected senders ISP, and instead sent an alert message directly to the infected sender. Here is a header sample from one of the latest Swen.A-infected e-mails I have received: From - Sat Oct 25 21:42:16 2003 Return-Path: Received: from vump (ti200720a149-0067.dialup.online.no [130.67.192.195]) by mail41.fg.online.no (8.9.3p2/8.9.3) with SMTP id TAA23439; Sat, 25 Oct 2003 19:12:43 +0200 (CEST) Date: Sat, 25 Oct 2003 19:12:43 +0200 (CEST) Message-Id: From: MS Net Email Delivery Service To: Internet User Subject: failure announcement Both the "From:"-line and the "To:"-line contain fake e-mail addresses (that is quite obvious). However, the "Return-Path:"-line is NOT faked, i.e. the e-mail address found here is the _REAL_ e-mail address of the infected sender! This is somewhat unlike other mass-mailing worms (e.g. Klez.H and Sobig.F) that fake every single e-mail address in the header so it's completly impossible to know the real sender without doing the trouble to send an abuse through the senders ISP (if one is able to find out who the senders ISP is). Stig Arne Bye E-mail ......: Contact .....: AOL IM: VT480TFE / MSN: / ICQ: 403349 Snail-Mail ..: P.O.Box 169, NO-9915 Kirkenes, Norway Homepage ....: http://home.online.no/~stigbye/index.html ------------------------------------------------------------------------ Located just about 70°N 30°E - Almost at the top of the world! |
#2
|
|||
|
|||
Are you still bothered with the W32.Swen.A@mm worm?
Actually; the return-path is also spoofed.
I've seen plenty where the "IP" address of the sending computer is nothing like the return-path's domain... online.no has been so infected, that we blocked all of their IP's from sending to us until this virus thing calms down.... On Sun, 26 Oct 2003 01:55:43 +0100, Stig Arne Bye wrote: Since September 19, I have so far received almost 5,500 e-mail with the W32.Swen.A@mm worm in the attachment (the fake Microsoft update patch), and I'm still receiving something about 100-150 every day. Some time ago, I started to send abuse messages to the senders ISP. However, I could have saved me the hard work of locating the infected senders ISP, and instead sent an alert message directly to the infected sender. Here is a header sample from one of the latest Swen.A-infected e-mails I have received: From - Sat Oct 25 21:42:16 2003 Return-Path: Received: from vump (ti200720a149-0067.dialup.online.no [130.67.192.195]) by mail41.fg.online.no (8.9.3p2/8.9.3) with SMTP id TAA23439; Sat, 25 Oct 2003 19:12:43 +0200 (CEST) Date: Sat, 25 Oct 2003 19:12:43 +0200 (CEST) Message-Id: From: MS Net Email Delivery Service To: Internet User Subject: failure announcement Both the "From:"-line and the "To:"-line contain fake e-mail addresses (that is quite obvious). However, the "Return-Path:"-line is NOT faked, i.e. the e-mail address found here is the _REAL_ e-mail address of the infected sender! This is somewhat unlike other mass-mailing worms (e.g. Klez.H and Sobig.F) that fake every single e-mail address in the header so it's completly impossible to know the real sender without doing the trouble to send an abuse through the senders ISP (if one is able to find out who the senders ISP is). Stig Arne Bye E-mail ......: Contact .....: AOL IM: VT480TFE / MSN: / ICQ: 403349 Snail-Mail ..: P.O.Box 169, NO-9915 Kirkenes, Norway Homepage ....: http://home.online.no/~stigbye/index.html ------------------------------------------------------------------------ Located just about 70°N 30°E - Almost at the top of the world! |
#3
|
|||
|
|||
Are you still bothered with the W32.Swen.A@mm worm?
