View Full Version : Virus Warning

19-09-2003, 10:29 AM
I very rarely receive viruses via email, but since I received four today purporting to be from Microsoft Internet Security and to install a security patch for IE, O and OE (deleted by IHUG's ISpy) I thought I would warn everyone to be vigilant. I am not sure what the virus was but two of the file names were upgrade465.exe and gdall.exe.

Oxie (Lyn)

19-09-2003, 11:06 AM
Well, now I have received six emails in a matter of hours. The virus doing the rounds is Worm_Swen.a. Read about it here (http://www.symantec.com/avcenter/venc/data/w32.swen.a@mm.html)

19-09-2003, 03:01 PM
As a matter of interest is anyone else receiving these viruses, or is it just me? I have had at least 12 today.

Oxie (Lyn)

19-09-2003, 04:00 PM
Yes, I've had at leasy twenty since 6 am. today. The funny thing is that the first ones did not contain a virus. The last ten or so have. Luckily Norton picked them up.

19-09-2003, 04:22 PM

Yes only half of mine contained the virus and the other dozen didn't. I wonder when they are going to stop coming.

Lyn (Oxie)

19-09-2003, 04:28 PM
Hi Oxie,

Looks like AVG was a little late to catch that I-worm Swen.a,as they only updated at mid-night(our time)

Symantec on the otherhand,as always updated their ref-files a day earlier!

Bad luck eh?


19-09-2003, 04:38 PM
Wow, that is bad luck. I am thankful I updated yesterday and I must say I am impressed that IHUG's ISPY has picked it up all day which means they do keep up-to-date.

Oxie (Lyn)

bk T
19-09-2003, 05:17 PM
I received 3 yesterday and they all picked up by NAV. Surprisingly Xtra did not pick them up!


19-09-2003, 05:35 PM
They are being received in Australia too. Everyone on the news group is complaining

19-09-2003, 09:48 PM
Just turned my computer back on. It's been off since 5 pm.
15 newe virus e-mails.

20-09-2003, 12:13 AM
> Just turned my computer back on. It's been off since
> 5 pm.
> 15 newe virus e-mails.

Wow! I have not had any yet! *Touch wood*

20-09-2003, 05:00 AM
I thank god I don't use either and have no worries.

20-09-2003, 07:31 AM
82 e-mails this am. All contain a virus. Most of them say they are from Microsoft.

20-09-2003, 10:15 AM
Yeah it sux I got about 50 You would of thought @#$%&%$ Xtra would of killed them at their server. Also my "updated" NAV let them through.


20-09-2003, 10:56 AM

Count yourself lucky. This morning when I turned my computer on I had over 70 emails (that had been stripped of the virus by IHUG). Poor Mailwasher could not handle the number and froze on me. So instead of downloading all the emails I was fortunate enough to be able to delete them through Ihug's Mailgateway.

Oxie (Lyn)

20-09-2003, 11:23 AM
Currently 166 e-mails. Would you believe my ISP (iprolink) can't do anything about them until Monday. They operate their help service from home. By Monday I'll have a new ISP

20-09-2003, 11:33 AM
If the emails are coming from the same addresses you can set your email client filter to delete the emails on the server instead of downloading.

Billy T
20-09-2003, 12:04 PM
> Yeah it sux I got about 50 You would of thought
> @#$%&%$ Xtra would of killed them at their server.
> Also my "updated" NAV let them through.
> tedheath

Maybe you need to look a little closer at your system configuration and surfing habits Ted. Xtra has never failed to pre-strip virus payloads form emails for me, and Nortons AV has not once let me down either, though I note that the automatic on-line update service has been pretty active over the last 24 hours with at least three updates received.

However, despite having 9 email addresses, one of which I found to have been previously used by a porn enthusiast (and consequently gets a lot of spam) I have not had an email virus from this current exploit!


Billy 8-{)

20-09-2003, 12:19 PM
I concur with Billy

I am not receiving any virus e-mails.
My email address is posted on several web pages (as it is required to be for work related issues), and yet I get almost no spam.
I have several other addresses, which I use to register any software or for site access. These get a low level of spam, still no viruses.

Xtra is my main ISP, they also host my domain name.

