SWEN WORM

Discussion in 'Cycling Equipment' started by Ella, Sep 20, 2003.

Thread Status:
Not open for further replies.
  1. Ella

    Ella Guest

    How do I get rid of this worm? It started right after I posted to this site the other night. Now I
    keep getting all the emails. I haven't opened any and the anti virus doesn't find any virus. I keep
    getting the emails though.
     


  2. Tgleeman2

    Tgleeman2 Guest

    Hi Ella,

    I'm also getting hit with the worm. Don't open any fake "Microsoft" E-mails. My ISP is handling it.

    Tom

    "ella" <[email protected]> wrote in message news:[email protected]...
    >
    >
    > how do i get rid of this worm . it started right after i posted to this site
    > the other night. now i keep getting all the emails . i haven't opened any and the anti virus
    > doesn't find any virus. i keep getting the emails though.
     
  3. Res09c5t

    Res09c5t Guest

    My Norton anti-virus is catching it. You might want to update your virus definitions. I'm getting
    swamped, too. Probably 40 or 50 a day.

    Lyle

    "ella" <[email protected]> wrote in message news:[email protected]...
    >
    >
    > how do i get rid of this worm . it started right after i posted to this site
    > the other night. now i keep getting all the emails . i haven't opened any and the anti virus
    > doesn't find any virus. i keep getting the emails though.
     
  4. Tom

    Tom Guest

    Test msg to scramble my reply address to prevent future virus scams, as I've been inundated too.

    Tom

    to reply remove (nospam)

     
  5. Tim McNamara

    Tim McNamara Guest

    In article <[email protected]>, "Tom" <[email protected]> wrote:

    > Test msg to scramble my reply address to prevent future virus scams, as I've been inundated too.
    >
    > Tom
    >
    > to reply remove (nospam)

    Unfortunately this won't work. You've munged the Reply-To: address but not the From: address. Most
    harvester bots get addresses from the From: header and from the body of the message.
     
  6. Werehatrack

    Werehatrack Guest

    On Sat, 20 Sep 2003 19:20:25 -0400, "ella" <[email protected]> may have said:

    >
    >
    >how do i get rid of this worm . it started right after i posted to this site the other night. now i
    >keep getting all the emails . i haven't opened any and the anti virus doesn't find any virus. i
    >keep getting the emails though.

    What's going on is that while *you* may not have the virus, when you posted a message to Usenet with
    your own email address present in it unmunged, the worm grabbed your address from the newsgroup
    traffic on a machine that's infected. *That* machine is now sending out copies of the worm, both
    addressed directly to you and also addressed to others but showing your address as the Reply-to: or
    From:, and you're getting some of the bounces from those in addition to the ones addressed to you.

    My S.O. is getting over 75 per day. This is easily the nastiest of the address harvester worms I've
    seen so far.

    --
    My email address is antispammed; pull WEEDS if replying via e-mail. Yes, I have a killfile. If I
    don't respond to something, it's also possible that I'm busy.
     
  7. Ed Kirstein

    Ed Kirstein Guest

    Everybody on the newsgroup should make sure they are using an invalid email address in their news
    account setup, so that automatic email address harvesters won't work. In Outlook Express, click
    Tools, Accounts. Then choose the News Tab. Where it says Email Address, modify it in some way to
    make it invalid but obvious. I have replaced the "@" sign with "_at". Some people add the word
    "Spam" to the email address.

    This way, there is a bit less chance you'll get onto the virus mailing lists. It's not a cure-all,
    but it is an easy first line of defense.

    Ed

    "ella" <[email protected]> wrote in message news:[email protected]...
    >
    >
    > how do i get rid of this worm . it started right after i posted to this site
    > the other night. now i keep getting all the emails . i haven't opened any and the anti virus
    > doesn't find any virus. i keep getting the emails though.
     
  8. Mark Wolfe

    Mark Wolfe Guest

    The cure all is to dump windows. :) Knode works great for nntp.

    "Ed Kirstein" <ekirstein_atcatskill.net> wrote:

    > Everybody on the newsgroup should make sure they are using an invalid email
    > address in their news account setup, so that automatic email address harvesters won't work. In
    > Outlook Express, click Tools, Accounts. Then choose the News Tab. Where it says Email Address,
    > modify it in some way to make it invalid but obvious. I have replaced the "@" sign with "_at".
    > Some people add the word "Spam" to the email address.
    >
    > This way, there is a bit less chance you'll get onto the virus mailing lists. Its not a cure-all,
    > but it is an easy first line of defense.
    >
    > Ed
    >
    >
    >
    > "ella" <[email protected]> wrote in message news:[email protected]...
    >>
    >>
    >> how do i get rid of this worm . it started right after i posted to this site
    >> the other night. now i keep getting all the emails . i haven't opened any and the anti virus
    >> doesn't find any virus. i keep getting the emails though.
    >>
    >>

    --
    Mark Wolfe http://www.wolfenet.org
    gpg fingerprint = 42B6 EFEB 5414 AA18 01B7 64AC EF46 F7E6 82F6 8C71
    Why do programmers get Halloween and Christmas mixed up? Because OCT(31) == DEC(25)
     
  9. Mark Wolfe

    Mark Wolfe Guest

    Heh, 75 is NOTHING. Look at what a friend of mine is seeing.

    http://www.ka9q.net/worm/

    He unfortunately got his email address in the readme.htm file that is installed on every
    windows box.

    Werehatrack wrote:

    > On Sat, 20 Sep 2003 19:20:25 -0400, "ella" <[email protected]> may have said:
    >
    >>
    >>
    >>how do i get rid of this worm . it started right after i posted to this site
    >>the other night. now i keep getting all the emails . i haven't opened any and the anti virus
    >>doesn't find any virus. i keep getting the emails though.
    >
    > What's going on is that while *you* may not have the virus, when you posted a message to Usenet
    > with your own email address present in it unmunged, the worm grabbed your address from the
    > newsgroup traffic on a machine that's infected. *That* machine is now sending out copies of the
    > worm, both addressed directly to you and also addressed to others but showing your address as the
    > Reply-to: or From:, and you're getting some of the bounces from those in addition to the ones
    > addressed to you.
    >
    > My S.O. is getting over 75 per day. This is easily the nastiest of the address harvester worms
    > I've seen so far.
    >
    > --
    > My email address is antispammed; pull WEEDS if replying via e-mail. Yes, I have a killfile. If I
    > don't respond to something, it's also possible that I'm busy.

    --
    Mark Wolfe http://www.wolfenet.org
    gpg fingerprint = 42B6 EFEB 5414 AA18 01B7 64AC EF46 F7E6 82F6 8C71
    The man who sees, on New Year's day, Mount Fuji, a hawk, and an eggplant is forever blessed.
    -- Old Japanese proverb
     
  10. Werehatrack

    Werehatrack Guest

    On Sun, 21 Sep 2003 12:08:09 -0700, Mark Wolfe <[email protected]> may have said:

    >Heh, 75 is NOTHING. Look at what a friend of mine is seeing.
    >
    >http://www.ka9q.net/worm/
    >
    >He unfortunately got his email address in the readme.htm file that is installed on every
    >windows box.

    It turned out that 75/day was not the rate. After I reconfigured her client to fetch on a 60 minute
    cycle, it's more like 30 to 70 per hour. The mailbox had been overflowing, apparently.

    This worm is an enthusiastic newsgroup scraper. If anyone didn't already have enough of a reason to
    munge their address when posting to Usenet, I think WW.Swen is providing a persuasive argument
    after the fact.

    --
    My email address is antispammed; pull WEEDS if replying via e-mail. Yes, I have a killfile. If I
    don't respond to something, it's also possible that I'm busy.
     
  11. Werehatrack

    Werehatrack Guest

    On Sun, 21 Sep 2003 12:05:02 -0700, Mark Wolfe <[email protected]> may have said:

    >The cure all is to dump windows. :) Knode works great for nntp.

    Nice theory, but some of us have to retain functionalities that *nix does not yet support
    affordably. (But there's a Mac across the room for some of them, and a Linux box in another corner
    for those times when nothing else is to be trusted...)

    --
    My email address is antispammed; pull WEEDS if replying via e-mail. Yes, I have a killfile. If I
    don't respond to something, it's also possible that I'm busy.
     
  12. Gocycle

    Gocycle Guest

    "Werehatrack" <[email protected]> wrote in message
    news:[email protected]...
    > On Sun, 21 Sep 2003 12:05:02 -0700, Mark Wolfe <[email protected]> may have said:
    >
    > >The cure all is to dump windows. :) Knode works great for nntp.
    >
    > Nice theory, but some of use have to retain functionalities that *nix does not yet support
    > affordably. (But there's a Mac across the room for some of them, and a Linux box in another corner
    > for those times when nothing else is to be trusted...)
    >
    > --
    > My email address is antispammed; pull WEEDS if replying via e-mail. Yes, I have a killfile. If I
    > don't respond to something, it's also possible that I'm busy.
     
  13. Werehatrack

    Werehatrack Guest

    On Sun, 21 Sep 2003 23:09:31 GMT, "GoCycle" <[email protected]> may have said:

    >added NO SPAM to my address-I HOPE

    Yup.

    Of course, this won't keep the worm from scrounging your address from the places where it's still
    present in old traffic, but it will help going forward.

    (Some users say that it's more effective, and places less load on your provider, if you do something
    that makes every part of the address invalid, rather than just the username; as it's posted above,
    your address will now produce bounce messages from attempts to deliver email to optonline.net using
    the bogus user name. That's a consideration, but the main thing in my opinion is to keep the spam
    and virus crap from being deliverable, which your trick will do as long as there's no user named
    gocycleNOSPAM at your ISP.)

    --
    My email address is antispammed; pull WEEDS if replying via e-mail. Yes, I have a killfile. If I
    don't respond to something, it's also possible that I'm busy.
     
  14. Marcus Coles

    Marcus Coles Guest

    Werehatrack wrote:
    > On Sun, 21 Sep 2003 23:09:31 GMT, "GoCycle" <[email protected]> may have said:
    >
    >
    >>added NO SPAM to my address-I HOPE
    >
    >
    > Yup.
    >
    > Of course, this won't keep the worm from scrounging your address from the places where it's still
    > present in old traffic, but it will help going forward.
    >
    > (Some users say that it's more effective, and places less load on your provider, if you do
    > something that makes every part of the address invalid, rather than just the username; as it's
    > posted above, your address will now produces bounce messages from attempts to deliver email to
    > optonline.net using the bogus user name. That's a consideration, but the main thing in my opinion
    > is to keep the spam and virus crap from being deliverable, which your trick will do as long as
    > there's no user named gocycleNOSPAM at your ISP.)
    >
    > --
    >

    IMO the worm is just doing the usual harvesting of addresses from the M$ Address Book and there are
    a lot of unpatched machines out there.

    What makes this worm so much more effective is that ISP's, who previously filtered out this crap to
    save their client the trouble, cannot check for invalid email domains due to the monkey business
    from Verisign. Invalid addresses are resolving to Verisign's search page and therefore the junk
    appears valid. http://www.theinquirer.net/?article=11569

    I could be wrong, but I cannot see this thing dynamically harvesting from Google or other
    NG archives.

    -Marcus
     
  15. Ken Bessler

    Ken Bessler Guest

    "GoCycle" <[email protected]> wrote in message
    news:[email protected]...

    Some of the better harvesting programs look for the word "NOSPAM" and remove it from the email
    address, restoring its validity.......D'oh!
     
  16. Rick Onanian

    Rick Onanian Guest

    On Mon, 22 Sep 2003 06:40:47 -0600, Ken Bessler <[email protected]> wrote:
    > Some of the better harvesting programs look for the word "NOSPAM" and remove it from the email
    > address, restoring it's validity.......D'oh!

    So change "NOSPAM" to "SPAMAWAY" or some such.

    Or get an email address with the word "SPAM" in it, and let the programs remove the "SPAM", thereby
    invalidating the resulting address (see my address).

    --
    Rick Onanian
     
  17. Werehatrack

    Werehatrack Guest

    On Sun, 21 Sep 2003 21:04:31 -0400, Marcus Coles <[email protected]> may have said:

    >What makes this worm so much more effective is that ISP's, who previously filtered out this crap to
    >save their client the trouble, cannot check for invalid email domains due to the monkey business
    >from Verisign. Invalid addresses are resolving to Verisign's search page and therefore the junk
    >appears valid. http://www.theinquirer.net/?article=11569

    Not effective in any event; Swen uses a forged From: in a valid domain, typically hotmail.com or one
    of a short list of others that are impractical to exclude.

    >I could be wrong, but I cannot see this thing dynamically harvesting from Google or other NG
    >archives.

    It doesn't. It harvests from newsreader files on the infected client's system. Once the articles
    bearing a given address have aged out and been purged from the nntp spools, the amount of Swen
    traffic to that address should decline. The only Windows newsreader of my experience which does not
    maintain a harvestable datafile is WinVN, which has perhaps a few thousand users altogether. If a
    Swen worm infests a machine that has an extensive unpurged newsreader, the addresses it finds *will*
    be pounded.

    --
    My email address is antispammed; pull WEEDS if replying via e-mail. Yes, I have a killfile. If I
    don't respond to something, it's also possible that I'm busy.
     
  18. Kenny Lee

    Kenny Lee Guest

    Werehatrack wrote:

    > If a Swen worm infests a machine that has an extensive unpurged newsreader, the addresses it
    > finds *will* be pounded.
    >
    Boy, have I been getting a pounding. Swallowed my pride and changed my original address. As you can
    see the new one is munged.

    Kenny Lee

    --
    Delete "nomospam" from the return address in your reply.
     
  19. Tim McNamara

    Tim McNamara Guest

    In article <[email protected]>, Werehatrack
    <[email protected]> wrote:

    > If a Swen worm infests a machine that has an extensive unpurged newsreader, the addresses it finds
    > *will* be pounded.

    I'll vouch for that, being up to about 5,000 such e-mails in the past not-quite-4 days. The rate
    appeared to be dropping over the weekend, but has showed a sharp uptick today.
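
Added example (not part of any post in this thread): a pre-posting check in Python built on the points made above, namely that harvesters read From: and the body as well as Reply-To:, that a NOSPAM token is easily stripped, and that only a fully invalid address keeps delivery attempts away from a real domain. The sample articles are constructed, and the use of the reserved `.invalid` top-level domain, the header list and all function names are assumptions of this example.

```python
import re
from email import message_from_string

# Loose address pattern; enough to spot what a harvester would also spot.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HEADERS = ("From", "Reply-To", "Sender")   # assumed set of headers to audit
WEAK_TOKENS = ("nospam",)                  # tokens the thread says get stripped

# Constructed sample: Reply-To is munged, From and body are not.
LEAKY = """\
From: Tom <tom@example.com>
Reply-To: tomNOSPAM@example.com
Subject: test

Test msg. Mail me at tom@example.com
"""

# Constructed sample: every address sits under the reserved .invalid TLD.
CLEAN = """\
From: Tom <tom@address.invalid>
Reply-To: tom@address.invalid
Subject: test

Test msg. Contact details are on my web page.
"""

def classify(addr):
    """Rate one address: undeliverable, weak-munge, or exposed."""
    local, domain = addr.lower().rsplit("@", 1)
    if domain.endswith(".invalid"):
        return "undeliverable"      # no real mail server will ever see it
    if any(t in local or t in domain for t in WEAK_TOKENS):
        return "weak-munge"         # real domain still receives the attempts
    return "exposed"

def audit(article):
    """Return (location, address, verdict) for every address in the post."""
    msg = message_from_string(article)
    findings = []
    for name in HEADERS:
        for value in msg.get_all(name, []):
            findings += [(name, a, classify(a)) for a in ADDR_RE.findall(value)]
    body = msg.get_payload()
    findings += [("body", a, classify(a)) for a in ADDR_RE.findall(body)]
    return findings

def safe_to_post(article):
    """True only when no header or body address is deliverable."""
    return all(verdict == "undeliverable" for _, _, verdict in audit(article))
```

An address rewritten in the "_at" style contains no "@" and so is not reported at all, which matches its being unreadable to a simple pattern-matching harvester.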
     