Josh Assing wrote:
Actually; the return-path is also spoofed. I've seen plenty where the "IP" address of the sending computer is nothing like the return-path's domain... I don't deny that the "Return-Path"-line could be faked in some cases, but there are still some facts he 1. I have stored all headers from the about 5,500 infected e-mail I have received (after Norton AntiVirus(TM) has removed the infected attachment of course). When examining and sorting _all_ headers (I even wrote a small program for that), I have noticed that whenever an infected e-mail appear to come from the same sender, i.e. when the originating IP-address and other informations are identical, then the e-mail address in the "Return-Path"-line is always identical between these, even if these has been sent on different times and/or dates. 2. The "Received:"-line(s) is the header (that contain IP-addresses and other server information) are usually impossible to fake as these are appended by the relaying server(s) through the network, i.e. after the infected mail already has left the infected senders computer and therefore no longer under control of the virus/worm. 3. When I was sending abuse directly to the originating ISP by forwarding the entire headers, then at least two ISP's returned a report message saying that when they parsed the server and connection logs, they also noticed a match between the ISP-username and the e-mail address in the "Return-Path"-line. 4. It's a true fact that many Internet users don't have any kind of antivirus-program installed on their computer. When sending a notification to the user (e-mail address) found in the "Return-Path"-line (including links to free scanning tools on the net), I have in several cases received a mail in return saying that they actually found the Swen.A worm (or other viruses/worms) on the computer without their knowledge, and that they now will install antivirus-program. online.no has been so infected, that we blocked all of their IP's from sending to us until this virus thing calms down.... Online (a division of the national phone company) is on of the oldest and largest ISP in Norway with almost 400,000 customers (that equal approx. 10% of the total population in Norway). However, of all the Swen.A infected e-mail I so far have received, infections from online.no customers constitutes only about 1-2% of these. The majority of Swen.A infected e-mail is from other countries, with France, Germany and Italy amongst the worst countries. Stig Arne Bye E-mail ......: Contact .....: AOL IM: VT480TFE / MSN: / ICQ: 403349 Snail-Mail ..: P.O.Box 169, NO-9915 Kirkenes, Norway Homepage ....: http://home.online.no/~stigbye/index.html ------------------------------------------------------------------------ Located just about 70°N 30°E - Almost at the top of the world! |
#4
|
|||
|
|||
Are you still bothered with the W32.Swen.A@mm worm?
Egad! that was the most annoying worm to deal with. I finally found the
cure though. NORTON to the rescue! Capt. Frank Stig Arne Bye wrote: Since September 19, I have so far received almost 5,500 e-mail with the W32.Swen.A@mm worm in the attachment (the fake Microsoft update patch), and I'm still receiving something about 100-150 every day. Some time ago, I started to send abuse messages to the senders ISP. However, I could have saved me the hard work of locating the infected senders ISP, and instead sent an alert message directly to the infected sender. Here is a header sample from one of the latest Swen.A-infected e-mails I have received: From - Sat Oct 25 21:42:16 2003 Return-Path: Received: from vump (ti200720a149-0067.dialup.online.no [130.67.192.195]) by mail41.fg.online.no (8.9.3p2/8.9.3) with SMTP id TAA23439; Sat, 25 Oct 2003 19:12:43 +0200 (CEST) Date: Sat, 25 Oct 2003 19:12:43 +0200 (CEST) Message-Id: From: MS Net Email Delivery Service To: Internet User Subject: failure announcement Both the "From:"-line and the "To:"-line contain fake e-mail addresses (that is quite obvious). However, the "Return-Path:"-line is NOT faked, i.e. the e-mail address found here is the _REAL_ e-mail address of the infected sender! This is somewhat unlike other mass-mailing worms (e.g. Klez.H and Sobig.F) that fake every single e-mail address in the header so it's completly impossible to know the real sender without doing the trouble to send an abuse through the senders ISP (if one is able to find out who the senders ISP is). Stig Arne Bye E-mail ......: Contact .....: AOL IM: VT480TFE / MSN: / ICQ: 403349 Snail-Mail ..: P.O.Box 169, NO-9915 Kirkenes, Norway Homepage ....: http://home.online.no/~stigbye/index.html ------------------------------------------------------------------------ Located just about 70°N 30°E - Almost at the top of the world! |
#5
|
|||
|
|||
Are you still bothered with the W32.Swen.A@mm worm?
