SWEN WORM

Ella
How do I get rid of this worm? It started right after I posted to this site the other night. Now I
keep getting all the emails. I haven't opened any and the anti-virus doesn't find any virus. I keep
getting the emails though.
 
Hi Ella,

I'm also getting hit with the worm. Don't open any fake "Microsoft" E-mails. My ISP is handling it.

Tom

"ella" <[email protected]> wrote in message news:[email protected]...
>
> How do I get rid of this worm? It started right after I posted to this site
> the other night. Now I keep getting all the emails. I haven't opened any and the anti-virus
> doesn't find any virus. I keep getting the emails though.
 
My Norton anti-virus is catching it. You might want to update your virus definitions. I'm getting
swamped, too. Probably 40 or 50 a day.

Lyle

"ella" <[email protected]> wrote in message news:[email protected]...
>
> How do I get rid of this worm? It started right after I posted to this site
> the other night. Now I keep getting all the emails. I haven't opened any and the anti-virus
> doesn't find any virus. I keep getting the emails though.
 
Test msg to scramble my reply address to prevent future virus scams, as I've been inundated too.

Tom

to reply remove (nospam)

 
In article <[email protected]>, "Tom" <[email protected]> wrote:

> Test msg to scramble my reply address to prevent future virus scams, as I've been inundated too.
>
> Tom
>
> to reply remove (nospam)

Unfortunately this won't work. You've munged the Reply-To: address but not the From: address. Most
harvester bots get addresses from the From: header and from the body of the message.
 
On Sat, 20 Sep 2003 19:20:25 -0400, "ella" <[email protected]> may have said:

>How do I get rid of this worm? It started right after I posted to this site the other night. Now I
>keep getting all the emails. I haven't opened any and the anti-virus doesn't find any virus. I
>keep getting the emails though.

What's going on is that while *you* may not have the virus, when you posted a message to Usenet with
your own email address present in it unmunged, the worm grabbed your address from the newsgroup
traffic on a machine that's infected. *That* machine is now sending out copies of the worm, both
addressed directly to you and also addressed to others but showing your address as the Reply-to: or
From:, and you're getting some of the bounces from those in addition to the ones addressed to you.

My S.O. is getting over 75 per day. This is easily the nastiest of the address harvester worms I've
seen so far.

--
My email address is antispammed; pull WEEDS if replying via e-mail. Yes, I have a killfile. If I
don't respond to something, it's also possible that I'm busy.
 
Everybody on the newsgroup should make sure they are using an invalid email address in their news
account setup, so that automatic email address harvesters won't work. In Outlook Express, click
Tools, Accounts. Then choose the News Tab. Where it says Email Address, modify it in some way to
make it invalid but obvious. I have replaced the "@" sign with "_at". Some people add the word
"Spam" to the email address.

This way, there is a bit less chance you'll get onto the virus mailing lists. It's not a cure-all,
but it is an easy first line of defense.

Ed

"ella" <[email protected]> wrote in message news:[email protected]...
>
> How do I get rid of this worm? It started right after I posted to this site
> the other night. Now I keep getting all the emails. I haven't opened any and the anti-virus
> doesn't find any virus. I keep getting the emails though.
 
The cure all is to dump windows. :) Knode works great for nntp.

"Ed Kirstein" <ekirstein_atcatskill.net> wrote:

> Everybody on the newsgroup should make sure they are using an invalid email
> address in their news account setup, so that automatic email address harvesters won't work. In
> Outlook Express, click Tools, Accounts. Then choose the News Tab. Where it says Email Address,
> modify it in some way to make it invalid but obvious. I have replaced the "@" sign with "_at".
> Some people add the word "Spam" to the email address.
>
> This way, there is a bit less chance you'll get onto the virus mailing lists. It's not a cure-all,
> but it is an easy first line of defense.
>
> Ed
>
> "ella" <[email protected]> wrote in message news:[email protected]...
>>
>> How do I get rid of this worm? It started right after I posted to this site
>> the other night. Now I keep getting all the emails. I haven't opened any and the anti-virus
>> doesn't find any virus. I keep getting the emails though.

--
Mark Wolfe http://www.wolfenet.org
gpg fingerprint = 42B6 EFEB 5414 AA18 01B7 64AC EF46 F7E6 82F6 8C71
Why do programmers get Halloween and Christmas mixed up? Because OCT(31) == DEC(25)
 
Heh, 75 is NOTHING. Look at what a friend of mine is seeing.

http://www.ka9q.net/worm/

He unfortunately got his email address in the readme.htm file that is installed on every
windows box.

Werehatrack wrote:

> On Sat, 20 Sep 2003 19:20:25 -0400, "ella" <[email protected]> may have said:
>
>> How do I get rid of this worm? It started right after I posted to this site
>> the other night. Now I keep getting all the emails. I haven't opened any and the anti-virus
>> doesn't find any virus. I keep getting the emails though.
>
> What's going on is that while *you* may not have the virus, when you posted a message to Usenet
> with your own email address present in it unmunged, the worm grabbed your address from the
> newsgroup traffic on a machine that's infected. *That* machine is now sending out copies of the
> worm, both addressed directly to you and also addressed to others but showing your address as the
> Reply-to: or From:, and you're getting some of the bounces from those in addition to the ones
> addressed to you.
>
> My S.O. is getting over 75 per day. This is easily the nastiest of the address harvester worms
> I've seen so far.
>
> --
> My email address is antispammed; pull WEEDS if replying via e-mail. Yes, I have a killfile. If I
> don't respond to something, it's also possible that I'm busy.

--
Mark Wolfe http://www.wolfenet.org
gpg fingerprint = 42B6 EFEB 5414 AA18 01B7 64AC EF46 F7E6 82F6 8C71
The man who sees, on New Year's day, Mount Fuji, a hawk, and an eggplant is forever blessed. --
Old Japanese proverb
 
On Sun, 21 Sep 2003 12:08:09 -0700, Mark Wolfe <[email protected]> may have said:

>Heh, 75 is NOTHING. Look at what a friend of mine is seeing.
>
>http://www.ka9q.net/worm/
>
>He unfortunately got his email address in the readme.htm file that is installed on every
>windows box.

It turned out that 75/day was not the rate. After I reconfigured her client to fetch on a 60 minute
cycle, it's more like 30 to 70 per hour. The mailbox had been overflowing, apparently.

This worm is an enthusiastic newsgroup scraper. If anyone didn't already have enough of a reason to
munge their address when posting to Usenet, I think WW.Swen is providing a persuasive argument
after the fact.

--
My email address is antispammed; pull WEEDS if replying via e-mail. Yes, I have a killfile. If I
don't respond to something, it's also possible that I'm busy.
 
On Sun, 21 Sep 2003 12:05:02 -0700, Mark Wolfe <[email protected]> may have said:

>The cure all is to dump windows. :) Knode works great for nntp.

Nice theory, but some of us have to retain functionalities that *nix does not yet support
affordably. (But there's a Mac across the room for some of them, and a Linux box in another corner
for those times when nothing else is to be trusted...)

--
My email address is antispammed; pull WEEDS if replying via e-mail. Yes, I have a killfile. If I
don't respond to something, it's also possible that I'm busy.
 
"Werehatrack" <[email protected]> wrote in message news:[email protected]...
> On Sun, 21 Sep 2003 12:05:02 -0700, Mark Wolfe <[email protected]> may have said:
>
> >The cure all is to dump windows. :) Knode works great for nntp.
>
> Nice theory, but some of us have to retain functionalities that *nix does not yet support
> affordably. (But there's a Mac across the room for some of them, and a Linux box in another corner
> for those times when nothing else is to be trusted...)
>
> --
> My email address is antispammed; pull WEEDS if replying via e-mail. Yes, I have a killfile. If I
> don't respond to something, it's also possible that I'm busy.
 
On Sun, 21 Sep 2003 23:09:31 GMT, "GoCycle" <[email protected]> may have said:

>added NO SPAM to my address-I HOPE

Yup.

Of course, this won't keep the worm from scrounging your address from the places where it's still
present in old traffic, but it will help going forward.

(Some users say that it's more effective, and places less load on your provider, if you do something
that makes every part of the address invalid, rather than just the username; as it's posted above,
your address will now produce bounce messages from attempts to deliver email to optonline.net using
the bogus user name. That's a consideration, but the main thing in my opinion is to keep the spam
and virus **** from being deliverable, which your trick will do as long as there's no user named
gocycleNOSPAM at your ISP.)

--
My email address is antispammed; pull WEEDS if replying via e-mail. Yes, I have a killfile. If I
don't respond to something, it's also possible that I'm busy.
 
Werehatrack wrote:
> On Sun, 21 Sep 2003 23:09:31 GMT, "GoCycle" <[email protected]> may have said:
>
>>added NO SPAM to my address-I HOPE
>
> Yup.
>
> Of course, this won't keep the worm from scrounging your address from the places where it's still
> present in old traffic, but it will help going forward.
>
> (Some users say that it's more effective, and places less load on your provider, if you do
> something that makes every part of the address invalid, rather than just the username; as it's
> posted above, your address will now produce bounce messages from attempts to deliver email to
> optonline.net using the bogus user name. That's a consideration, but the main thing in my opinion
> is to keep the spam and virus **** from being deliverable, which your trick will do as long as
> there's no user named gocycleNOSPAM at your ISP.)
>
> --

IMO the worm is just doing the usual harvesting of addresses from the M$ Address Book and there are
a lot of unpatched machines out there.

What makes this worm so much more effective is that ISPs, who previously filtered out this **** to
save their client the trouble, cannot check for invalid email domains due to the monkey business
from Verisign. Invalid addresses are resolving to Verisign's search page and therefore the junk
appears valid. http://www.theinquirer.net/?article=11569

I could be wrong, but I cannot see this thing dynamically harvesting from Google or other
NG archives.

-Marcus
 
On Mon, 22 Sep 2003 06:40:47 -0600, Ken Bessler <[email protected]> wrote:
> Some of the better harvesting programs look for the word "NOSPAM" and remove it from the email
> address, restoring its validity.......D'oh!

So change "NOSPAM" to "SPAMAWAY" or some such.

Or get an email address with the word "SPAM" in it, and let the programs remove the "SPAM", thereby
invalidating the resulting address (see my address).

--
Rick Onanian
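As an added illustration (not from any post in this thread), the Python script below models the naive de-munging Ken Bessler describes, applies it to the munging schemes the posters mention, and classifies what a harvester ends up with, including the bounces-to-your-provider case Werehatrack raises. The de-munging rules, the `demunge`/`classify` names and every sample address pair are assumptions constructed for the example.

```python
import re

# Assumed de-munging heuristics, modelled on the posters' reports that harvesters
# strip "NOSPAM"-style tokens. Real harvesters vary; this is an illustration only.
STRIP_TOKENS = ("NOSPAM", "SPAM")                 # order matters: NOSPAM before SPAM
AT_FORMS = ("_at_", "_at", "(at)", "[at]", " at ")
DOT_FORMS = ("_dot_", "(dot)", "[dot]", " dot ")

def demunge(addr: str) -> str:
    """Undo common munging the way a naive harvester might."""
    out = addr
    for form in AT_FORMS:
        out = out.replace(form, "@")
    for form in DOT_FORMS:
        out = out.replace(form, ".")
    for tok in STRIP_TOKENS:
        out = re.sub(re.escape(tok), "", out, flags=re.IGNORECASE)
    # drop the empty brackets left behind by "(nospam)"-style munging
    return out.replace("()", "").replace("[]", "")

def classify(real: str, munged: str) -> str:
    """Classify what a harvester ends up with after de-munging `munged`.
    RECOVERED          the real address; worm mail reaches the user
    BOUNCES_AT_DOMAIN  wrong user at the real domain; the provider rejects it,
                       so the user is spared but the provider absorbs the load
    DEAD               nothing deliverable-looking at the real domain
    """
    recovered = demunge(munged).lower()
    real = real.lower()
    if recovered == real:
        return "RECOVERED"
    real_domain = real.rsplit("@", 1)[1]
    if "@" in recovered and recovered.rsplit("@", 1)[1] == real_domain:
        return "BOUNCES_AT_DOMAIN"
    return "DEAD"

# Constructed (real address, posted address) pairs for the schemes in the thread.
SAMPLES = [
    ("ekirstein@catskill.net", "ekirstein_atcatskill.net"),    # "@" written as "_at"
    ("gocycle@optonline.net", "gocycleNOSPAM@optonline.net"),  # NOSPAM in the user part
    ("tom@example.net", "tom(nospam)@example.net"),            # "(nospam)" in the user part
    ("rick@example.net", "rickSPAMAWAY@example.net"),          # custom token, user part only
    ("ella@example.net", "ella@WEEDSexample.net"),             # token inside the domain
    ("rick@spamfree.example", "rick@spamfree.example"),        # real address contains "spam"
]

if __name__ == "__main__":
    for real, posted in SAMPLES:
        print(f"{posted:30} -> {demunge(posted):26} {classify(real, posted)}")
```

The first three schemes are undone by the assumed heuristics, a token only in the user part leaves the real provider to absorb the bounces, and a token in the domain or a real address that already contains "spam" leaves the harvester with nothing deliverable.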
 
On Sun, 21 Sep 2003 21:04:31 -0400, Marcus Coles <[email protected]> may have said:

>What makes this worm so much more effective is that ISP's, who previously filtered out this **** to
>save their client the trouble, cannot check for invalid email domains due to the monkey business
>from Verisign. Invalid addresses are resolving to Verisign's search page and therefore the junk
>appears valid. http://www.theinquirer.net/?article=11569

Not effective in any event; Swen uses a forged From: in a valid domain, typically hotmail.com or one
of a short list of others that are impractical to exclude.

>I could be wrong, but I cannot see this thing dynamically harvesting from Google or other NG
>archives.

It doesn't. It harvests from newsreader files on the infected client's system. Once the articles
bearing a given address have aged out and been purged from the nntp spools, the amount of Swen
traffic to that address should decline. The only Windows newsreader of my experience which does not
maintain a harvestable datafile is WinVN, which has perhaps a few thousand users altogether. If a
Swen worm infests a machine that has an extensive unpurged newsreader, the addresses it finds *will*
be pounded.

--
My email address is antispammed; pull WEEDS if replying via e-mail. Yes, I have a killfile. If I
don't respond to something, it's also possible that I'm busy.
 
Werehatrack wrote:

> If a Swen worm infests a machine that has an extensive unpurged newsreader, the addresses it finds
> *will* be pounded.

Boy, have I been getting a pounding. Swallowed my pride and changed my original address. As you can
see the new one is munged.

Kenny Lee

--
Delete "nomospam" from the return address in your reply.
 
In article <[email protected]>, Werehatrack <[email protected]> wrote:

> If a Swen worm infests a machine that has an extensive unpurged newsreader, the addresses it finds
> *will* be pounded.

I'll vouch for that, being up to about 5,000 such e-mails in the past not-quite-4 days. The rate
appeared to be dropping over the weekend, but has showed a sharp uptick today.
 