| Subject: Re: Please scan your computers for viruses |
| From: AthlonRob |
| Date: 24/09/2003, 19:36 |
On Wed, 24 Sep 2003 10:13:36 -0700, Dave Trapnell <dtresearch@earthlink.net> wrote:
> I have so far received more than a thousand Worm.Automat.AHB
> viruses (viri?) in my inbox. They are sometimes coming in at
> about eight or more per hour, and as they are more than 1/8
> megabytes each, they are becoming difficult to manage, as my
> inbox fills up and my legitimate email starts to bounce.

Fun stuff, huh?

The worm you're getting blasted by is better known as 'Swen.'
It's a nasty bugger; I've never seen one spread so much before, just
from my local experience. The virus, unfortunately, randomly scans
newsgroups from a user's NNTP server. That is, after it infects your
system, it figures out what NNTP server you use, and scans random
newsgroups on that server for email addresses (all accounts seem to
point to it just checking the FROM header, FWIW). It also scans many
other places, but those aren't as important just now.

The virus then emails itself out to the addresses it harvests. It
actually has two methods to execute itself on systems: The first is a
two-year-old lookOut/lookOut Express security hole which allowed the
automatic execution of these things. If your system gets infected that
way, I think they should take your keyboard away for good. The second
method is tricking people into running it. You see what looks like a
legitimate email from Microsoft with a patch attached... so you execute
the attached file, and bam, you're infected. Microsoft *never* emails
files out like that.

Anyway... you aren't using a munged FROM header, so the virus (and
spammers, too, BTW) are easily able to pick up your email address.
If you include your email address in the body of your posts, *not*
in the headers, you'll find you notice fewer junk emails coming in
as well as fewer of these viruses. Most news servers won't hold a
single one of your posts for very long (a few weeks, max)... so as
soon as all of your old posts have expired, you'll not get as many
of these kinds of worms... I'm sure this one's idea of scouring as
many usenet posts as possible for email addresses will catch on as
time goes by.

Read up on the worm at:
http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html
--
Rob | If not safe,
Email and Jabber: | one can never be free.
athlonrob at axpr dot net |