23-09-2003, 02:20 PM
Having my own domain and therefore no ISP filtering, I must have been hit by over 1000 since Friday (I gave up counting!).
I know several other people who have been hit with this sort of frequency, too.
I'm just killing them all on the server every 15 minutes using mailwasher, but this level of e-mail traffic has to be putting things under stress - I'd guess that the traffic from the worm must be around the order of magnitude of legitimate traffic at the moment. I was surprised not to see fresh stories about it today.

23-09-2003, 03:17 PM

I guess we are the unlucky ones then. I am receiving over 100 emails with the virus (which has been stripped by IHUG) per day. Luckily I can delete, like you, in Mailwasher too before downloading. However, I hate to think what is going to happen when I go away for a few weeks soon and won't be able to clear out the emails frequently. I have spam filtering, but this is not deleting the messages as they are not from spammers. Unfortunately, this worm does not do any damage - except mass emailing of itself. So no doubt those that are infected do not even know that they are infected.

Oxie (Lyn)

Billy T
23-09-2003, 03:27 PM
Time for some serious thinking :|

So what is the difference between my and Godfather's situations that keeps us relatively spam and virus free? My business email is also posted on the net for all to see, I surf extensively every week, not always wisely, I have five computers currently hooked up to the web via a full time online Jetstream connection yet I don't get troubled by viruses.

I do keep my AV up to date with auto-update, I have ZoneAlarm on all computers (but with only basic protections enabled) and Xtra has been pre-cleaning in recent times.

Since 1993 I have had no infections, but have found "Stoned" on a 5" floppy, picked up one hoax virus, had ZA quarantine two possible viruses that I dumped without further ado, and Xtra killed the Bugbear. That is 5 virus exploits in 10 years!

I don't believe in divine protection, so there has to be a fundamental flaw in the computer set up or surfing habits of those who do. I mean, 88 virus packages in one day? Is there any common thread that victims of such overkill can follow up to protect themselves in future?

Is omething fundamentally out of whack here. ?:|


Billy 8-{)

23-09-2003, 03:39 PM
Like Oxie I am still collecting Spam. I changed ISP's on Saturday. I too am now with Ihug. On Saturday I sent a cc. e-mail to all in my address book. Four hours later a steady stream of spam began arriving. With Ihug the viruses are being removed. And they are all spam-filtered. As of now the filter has removed exactly one e-mail. At present spam is averaging 5-6 pieces per hour. Day and night.
It would seem that someone in my address book has a virus that is sending contacts.
I have tried tracking it and it seems to be comming from or passing through Qwest.net. An ISP in the USA. I looked their web site up. To e-mail them you need a user name and password.

23-09-2003, 03:44 PM
I got a phone call from my old ISP last night. He said there was 64 Mbs. in my old e-mail box. What do I want to do with them? I told him !!!!!!

23-09-2003, 03:47 PM
Billy T
I too wonder why I am affected and not you. Since 1996 I have never ever been infected by a virus. I do not visit unsavoury sites. I have only ever subscribed to about five places - usually to do with travel. I do have my email address on my personal homepage (but hey it has been there 7 years). Until a year ago I was lucky to receive 1 spam every 6 weeks. I also have my business email address at my domain name business website. And guess what? I have never received one piece of spam to that address. Freeparking hosts my buiness site, but IHUG is my provider and hosts my personal homepage.

So tell me what am I doing wrong?

Oxie (Lyn)

23-09-2003, 03:52 PM

You have just confirmed to me that there is even little point in me changing email addresses, as like you say as soon as I email everyone in my address book I am bound to start receiving the virus emails again as they obviously have my email address in theirs.

Lyn (Oxie)

23-09-2003, 03:56 PM
> On Saturday I sent a cc. e-mail to all in my address book.

What you have done in this case is put a list of all of your contact e-mail addresses in many places you have no control over.
It only needs 1 of these recipients to have a harvesting trojan running unknown to the PC user, and you have neatly given all the addresses to a spammer.

Never, ever use CC for a list of e-mails.
Use BCC, then each recipient only sees their e-mail address.

Jim B
23-09-2003, 04:01 PM
Don't get too smug Billy T the reason you are not getting these emails is just luck and nothing to do with your pure surfing habits.

These are not spam emails, they are sent by virus infected computers which are picking up email addresses located on that computer.

