New virus warning: 'Microsoft' virus
Ian Corrigible
19th September 2003, 22:35
Yet another new WORM virus has been detected "in the wild" and is spreading via e-mail. Known as the Win32/Swen.A@mm or W32/Gibe.E@MM WORM, the infected message arrives in a user's In-Box disguised as a software patch from Microsoft. The intent is to deceive users with false legitimacy so they will open the message and the attachment. Running the attached .EXE file will install the WORM on the user's computer.
Headers include "Use this patch immediately" and "Network update." Senders include "Microsoft" and "Microsoft technical services."
Needless to say, Microsoft does NOT distribute software or patches via e-mail in this way.
I/C
Grainger
20th September 2003, 03:08
Yeah, had loads of these today :mad: Worm.Automat.AHB
Once again I have to wonder - why has Microsoft written an email client that can be taken over in this way? How many of us want, need or use the scripting capabilities of Outlook to send messages to people in the recipient's address book? Is there any legitimate non-virusy/wormy reason for wanting to do this?
And why not just allow people to switch it off so you just have a program that sends and receives emails? Or would that be far too sensible?
Ian Corrigible
20th September 2003, 05:06
Grainger -
There's an article on the need for selectable email preferences at http://news.bbc.co.uk/2/hi/technology/3153229.stm. Apparently, this is already built into Windows Server 2003.
I/C
Bre901
20th September 2003, 05:15
This virus can also come disguised as an "Error notice" from a mail system or similar.
I got something like 70 occurrences of it from this morning, hopefully, my ISP catches it, and I use Netscape mail.
Here is the information on the Symantec website:
http://securityresponse.symantec.com/avcenter/venc/data/
[email protected]
Naples Air Center, Inc.
22nd September 2003, 00:53
Ian Corrigible,
I have been seeing the WORM_SWEN.A (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A) worm in this form:
http://www.trendmicro.com/vinfo/images/worm_swen_a_img1.gif
This looks like a pretty easy one for the ISP Firewalls to filter out and squash. I hope they do it quickly.
Take Care,
Richard
BEagle
24th September 2003, 03:34
Yes, the little to$$ers who send this cr@p out sent me that as well. Fortunately Norton intercepted and devoured it.
With all his money, why doesn't Gates get someone to track down these w@nkers. Preferably a someone armed with a baseball bat and a Desert Eagle Point Five Oh!
nasib
24th September 2003, 03:45
Am I right in thinking that anything contained in the body of an email cannot harbour a virus, worm etc.? The reason I am asking is that I got this email today.
The odd thing is there was no attachment. After the message urging me to install the attached security patch etc. there were hundreds if not thousands of lines of meaningless letters and numbers.
I would obviously not have opened the attachment had there been one. Just trying to confirm that this email can do no harm.
Many thanks
Nasib
Hilico
24th September 2003, 03:48
I've had this twice in the last two days, and I think we should all look on the bright side. At least it wasn't actually from Microsoft.
RomeoTangoFoxtrotMike
24th September 2003, 04:31
Am I right in thinking that anything contained in the body of an email cannot harbour a virus, worm etc.? The reason I am asking is that I got this email today.
No, that is not a safe assumption. Attachments are all contained within the body of the message. And even if they are not correctly constructed as attachments, Microsoft frequently gratuitously attempts to guess what type of content may be in the body, and if it's got something that it thinks might be executable, will have a go at executing it... :yuk: unless you've got the security patches installed (See http://www.microsoft.com/technet/security/bulletin/MS01-027.asp )
I believe that this sort of "feature" is what maglement refers to as a "productivity tool".... :uhoh:
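As an added illustration of the reply above (not code from the thread or from any poster): a Python check that looks for executable content in a raw message, both as a declared attachment and as an undeclared base64 run in the text body, which is what a reader sees as lines of meaningless letters and numbers. The sample message, the extension list and the function names are assumptions constructed for this example.

```python
import base64
import email
import re
from email import policy

# Four or more consecutive base64-looking lines in a text body.
B64_RUN = re.compile(r"(?:^[A-Za-z0-9+/]{40,}={0,2}[ \t]*\r?\n?){4,}", re.MULTILINE)
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed list, extend as needed


def looks_like_pe(data: bytes) -> bool:
    """DOS/Windows executables begin with the two bytes 'MZ'."""
    return data[:2] == b"MZ"


def find_executables(raw: bytes) -> list[str]:
    """Return one finding per piece of executable content in the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        # Case 1: a declared attachment, judged by name and by content.
        if name.endswith(EXEC_EXT) or looks_like_pe(payload):
            findings.append(f"attachment:{name or 'unnamed'}")
            continue
        # Case 2: a text part carrying an undeclared base64 blob inline,
        # e.g. when the MIME structure was broken in transit.
        if part.get_content_maintype() == "text":
            for run in B64_RUN.finditer(payload.decode("latin-1")):
                blob = "".join(run.group(0).split())
                try:
                    head = base64.b64decode(blob[:64])
                except ValueError:  # binascii.Error is a ValueError
                    continue
                if looks_like_pe(head):
                    findings.append("inline-base64-executable")
    return findings


# Constructed sample: harmless 'MZ'-prefixed bytes, not a real program.
_FAKE = base64.encodebytes(b"MZ" + bytes(range(256))).decode()
SAMPLE_BROKEN = ("From: Constructed Sender <sender@example.invalid>\r\n"
                 "Subject: Network update\r\n\r\n"
                 "Install the attached patch.\r\n\r\n" + _FAKE).encode()

if __name__ == "__main__":
    print(find_executables(SAMPLE_BROKEN))
```

A message with no attachment shown in the client can still produce a finding here, because the encoded file travels in the same body as the visible text.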
BlueEagle
24th September 2003, 07:53
nasib, sounds like your machine opened it without asking you first! Time to reconfigure your mail programme perhaps?!
When I did a back-track on this email it came up with the return path as:
[email protected] so what does one make of that!? Mr Putin himself perhaps?;)
Naples Air Center, Inc.
24th September 2003, 09:52
Nasib,
Run this free, online anti virus program just to make sure your computer is clean:
Trend Micro's HouseCall (http://housecall.trendmicro.com)
Take Care,
Richard
Evo
24th September 2003, 14:39
I've had this twice in the last two days, and I think we should all look on the bright side. At least it wasn't actually from Microsoft.
Amen. Their recent Critical Update to fix a DAO vulnerability on XP/2k did an excellent job of killing my XP/Pro box (one of the threads in the System process went into a tight loop using 100% CPU). Had to roll back XP to the initial install and repatch - only around 60 critical updates :mad:. Microsoft are "aware" of the issue, which affects a "small number of systems" and "may be fixed in SP2".
nasib
24th September 2003, 17:32
Quote Nasib,
Run this free, online anti virus program just to make sure your computer is clean:
Trend Micro's HouseCall
Take Care,
Richard Unquote
Done thanks and all seems OK
Nasib
Wing Commander Fowler
28th September 2003, 05:20
I too got this notice - twice. Microsoft don't tend to provide patches in this manner which caused me to look closer and I then read the words carefully. Interestingly enough the wording differed slightly on both and in each case the English was quite poor. That helped me to decide to query it with Microsoft. The fact that the patch was only about 102kb was another clue - Microsoft's own are much more greedy of my phone time (a great source of annoyance!!)
lame
2nd October 2003, 05:09
I hadn't had the pleasure of this email, until last night.
Received it from an address @bigfoot.net, luckily at the same time there was an email from McAfee to say that it contained this worm/virus, and they had quarantined it.
McAfee also asked me to forward the email to the Postmaster at the applicable ISP (Bigfoot in my case), which I did however it only bounced?
Be VERY careful............
RomeoTangoFoxtrotMike
2nd October 2003, 06:24
McAfee also asked me to forward the email to the Postmaster at the applicable ISP (Bigfoot in my case), which I did however it only bounced?
At the risk of breaching netiquette by quoting myself from another thread (http://www.pprune.org/forums/showthread.php?s=&threadid=101677) ...
Just to followup on the info already given, many viruses these days contain their own mail software, which enables them to self-propagate. They steal email addresses from wherever they can find it on the infected system (the Outlook addressbook is, of course, the favourite) and use them as both the set of recipients for further infection attempts, and as a list of forged send addresses.
Somebody else, who just happened to have your email address, got infected, probably by Sobig-F. That system started emailing lots of other people copies of the worm, some of which will have had your email address forged in them. Hence you get bombarded with messages from any recipient who has got AV software on their mail system (and there's nothing that you can really do about it)
All pretty evil, huh :mad:
The sender address was probably forged and it's quite likely that the postmaster at the site you sent it to was fed-up with all the reports and bouncing them... not really acceptable, but understandable :rolleyes:
One of the mail systems RTFM runs rejected over 200,000 copies of Sobig-F the weekend it came out. Sending back that many warning messages would itself constitute a Denial-of-Service attack on many smaller mail systems... :ooh:
lame
2nd October 2003, 12:23
I only sent it to that postmaster because the email from McAfee asked me to, I thought it may help stop it.
Just had another copy of the phony email pretending to be from Microsoft. :(
RomeoTangoFoxtrotMike
3rd October 2003, 05:09
In the case of viruses with their own built in mail software, there isn't a great deal of point in emailing anybody (or their postmaster) whose name is mentioned in the message. That's because both the sender and recipient addresses have been stolen out of the real victim's addressbook (who is very difficult to identify from the information that is easily available).
The most common culprits in this category are:
Klez
Yaha
Gibe/Swen
Sobig
lame
3rd October 2003, 06:47
Just had it again, this time according to McAfee, from an address @freemail.com. :(
However this time I ignored their advice to email the postmaster, and took your advice and didn't, just deleted it. :ok:
Unwell_Raptor
3rd October 2003, 06:57
I have had two of the dud eBay emails today, asking to revalidate my account. My ISP filter missed it, but I spotted it.