Microsoft "Swen" Worm Squiggles Into Sight

greenhide writes "As forecast in this story, a new Microsoft worm has indeed wriggled to the surface. The W32.Swen's claim to fame is its professional looking email advertisement that pretends to be a fake Microsoft patch. Earlier viruses have made the claim, but none of them looked this good. It appears to have infected over 1.5 million machines."
  • I hate this virus (Score:3, Interesting)

    by Free Bird ( 160885 ) on Saturday September 20, 2003 @06:16PM (#7013769)
    It's been flooding my mailbox for more than a day now. Grr...
  • Oh yeah... (Score:5, Interesting)

    by JoeLinux ( 20366 ) <joelinux@gma[ ]com ['il.' in gap]> on Saturday September 20, 2003 @06:18PM (#7013784)
    At work, they have duped over 5 of my colleagues...even AFTER the email went out saying that it was going around. Well, make an OS that any idiot can use, and only idiots will use it, I guess...

    My problem with all these worms is that it doesn't do anything after it propagates, so no one will really care except bandwidth-conscious IT people. It should send itself out, then erase all the FAT tables on a hard drive.

    Or deltree the c:\winnt or c:\windows directory (or both).

    That would REALLY piss people off, who would demand that they do something to make sure that not happen again...like...I dunno...Linux or OSX?

    Just a thought...
  • Weird (Score:2, Interesting)

    by Tidal Flame ( 658452 ) on Saturday September 20, 2003 @06:19PM (#7013787) Homepage
    All of the big internet 'epidemics' so to speak (I Love You, WBlast, and so forth) have completely missed my system. I've been a Windows user for a long, long time and I don't think I've ever received an email containing a virus. Maybe my ISP just has really good filtering... or maybe the viruses only go after American domains... Weird.
  • Worm Load (Score:5, Interesting)

    by m.dillon ( 147925 ) on Saturday September 20, 2003 @06:21PM (#7013797) Homepage
    There were over 4500 attempted deliveries of this 150K+ worm through my mail server overnight, and they are still coming. Easy to filter, but this is by far the worst worm load I've seen to date on my little server.

    On the bright side, deliveries of unrelated spam seem to have fallen due to the worm's load on the internet :-)

  • html (Score:5, Interesting)

    by BWJones ( 18351 ) on Saturday September 20, 2003 @06:26PM (#7013846) Homepage Journal

    So, I have received a number of these (thank goodness I am running OS X) and it appears that the "notification" also contains html. So, examining the html, it appears that it actually references microsoft.com.

    If I were Microsoft, it appears there is a simple way to defeat this by inserting html in the referenced source that warns recipients of this sort of thing.

  • Sobig (Score:2, Interesting)

    by dr ttol ( 674155 ) on Saturday September 20, 2003 @06:29PM (#7013861)
    This is from the creators of Sobig. They are trying to get as many venues to send spam as possible. Once the login/password + smtp info is gathered, it is sent to them and they now have a massive list of credentials to bombard the rest of the world with.
  • by IncohereD ( 513627 ) <<gro.eeei> <ta> <doelcamm>> on Saturday September 20, 2003 @06:30PM (#7013870) Homepage
    ....because they're noticed too quickly. If you destroy your host immediately you're not going to propagate too far, now are you?

    Yes, you could make it a little more complex with time-outs or a way to select certain targets as hosts for more sending and others to destroy, but it wouldn't last and last like some of the recent worms, because its effects would be so noticeable.
  • The SPAM Connection (Score:2, Interesting)

    by CedgeS ( 159076 ) on Saturday September 20, 2003 @06:31PM (#7013873) Homepage Journal
    This worm looks like a clever attempt at developing a new spam system.

    It asks for the infected user's name and email address. Great information for sending spam to.

    It also asks for the user's SMTP server, login name, and password. The spammer who developed this worm is looking for a way to use closed relays.

    This worm is missing only 3 features, currently unreported, to be perfect. First, it should log this information and forward it in some anonymous manner (such as sending it to a few thousand people, one of whom is the desired recipient), second, it should develop not only a list of email addresses, but also a map of who opens email sent to them by whom (so you can be sure the spam gets through), and third it should turn the compromised computer into a distributed SPAM network relay.
  • by ramzak2k ( 596734 ) on Saturday September 20, 2003 @06:33PM (#7013888)
    and say what?
    "Use Mac, have no viruses affect you"?

    The users will sue Apple to glory when they do come across Mac worms. Let's face it, worms will exist as long as there are worm writers. Unless of course Mac and Linux block all incoming attachments (which is what my Outlook Express coincidentally did after a patch) you can't guarantee anyone against worms and ignorant people that will open them. Now security flaws in Windows - that's an entirely different subject.
  • by M. Silver ( 141590 ) <{ten.xyneohp} {ta} {revlis}> on Saturday September 20, 2003 @06:52PM (#7013998) Homepage Journal
    When is the last time your car mechanic told you that you couldn't drive your vehicle because you are an idiot? Does your plumber forbid you from using your faucets?

    I can't speak to the plumber situation, but if you've ever listened to mechanics behind the scenes, they sound *exactly* like computer techs. Sometimes they really *do* wish they could tell people they shouldn't drive a vehicle because they're idiots. (I'm betting body shop folks do even more of that sort of griping...)
  • by ummit ( 248909 ) <scs@eskimo.com> on Saturday September 20, 2003 @06:54PM (#7014010) Homepage
    It's a very good idea these days to just reject all executable attachments...
    If you want to send someone an executable, send it to them in a zip or tar.gz.

    All this does is moves the problem around. It's not a very good idea at all (though unfortunately it's a compelling one).

    1. Soon enough, executable malware will shroud itself in a .zip wrapper (some of it already does), and at the same time, "for convenience", new idiot-aligned (made by and for) email software will make it easy to open attachments inside zip attachments.

    2. Meanwhile, it becomes harder and harder for the rest of us to use e-mail at all, as the number of proscribed message attributes grows and grows. I'm a Unix user, I want to send a fellow Unix user a script which I've placed in a file which I unthinkingly gave a name ending in ".scr", and though the file is not dangerous to me or my recipient or anyone else, it's filtered out on behalf of people who use an operating system which neither I nor my recipient use. Bleah.

    The referenced header checks [securitysage.com] disallow 53 different filename extensions, all of which I now presumably have to remember to avoid using. (The problem is of course exacerbated by Windows' stubborn insistence that extension === file type.)
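    The extension-blocking and zip-wrapping argument above, as an added illustration that is not part of the original thread: a small mail-filter check that walks a MIME message, flags attachments carrying a blocked extension, and also looks one layer inside zip attachments so a wrapped `.scr` is still reported. The blocked-extension list is a constructed subset, not the 53-entry list the comment references, and the sample message is constructed.

    ```python
    import email
    import io
    import zipfile
    from email import policy
    from email.message import EmailMessage

    # Constructed subset of extensions that gateways commonly block;
    # the comment's referenced list has 53 entries, this is not it.
    BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs"}


    def _is_blocked(name: str) -> bool:
        lower = name.lower()
        return any(lower.endswith(ext) for ext in BLOCKED_EXTENSIONS)


    def risky_names_in_zip(data: bytes) -> list[str]:
        """Return member names inside a zip payload whose extension is blocked.
        A payload that is not a valid zip yields no findings."""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return [n for n in zf.namelist() if _is_blocked(n)]
        except zipfile.BadZipFile:
            return []


    def find_risky_attachments(raw: bytes) -> list[tuple[str, str]]:
        """Walk a raw RFC 2822 message and return (filename, reason) for each
        attachment that is blocked outright or is a zip wrapping a blocked name."""
        msg = email.message_from_bytes(raw, policy=policy.default)
        findings = []
        for part in msg.iter_attachments():
            name = part.get_filename() or ""
            if _is_blocked(name):
                findings.append((name, "blocked extension"))
                continue
            if name.lower().endswith(".zip"):
                for member in risky_names_in_zip(part.get_payload(decode=True)):
                    findings.append((name, f"zip contains {member}"))
        return findings


    def build_sample_message() -> bytes:
        """Constructed sample: a fake 'patch' mail with a bare .exe attachment
        and a zip that wraps a .scr next to a harmless text file."""
        msg = EmailMessage()
        msg["From"] = "updates@example.invalid"
        msg["To"] = "user@example.invalid"
        msg["Subject"] = "Latest Internet Security Update"
        msg.set_content("Install the attached update.")
        msg.add_attachment(b"MZ-not-a-real-binary", maintype="application",
                           subtype="octet-stream", filename="patch.exe")
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("update.scr", b"not a real screensaver")
            zf.writestr("readme.txt", b"harmless text")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="update.zip")
        return bytes(msg)
    ```
    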

  • by arkanes ( 521690 ) <arkanes@NoSPam.gmail.com> on Saturday September 20, 2003 @06:54PM (#7014013) Homepage
    Well, in at least one of the copies I received, the virus exe was a big scary looking demon head in my email client (no, not Outlook). You'd think someone who spends the time crafting an email like this wouldn't put a demon head icon in the exe, but whatever.
  • by Orion Blastar ( 457579 ) <orionblastar AT gmail DOT com> on Saturday September 20, 2003 @07:01PM (#7014049) Homepage Journal
    Has a Linux-based virus scanner that can update itself to scan hard drives for known viruses. That way if Windows goes wonky, boot to Knoppix and do a virus scan to see if you got infected.

    That way you won't risk running an infected machine on the Internet and infect others.
  • by wazzzup ( 172351 ) <astromacNO@SPAMfastmail.fm> on Saturday September 20, 2003 @07:35PM (#7014245)
    I'm really hating Microsoft. I've never used Windows and my last and only Intel PC was a 286 running some version of MS-DOS 3. I've just always thought there was something better. If the Mac wasn't around, I'd be using Linux.

    Anywho, I've always just shook my head and wondered why people put up with MS shiite but it's never directly affected me (indirectly, yes) until now. I am simply sick of seeing virus infected emails, emails from my ISP saying I had an email with a virus, emails from friends warning me about the latest worm even though I don't use Windows and reading stories of Mac and Linux users losing services at universities because the staff is too busy patching f*ing Windows boxes.

    As most of us do, at work we use Windows. I had a project that needed to go out this week and we were pulling files over the WAN. The bandwidth was nearly zero. IT eventually found out it was a bunch of desktops in a completely unrelated office that were SMSing the remote server I was accessing to death but they didn't have time to fix it because they were too busy fighting virii on the west coast. Project gets delayed.

    I hate them. I want to see Linux kill Microsoft. Their ill-gotten reign must end. The Penguin must draw and quarter Bill & Co. and burn their remains. I am tired of having to be bothered by Windows and their sheep-like user-herds. I want to use my Mac without having it affected by the crap that spews out of Redmond. I want to know why people aren't looking at Macs and Linux more seriously. I want to know why Apple and IBM are seizing the moment and using this time to educate the masses. I want to know why the MCSE monkeys continue to be blind to the failure of their preferred OS.

    BTW, as you know, I really want Linux to annihilate MS, just don't kill Apple in the process, I like them ;o)
  • Re:Huh? (Score:2, Interesting)

    by westlake ( 615356 ) on Saturday September 20, 2003 @07:46PM (#7014302)
    The article said just viewing the email infects you

    You have to open the attachment.

    Microsoft never e-mails patches or provides a direct, embedded link to an upgrade or patch. Open Source projects like 7-Zip do, I received one this morning, so don't get too cocky, you could be sucked in real easy.

  • Re:Huh? (Score:3, Interesting)

    by Theatetus ( 521747 ) on Saturday September 20, 2003 @07:59PM (#7014365) Journal
    MS picked user friendly over security.

    True. This can happen in Linux too, though. I seem to recall Lindows gives users root by default, and from my small experience with SuSE, they seem to have something similar with being able to "save" your run-as-root permissions for apps.

  • Re:Huh? (Score:3, Interesting)

    by Poofat ( 675020 ) on Saturday September 20, 2003 @08:04PM (#7014391)
    Let's be honest here, anyone dumb enough to think updates come in the mail (even on Linux) would most likely happily comply when it spits out "you must be root to apply this patch."

    I will agree with you that windows takes ease-of-use over security, though XP and 2003 have taken steps to prevent that. One thing that does cheese me off about windows though, is the fact that programs often have more power than the users that run them. Personally, I don't believe anything should have free run of the registry to dump any of its crap in there.
  • Re:Huh? (Score:2, Interesting)

    by A Naughty Moose ( 672032 ) on Saturday September 20, 2003 @08:41PM (#7014576)
    So what you're saying is that you've never connected a Windows machine to the Internet.

    I know that it is hard to believe, but it is possible to have a Windows machine connected to the internet without ever getting a virus. I've never had a virus infect my work PC, which has been connected to the internet since 1997. It's a matter of using common sense: Don't open email from people you don't know (mostly spam). Don't open email in a reader that will automagically execute whatever it opens (ie: unpatched Outlook). Download files from trusted sources, don't run every app that comes your way, keep up to date on the patches, and run your computer behind a firewall. If you do that, you might not even need to have a virus scanner running all the time. (Though I don't recommend this if you're running any sort of business, or routinely let unknown computers connect to your network)

    At home I don't have a virus scanner installed on any of my computers. Every once in a while, I'll download the latest dats from McAfee and run the command line scanner, but so far it's been a waste of time, as it hasn't caught anything yet. At work, I have the corporate mandated Norton, and have yet to receive an infected file, but the risk at work is more than at home, so it makes sense.

    I do fully realize that I am running a risk at home, and with the latest round of viruses, I am tempted to get a virus checker going on the old home PCs, just to be on the safe side. Like most people I'm a firm believer in it can't happen to me ;)
  • by Jack Auf ( 323064 ) on Saturday September 20, 2003 @09:21PM (#7014758) Homepage
    Saw this coming this morning. I don't even have to read CERT, or SANS, or /. anymore to know when the 'Microsoft Worm-O-The-Month' has hit the Windows boxen near me. My net connection slows to a crawl, I can no longer get to most of the sites I frequent, and I can't get to my IMAP server.

    To add insult to injury I haven't run an MS OS since about 1998 - only Linux, OBSD, & OSX.

    I've had to deal with the effects of *others'* carelessness and ignorance for *years* now. Lost productivity (I telecommute), the inconvenience, all my extra time having to tweak my firewall, and all the bandwidth that was rightfully mine that was stolen, the load on my mail server. That times the 100M (or whatever it is) people on the net.

    If Ford made a car that was this poorly made consumers could sue them. At the very least the Feds would step in and force a recall.

    So why haven't the Feds forced a Microsoft recall? Why have there been no class action suits for repeatedly defective products?

    If Windows really does have 92-95% of the desktop market then it's a critical resource and should be treated as such. The Feds would never allow a phone system to continue if it crashed every month, or a rail system that had a major accident every month. It goes against national security.

    If MS has that much market-share then they should be treated as a critical system just like phones or rail and held to the same standards.

  • by Anonymous Coward on Saturday September 20, 2003 @10:10PM (#7014999)
    I completely agree. I run a small business, with one Linux workstation, one Mac OS X workstation, one FreeBSD intranet server, and one FreeBSD 'proper' server. We serve a few dozen clients with the 'proper' server. In the last 36 hours, we've received about ten thousand copies of this virus. I'm not kidding. Half of this happened overnight, and so some of our users have had their mail bouncing due to lack of disk space. We will have to pay for the bandwidth. We have had to put the resources into filtering it out in an efficient manner. We will be the ones crafting the... how shall I put it? Diplomatic email to all of our clients telling them that clicking on attachments and not running Windows Update is FUCKING MORONIC.

    Remind me - what does Microsoft lose out of all of this?

  • by Anguo ( 675311 ) on Saturday September 20, 2003 @10:43PM (#7015119) Homepage

    I have been receiving dozens of copies of this virus in my inbox over the last two days. They look pretty in my kmail spam folder. I usually delete spam from the folder, but they are so pretty I have decided to archive a few of them...

    I read many comments by windows users who say they have used it for so many years and never had a virus, because they are sensible users who patch their OS and never open attachments...

    It may be they are lucky too...

    My brother wrote me yesterday to tell me that his XP box got infected and that of my father too. With both computers, he tried to reinstall XP and go straight to download the patch but, so he tells me, with both computers he got re-infected within 3 minutes of reinstalling the OS. He never got a chance nor the time to download the patch...

    I am sure that my brother didn't open any attachment with any fucking v***us (oops, I meant f***ing virus) within three minutes of installing XP.

    There must be something right that virus writers are doing... and MS must be doing something wrong.

    Meanwhile, POPFile carries on marking those nice looking emails as viruses which Kmail then happily filters out of my way...

  • by Merk ( 25521 ) on Sunday September 21, 2003 @12:38AM (#7015563) Homepage

    I know how you feel. I was getting them at a rate of 1 or 2 every 10 minutes. Ugh. If you happen to be running SpamAssassin, I've got rules that seem to take care of it. Luckily for you, but unluckily for me, I was hit starting on Thursday, so I've had days to tweak the rules.

    Check them out at my web site [infofiend.com]. Feel free to add comments and tweaks there. Oh, and in case you're using maildrop, you can apparently choose not to deliver the message by using if ($MAIL_IS_SPAM) { exit }

    So now my own server is spam free, but unfortunately even though I use Linux at work, the mail server is an Exchange server so... *sigh*

  • My e-mail server (Score:3, Interesting)

    by Nonillion ( 266505 ) on Sunday September 21, 2003 @01:23AM (#7015753)
    My e-mail server has been getting hit by this thing for the past couple of days now. Last count I had hundreds of these e-mails associated with e-mail rejection errors, all in reference to mail I didn't send. Depending on what time of the day it was they were coming from .mx .pl .ro .nl ox.com and so on.

    The e-mail is very deceptive and looks like real e-mail sent from Microsoft. Other than being a pain in the ass it's almost as fun as being /.ed
  • by jonadab ( 583620 ) on Sunday September 21, 2003 @09:34PM (#7021246) Homepage Journal
    > NTFS, which has readonly support

    Indeed. IMO, read/write support for NTFS is one of the top three most overdue features the Linux kernel needs. A versioned filesystem (a la what VMS has, but built from the ground up for Linux) is another. I'm sure there's a third feature as long overdue as these two, but I don't know what it is.
