(Msg. 1) Posted: Thu Sep 25, 2003 2:06 am
Post subject: W32.Swen...Help Make it STOP!!! Archived from groups: alt>comp>virus, others
----- Original Message -----
From: "DebLeppard" <debleppard.RemoveThis@frontiernet.net>
Newsgroups: alt.comp.virus
Sent: Thursday, September 25, 2003 12:19 AM
Subject: W32.Swen...Help Make it STOP!!!
> Does anybody out there know how to make the infected
> emails STOP coming to me. I've tried blocking,
> filtering, Spaminating, I even contacted my server to
> see if they could block all my email for a while. NAV
> only tells me how to clean the worm from my hard drive,
> not how to stop them from coming. I really don't want
> to have to change my email address if anything else can
> be done.
>
> DebLeppard
>
Deb, email administrators are notoriously stupid, so do not look to
them for help. You can do yourself a favor by not posting to usenet
with a valid email address for awhile until those dumbass admins
figure a way to stop this shiat - as posting to usenet is for the most
part how the program sending you the infected emails knows your
address to begin with.
You're welcome,
Ken

(Msg. 2) Posted: Thu Sep 25, 2003 2:37 pm
Post subject: Re: W32.Swen...Help Make it STOP!!! Archived from groups: per prev. post
On Thu, 25 Sep 2003 11:29:54 GMT, Linc Madison <spamtrap.TakeThisOut@lincmad.com>
wrote:
>One thing that your ISP could do that would help quite a lot, would be
>to install antivirus software on their e-mail server. ISPs are
>reluctant to do that for several reasons: it costs money to buy the
>software, it costs money to install the software, and it costs money to
>maintain the software, plus the software will have to balance the risk
>of killing a legit message against the risk of letting a virus through.
>There is no such thing as 100% perfect antivirus software.
There's also the risk of blame. It's a lot simpler to let the user
handle the virus issue than to do it for them and then have to be
blamed for every one which gets through. Some people sue for less
than that. So from the ISP's perspective, it's also a legal liability
to take on a system which puts them into such a situation.
William R. James

(Msg. 3) Posted: Thu Sep 25, 2003 4:07 pm
Post subject: Re: W32.Swen...Help Make it STOP!!! Archived from groups: per prev. post
On Thu, 25 Sep 2003 11:29:54 +0000, Linc Madison wrote:
> The simplest thing you can do to reduce the impact on your computer is to
> set your e-mail program not to download large messages. The Swen.A
> messages are quite large, on the order of 140K or more, but depending on
> the speed of your connection you may want to set a lower limit. For most
> people, 40K is a reasonable limit.
The 2nd part of gibe (the fake bounce) is only 14kB

(Msg. 4) Posted: Thu Sep 25, 2003 4:07 pm
Post subject: Re: W32.Swen...Help Make it STOP!!! Archived from groups: per prev. post
Uncle StoatWarbler wrote:
> On Thu, 25 Sep 2003 11:29:54 +0000, Linc Madison wrote:
>
>
>>The simplest thing you can do to reduce the impact on your computer is to
>>set your e-mail program not to download large messages. The Swen.A
>>messages are quite large, on the order of 140K or more, but depending on
>>the speed of your connection you may want to set a lower limit. For most
>>people, 40K is a reasonable limit.
>
>
> The 2nd part of gibe (the fake bounce) is only 14kB
then the email has probably already been stripped of its infective
content...
--
"hungry people don't stay hungry for long
they get hope from fire and smoke as the weak grow strong
hungry people don't stay hungry for long
they get hope from fire and smoke as they reach for the dawn"

(Msg. 5) Posted: Thu Sep 25, 2003 8:24 pm
Post subject: Re: W32.Swen...Help Make it STOP!!! Archived from groups: per prev. post
"Wm James" <wrjames.remove.TakeThisOut@spamreaper.org> wrote in message news:rmg6nvk6cf3i4k6gf6cub9ddeqmv6trcrp@4ax.com...
> On Thu, 25 Sep 2003 11:29:54 GMT, Linc Madison <spamtrap.TakeThisOut@lincmad.com>
> wrote:
>
> >One thing that your ISP could do that would help quite a lot, would be
> >to install antivirus software on their e-mail server. ISPs are
> >reluctant to do that for several reasons: it costs money to buy the
> >software, it costs money to install the software, and it costs money to
> >maintain the software, plus the software will have to balance the risk
> >of killing a legit message against the risk of letting a virus through.
> >There is no such thing as 100% perfect antivirus software.
>
> There's also the risk of blame. It's a lot simpler to let the user
> handle the virus issue than to do it for them and then have to be
> blamed for every one which gets through. Some people sue for less
> than that. So from the ISP's perspective, it's also a legal liability
> to take on a system which puts them into such a situation.
It is a shame people are so lawsuit happy and ready
to blame others for their own misconduct.

(Msg. 6) Posted: Thu Sep 25, 2003 10:03 pm
Post subject: Re: W32.Swen...Help Make it STOP!!! Archived from groups: per prev. post
On Thu, 25 Sep 2003 20:24:24 -0400, "FromTheRafters"
<!0000@nomad.fake> wrote:
>
>"Wm James" <wrjames.remove.RemoveThis@spamreaper.org> wrote in message news:rmg6nvk6cf3i4k6gf6cub9ddeqmv6trcrp@4ax.com...
>> On Thu, 25 Sep 2003 11:29:54 GMT, Linc Madison <spamtrap.RemoveThis@lincmad.com>
>> wrote:
>>
>> >One thing that your ISP could do that would help quite a lot, would be
>> >to install antivirus software on their e-mail server. ISPs are
>> >reluctant to do that for several reasons: it costs money to buy the
>> >software, it costs money to install the software, and it costs money to
>> >maintain the software, plus the software will have to balance the risk
>> >of killing a legit message against the risk of letting a virus through.
>> >There is no such thing as 100% perfect antivirus software.
>>
>> There's also the risk of blame. It's a lot simpler to let the user
>> handle the virus issue than to do it for them and then have to be
>> blamed for every one which gets through. Some people sue for less
>> than that. So from the ISP's perspective, it's also a legal liability
>> to take on a system which puts them into such a situation.
>
>It is a shame people are so lawsuit happy and ready
>to blame others for their own misconduct.
Agreed. But it's reality in this day and age.
William R. James

(Msg. 7) Posted: Thu Sep 25, 2003 11:34 pm
Post subject: Re: W32.Swen...Help Make it STOP!!! Archived from groups: per prev. post
"Uncle StoatWarbler" <alanb+google4@digistar.com> writes:
>> people, 40K is a reasonable limit.
>
>The 2nd part of gibe (the fake bounce) is only 14kB
Er, no. The fake bounces carry the full payload. If you're seeing something
smaller, it's either a real bounce from a GWAV, or your host's mailserver
is stripping out the infected part. *
--
* PV something like badgers--something like lizards--and something
like corkscrews.

(Msg. 8) Posted: Fri Sep 26, 2003 2:59 am
Post subject: Re: W32.Swen...Help Make it STOP!!! Archived from groups: per prev. post
On Thu, 25 Sep 2003 14:40:16 -0400, kurt wismer wrote:
> then the email has probably already been stripped of its infective
> content...
Nope. It's some form of dropper. I have a couple hundred of them this size.
--
There are 2 sorts of email opt-in lists:
1: Those which can demonstrate the provenance of every subscription request.
2: Fraud

(Msg. 9) Posted: Fri Sep 26, 2003 2:59 am
Post subject: Re: W32.Swen...Help Make it STOP!!! Imported from groups: per prev. post

(Msg. 10) Posted: Fri Sep 26, 2003 2:59 am
Post subject: Re: W32.Swen...Help Make it STOP!!! Archived from groups: per prev. post
Uncle StoatWarbler wrote:
> On Thu, 25 Sep 2003 14:40:16 -0400, kurt wismer wrote:
>
>
>>then the email has probably already been stripped of its infective
>>content...
>
>
> Nope. It's some form of dropper. I have a couple hundred of them this size.
ummm, no... a dropper would contain the worm and therefore be at least
as big as the worm... 14k just isn't big enough to hold swen...
further, the fake bounces i was getting were considerably larger than
14k... more like ~140k... but that was in the beginning, now i'm
getting a lot of neutered versions where the size is anywhere from 1k
to 20k...
--
"hungry people don't stay hungry for long
they get hope from fire and smoke as the weak grow strong
hungry people don't stay hungry for long
they get hope from fire and smoke as they reach for the dawn"

(Msg. 11) Posted: Fri Sep 26, 2003 1:54 pm
Post subject: Re: W32.Swen...Help Make it STOP!!! Archived from groups: per prev. post
"Chris Cowley" <ccowley DeleteThis @swenA-fodder.grok.co.uk> wrote in message news:5q47nvk023ecd0egutiaiqfrlj28p1dkar@4ax.com...
> On Fri, 26 Sep 2003 02:59:12 +0200, "Uncle StoatWarbler"
> <alanb+google4@digistar.com> wrote:
>
> >On Thu, 25 Sep 2003 14:40:16 -0400, kurt wismer wrote:
> >
> >> then the email has probably already been stripped of its infective
> >> content...
> >
> >Nope. It's some form of dropper. I have a couple hundred of them this size.
>
> What's a "dropper"? Just curious as I'm trying to work out what purpose
> those small fake bounces serve. I'd previously assumed the worm's code
> was buggy and it was neglecting to attach the payload to the bounces.
I haven't seen or read about any of those, but some other
worms have had alternate distribution methods (not actually
coded within the worm, thus not replicative) that used an SE
and a "trojan downloader" which is often called a "dropper"
although I'm not sure if that term is entirely adequate.

(Msg. 12) Posted: Sat Oct 04, 2003 2:33 pm
Post subject: Re: W32.Swen...Help Make it STOP!!! Archived from groups: per prev. post
On Thu, 25 Sep 2003 14:40:16 -0400, in <news.admin.net-abuse.email>, kurt
wismer <kurtw RemoveThis @sympatico.ca> wrote:
>
> Uncle StoatWarbler wrote:
>
[snip]
> >
> > The 2nd part of gibe (the fake bounce) is only 14kB
>
> then the email has probably already been stripped of its infective
> content...
I have reason to believe you are correct, in at least some cases.
HOWEVER, in order for that to happen, the message must already be identified
(typically by the outgoing mail server operated by the sender's ISP) as having been
infected -- at which point, there is absolutely NO excuse for inflicting any
part of the message on the target or the target's mail provider. The ONLY
correct destination for that "sanitized" version is the original sender,
accompanied by the service-suspension notice.
--
Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet01[at]appropriate-tech.net
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this domain is expressly prohibited under
47 USC S227 and State Law. Violators are subject to prosecution.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Msg. 13) Posted: Sat Oct 04, 2003 2:33 pm
Post subject: Re: W32.Swen...Help Make it STOP!!! Archived from groups: per prev. post
On Fri, 26 Sep 2003 14:15:35 +0100, in <news.admin.net-abuse.email>, Chris
Cowley <ccowley.RemoveThis@swenA-fodder.grok.co.uk> wrote:
>
[snip]
>
> Thanks. In that case, my theory about the bug in the worm stands, as
> almost none of these fake bounces contain an attachment of any kind,
[snip]
Look again. Unless you're getting something very different than what I've
been seeing, the "duds" (as I've dubbed them, for lack of a better name)
consist of the message body and *three* attachments: two .GIFs (of 3,639
bytes and 359 bytes, respectively, after decoding) and a variously-named
.EXE file of ZERO bytes.
> while the "September 2003, Cumulative Patch" messages almost always
> contain the worm. I therefore don't think it is upstream filtering at
> work.
I do.
More specifically, I think some ISPs have implemented some *really*
brain-dead virus-filtering, which attempts to "de-fang" virus-laden messages
by truncating the infected .EXEs to 0 bytes, but still lets the worm
messages pass on to their (bogus) destinations.
--
Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet01[at]appropriate-tech.net
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this domain is expressly prohibited under
47 USC S227 and State Law. Violators are subject to prosecution.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
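
An added example, not part of any post in this thread: a gateway-side check for the "dud" pattern described in Msg. 13, where an executable attachment has been truncated to zero bytes but the message is still forwarded. Following the view argued in Msg. 12 and 13, both the intact and the truncated case are kept away from the recipient; the function names, the extension list and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist of executable extensions; a real gateway would use a longer one.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")


def classify(raw):
    """Return 'reject-executable', 'reject-defanged' or 'deliver' for a raw message.

    'reject-defanged' is the "dud" case: an executable attachment that an
    upstream filter emptied but still passed along with the rest of the message.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    verdict = "deliver"
    for part in msg.walk():              # walk() also reaches nested multiparts
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if not name.endswith(EXECUTABLE_EXTS):
            continue
        payload = part.get_payload(decode=True) or b""
        if payload:
            return "reject-executable"   # a non-empty executable always wins
        verdict = "reject-defanged"      # zero-byte executable: message is a dud
    return verdict


def build_sample(attachments):
    """Build a constructed test message from (filename, payload) pairs."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body text")
    for filename, payload in attachments:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed placeholder bytes, not real GIF or executable content.
    gifs = [("a.gif", b"GIF89a" + b"\x00" * 10), ("b.gif", b"GIF89a")]
    print(classify(build_sample(gifs + [("patch.exe", b"")])))
    print(classify(build_sample(gifs + [("patch.exe", b"MZ" + b"\x00" * 64)])))
    print(classify(build_sample(gifs)))
```
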

(Msg. 14) Posted: Sat Oct 04, 2003 2:33 pm
Post subject: Re: W32.Swen...Help Make it STOP!!! Archived from groups: per prev. post
On 25 Sep 2003 14:37:08 -0500, in <news.admin.net-abuse.email>, Wm James
<wrjames.remove RemoveThis @spamreaper.org> wrote:
>
[snip]
>
> There's also the risk of blame. It's a lot simpler to let the user
> handle the virus issue than to do it for them and then have to be
> blamed for every one which gets through.
[snip]
Simpler, yes. Flat-out not doing one's job is nearly always "simpler", if
you can get away with it. But it's not ethical or responsible -- especially
when this lame argument is applied to an ISP knowingly and willingly letting
virus/worm traffic emanate from their servers to other networks.
> Some people sue for less
> than that. So from the ISP's perspective, it's also a legal liability
> to take on a system which puts them into such a situation.
>
[snip]
I don't buy that. Deliberately letting ANY virus/worm traffic pass on to
somebody else's network is by definition "reckless disregard" and "gross
negligence". I just went "three rounds" with a Bozo from <demon.net>'s
so-called "Internet Management Centre" over this very issue; I'll post the
details (probably with the [C&C] flag such lunacy deserves) if/when time
permits.
--
Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet01[at]appropriate-tech.net
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this domain is expressly prohibited under
47 USC S227 and State Law. Violators are subject to prosecution.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Msg. 15) Posted: Sat Oct 04, 2003 4:01 pm
Post subject: Re: W32.Swen...Help Make it STOP!!! Archived from groups: per prev. post
Jay T. Blocksom wrote:
> On Thu, 25 Sep 2003 14:40:16 -0400, in <news.admin.net-abuse.email>, kurt
> wismer <kurtw RemoveThis @sympatico.ca> wrote:
[snip]
> > then the email has probably already been stripped of its infective
> > content...
>
> I have reason to believe you are correct, in at least some cases.
>
> HOWEVER, in order for that to happen, the message must already be identified
> (typically by the outgoing mail server operated by the sender's ISP) as having been
> infected -- at which point, there is absolutely NO excuse for inflicting any
> part of the message on the target or the target's mail provider. The ONLY
> correct destination for that "sanitized" version is the original sender,
> accompanied by the service-suspension notice.
assuming that entity can actually be identified, you'll get no argument
here...
--
"hungry people don't stay hungry for long
they get hope from fire and smoke as the weak grow strong
hungry people don't stay hungry for long
they get hope from fire and smoke as they reach for the dawn"