On Sun, 26 Oct 2003 13:46:28 +0100, Stig Arne Bye wrote:
Josh Assing wrote: Actually; the return-path is also spoofed. I've seen plenty where the "IP" address of the sending computer is nothing like the return-path's domain... I don't deny that the "Return-Path"-line could be faked in some cases, but there are still some facts he 1. I have stored all headers from the about 5,500 infected e-mail I have received (after Norton AntiVirus(TM) has removed the infected attachment of course). When examining and sorting _all_ headers (I even wrote a small program for that), I have noticed that whenever an infected e-mail appear to come from the same sender, i.e. when the originating IP-address and other informations are identical, then the e-mail address in the "Return-Path"-line is always identical between these, even if these has been sent on different times and/or dates. 2. The "Received:"-line(s) is the header (that contain IP-addresses and other server information) are usually impossible to fake as these are appended by the relaying server(s) through the network, i.e. after the infected mail already has left the infected senders computer and therefore no longer under control of the virus/worm. 3. When I was sending abuse directly to the originating ISP by forwarding the entire headers, then at least two ISP's returned a report message saying that when they parsed the server and connection logs, they also noticed a match between the ISP-username and the e-mail address in the "Return-Path"-line. 4. It's a true fact that many Internet users don't have any kind of antivirus-program installed on their computer. When sending a notification to the user (e-mail address) found in the "Return-Path"-line (including links to free scanning tools on the net), I have in several cases received a mail in return saying that they actually found the Swen.A worm (or other viruses/worms) on the computer without their knowledge, and that they now will install antivirus-program. online.no has been so infected, that we blocked all of their IP's from sending to us until this virus thing calms down.... Online (a division of the national phone company) is on of the oldest and largest ISP in Norway with almost 400,000 customers (that equal approx. 10% of the total population in Norway). However, of all the Swen.A infected e-mail I so far have received, infections from online.no customers constitutes only about 1-2% of these. The majority of Swen.A infected e-mail is from other countries, with France, Germany and Italy amongst the worst countries. Stig Arne Bye E-mail ......: Contact .....: AOL IM: VT480TFE / MSN: / ICQ: 403349 Snail-Mail ..: P.O.Box 169, NO-9915 Kirkenes, Norway Homepage ....: http://home.online.no/~stigbye/index.html ------------------------------------------------------------------------ Located just about 70°N 30°E - Almost at the top of the world! Stig, I've had the same problem, but, like Josh, have found most of the return path addys forged as well. In the beginning, I wrote all kinds of ISP's asking for help tracing the infected sender, but got exactly 0 replies. I gave up and added a filter to Mailwasher to just delete them on the mailserver. I'm finally down now to less than 50 a day. -- Larry email is rapp at lmr dot com |
#6
|
|||
|
|||
Are you still bothered with the W32.Swen.A@mm worm?
added a filter to Mailwasher to just delete them on the mailserver. I'm
You know not to "bounce" anything with MailWasher, right? it's just useless, and adds to the wasted bandwidth..... |
#7
|
|||
|
|||
Are you still bothered with the W32.Swen.A@mm worm?
On Sun, 26 Oct 2003 01:55:43 +0100, Stig Arne Bye
wrote: Since September 19, I have so far received almost 5,500 e-mail with the W32.Swen.A@mm worm in the attachment (the fake Microsoft update patch), and I'm still receiving something about 100-150 every day. Some time ago, I started to send abuse messages to the senders ISP. However, I could have saved me the hard work of locating the infected senders ISP, and instead sent an alert message directly to the infected sender. Here is a header sample from one of the latest Swen.A-infected e-mails I have received: From - Sat Oct 25 21:42:16 2003 Return-Path: Received: from vump (ti200720a149-0067.dialup.online.no [130.67.192.195]) by mail41.fg.online.no (8.9.3p2/8.9.3) with SMTP id TAA23439; Sat, 25 Oct 2003 19:12:43 +0200 (CEST) Date: Sat, 25 Oct 2003 19:12:43 +0200 (CEST) Message-Id: From: MS Net Email Delivery Service To: Internet User Subject: failure announcement Both the "From:"-line and the "To:"-line contain fake e-mail addresses (that is quite obvious). However, the "Return-Path:"-line is NOT faked, i.e. the e-mail address found here is the _REAL_ e-mail address of the infected sender! This is somewhat unlike other mass-mailing worms (e.g. Klez.H and Sobig.F) that fake every single e-mail address in the header so it's completly impossible to know the real sender without doing the trouble to send an abuse through the senders ISP (if one is able to find out who the senders ISP is). Stig Arne Bye E-mail ......: Contact .....: AOL IM: VT480TFE / MSN: / ICQ: 403349 Snail-Mail ..: P.O.Box 169, NO-9915 Kirkenes, Norway Homepage ....: http://home.online.no/~stigbye/index.html ------------------------------------------------------------------------ Located just about 70°N 30°E - Almost at the top of the world! Stig, I still get a few (about 5 or so) daily, but it has been reduced since I "munged" my email address. I noticed that you still post with an "open" address. It is certainly your choice whether or not to "munge", but it is important to remember that every infected computer that visits this newsgroup, and any other newsgroup that you post in, will re-harvest your email address, and send you viro-mail. I do not like the idea of "munging", but this infestation has been a serious problem. I have even considered killing my email address, and starting a new one. Thank you for your efforts to track this virus. Maybe it is time to just "side step" it. Munging will work. ....carry on. noah To email me, please remove the "FISH" from the net. |
Reply |
Thread Tools | Search this Thread |
Display Modes | |
|
|