W32.Swen.A@mm is a mass-mailing worm that uses its own SMTP engine to spread itself. It attempts to spread through file-sharing networks, such as KaZaA and IRC, and attempts to kill antivirus and personal firewall programs running on a computer.
It is worth reading the Symantec information as the Microsoft update that it refers to is very cleverly done and no doubt is tricking many people to open the attachment.
Info here (http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html)

Searches the .html, .asp, .eml, .dbx, .wab, and .mbx files on the hard disk for email addresses.

Creates the file, %Windir%\Germs0.dbv, where it stores the email addresses it has found.

. Creates the file, %Windir%\Swen1.dat, where it stores a list of remote news and mail servers.

Drops a %ComputerName%.bat file, which executes the worm and a randomly named configuration file to store the local, machine-specific data.

23-09-2003, 04:01 PM

I quite agree with you there. One should always use BBC or if I were emailing everyone in my address book I would use a distribution list which is a lot more efficient.


23-09-2003, 04:18 PM
Don't get too smug Billy T the reason you are not getting these emails is just luck and nothing to do with your pure surfing habits

I agree he is just lucky, but walking around like a peacock saying I aint getting any spam. Just remember what happened to the noisy peacocks in Isel Park in Nelson lol.
I must have deleted a thousand of these emails in my yahoo,hotmail and extra accounts.
Its big news on CNN and BBC websites


23-09-2003, 04:50 PM
> Is there any common thread that
> victims of such overkill can follow up to protect
> themselves in future?
> Is something fundamentally out of whack here. ?:|
> Cheers
> Billy 8-{)

Billy, I think you'll find that the lower levels of viruses you receive is based on the level of intelligence of the people that you use email to converse with. If they're protected it also increases your protection.

I also don't get any viruses or spams to my main email accounts. The only recent viruses I've received have been when someone has said via instant messaging to me "I got another virus today in the mail" or something to that affect and I request that they send it to me. I can then disable NAV and still not get infected by it.

I get spam and viruses by the bucket load to hotmail accounts though. Everything else is spam free apart from one of my other addresses which is solely used for posting news on a website which is rather high up in some google searh results so is expected that the bots will be crawling the site periodically.

23-09-2003, 04:56 PM
Yes godfather I know that, but sometimes I act without thinking.
In fact while I was sending them I was thinking, "That's fixed that **** and his viruses.

Billy T
23-09-2003, 08:13 PM
> Don't get too smug Billy T the reason you are not
> getting these emails is just luck and nothing to do
> with your pure surfing habits.

I'm not smug Jim, and no, my surfing habits are not pure. I have a huge email address book, and I am guilty of forwarding jokes and other time-wasting trivia from time to time. My comments were aimed at prompting debate that might help identify some rationale behind the wide disparity in spam and virus experience among PF1'ers.

It may be just a matter of chance, but somehow I don't really think that is likely. There must be some points of difference that could allow us all to minimise our risk. There must be something different about the way we operate our systems that allows such a wide variation in experience, even if it finally comes down to the good or bad habits of the people we correspond with.

For example, I have one email address similar to [jack at free dot net dot nz] for my son, I have had it for 3 years now and prior to us it was used by a young guy whose tastes ranged from game sites and self-help career advisors, through to an eclectic range of porn providers. He subscribed widely but not wisely and it took months to get them all unsubscribed, though the exercise was helped immensely by the generally poor security protocols which gave me access to his logon names and passwords with relative ease. One site even gave me his full personal details including CV, phone number and address!

We eventually cleaned it up and now we are down to 2-3 spams a day on that address. My point is that even used and abused email addresses do not invite floods of spam, and no virus emails have turned up yet.

And so, the search for enlightenment goes on. :|


Billy 8-{) :|

23-09-2003, 11:47 PM
Any ISP you only need to add abuse in front and they are usually very quick to answer. I have done it frquently requesting the removal of the spammer and I would say I was about 85% successful. If everyone was to do the same it would certainly destroy most spammers. What gets me is you can filter spam but by doing that you are doing nothing to get rid of it and unless you are deleting it at the server it is still costing you.

23-09-2003, 11:51 PM
If Nav let them through can you really blame Xtra.

24-09-2003, 07:54 AM
Qwest IP Abuse abuse@qwest.net +1-877-886-6515

Qwest IP Admin ipadmin@qwest.com +1-877-886-6515

Qwest IP NOC support@qwestip.net +1-877-886-6515

Above is some of the contact details for qwest.net

24-09-2003, 08:49 AM
abuse-nonverbose@qwest.net. is even better. You don't get a machine reply