SWEN worm

Jim Satterfield

Since the day the SWEN worm appeared I've been inundated with it
at the office while having no problem at home. No one else in my company has
been getting it. In analyzing what I do differently from everyone else I've
e-mailed the people I deal with by e-mail to warn them that they might have
it and now I'm posting this message to every newsgroup I use at work (mostly
VB and VBA groups) to plead with the users to patch their systems, get or
update antivirus software (there are free ones available) and go to your
favorite security web site to search for a removal tool for this pernicious
worm. It's gotten so bad that my e-mail box fills up over the weekend to the
point of me not receiving legitimate e-mail because my storage limit has
been exceeded because of the size of the attachment that is the SWEN worm.
PLEASE check your systems, folks.
 
Howard Kaikow

Ask your ISP if they have filtering software that can be used at the ISP to
catch such critters before they get downloaded to your system.

My ISP recently made available an implementation of Sieve (RFC 3028).
Using Sieve, I've been able to detect almost all the Swen/Automat critters.

If your ISP provides a tool that allows you to inspect the mail on the mail
server, then, in the interim, set your software to not download any messages
over 100KB and then use that tool to manually delete the messages at the
mail server.
 
JGM

Hi Jim,

Before asking others to do something to prevent troubles at your end (don't
get me wrong, I think it is OK to increase general awareness when a problem
like SWEN arises...), try helping yourself first. For example, do not use your
real e-mail address when posting or replying to newsgroups; you can include it
as text in the message body, but not as the automated address for personal
replies. Also, try using filters at your end to automatically flush Swen
messages (with words like Patch, security, latest update....)

By the way, I saw your message in other NGs; please do not multi-post,
rather, do a cross-post (simultaneously sending the same message to several
NGs by including all the newsgroup addresses in the To: field). Maybe I am
the third one to reply to your post, thus wasting my time repeating what has
been said, and wasting yours because you may be basically reading the same
message over and over....


HTH
Cheers!
 
Jim Satterfield

I am going to contact our company's ISP to ask why they can't filter this if
my home ISP can. I've only received a couple at home but the ISP caught them
and notified me whereas I've received hundreds of them at work with the only
notification from our ISP being a mailbox quota notice. Unfortunately I do
receive legitimate attachments that large or larger for work every so often
so it would be too easy to miss the legitimate ones if I rejected e-mails
with large attachments.
 
Howard Kaikow

I was just suggesting that you tell your email software to not download the
large messages.
You can still go to your ISP and see what they are, deleting the crap, and
then allowing the others to get thru.

IMHO, you do NOT want your ISP to filter for you.
You need to have control.

For example, my ISP is providing a prebuilt macro for Sieve that can be used
by all users, but it is rather weak, as the ISP has to be conservative so as
to not cause users to lose email.

However, MY ISP is also allowing us to provide our own Sieve code, a la RFC
3028, and I have a set of more effective filters.
In some cases, such filters may discard legit email, but them's the breaks.
Swen cannot be filtered with 100% certainty because the headers and body
content do change from variant to variant.

Also, filtering software would normally allow you to save a suspect message
in a, say, "Caught Spam" mailbox at your ISP. You could then visually
determine which you wish to recover.

Ultimately, such checking is too costly, so you design your filters along
the following lines:

1. First discard messages that meet known criteria.
2. For example, I do not accept email from particular persons or domains, so
I just kill them up front.
3. Then check for particular virus.
4. Then have a "whitelist", which accepts ALL messages meeting particular
criteria.
5. Then, after doing all of the above, kill others. I used to filter
messages on my PC that had no To:, From: or Subject: header. Those almost
always turn out to be spam. So today, I changed the filters at my ISP to
discard even those. Note that you must do the "whitelist" before this.
 
Howard Kaikow

Flushing Swen on the PC is way too expensive. Gotta catch them at the ISP
before downloading.

I was getting 700+ per day, each of which was 140KB+.
Takes forever to download and virus scan, not to mention causing full
mailbox errors at the ISP's mail server.
 