Yet another Mass e-mail worm TM - Gibe-F/Swen-A - E-mail from Microsoft

Discussion in 'Computer Security' started by Lord Shaolin, Sep 19, 2003.

  1. Lord Shaolin

    Lord Shaolin, Sep 19, 2003
    #1

  2. Moonlit

    Yes,

    Got one too. Looks almost genuine (except for the fact Microsoft never sends
    out patches). I wonder what the 'patch' does?

    Regards, Ron AF Greve

    "Lord Shaolin" <abuse@127.0.0.1> wrote in message
    news:q1uab.7517$9.net...
    > Nice Icon
    >
    > Nice GUI
    >
    > Asks you to fill in all your mail-server details, pretty nifty piece of
    > code.
    >
    > More info here:
    >
    > http://www.security-forums.com/forum/viewtopic.php?t=8447
    >
    > --
    > Get your Geek Goodies!
    > http://shop.security-forums.com
    >
    > .: http://www.security-forums.com :.
    >
    > Share your knowledge
    > It's a way to achieve
    > Immortality.
    >
    >
     
    Moonlit, Sep 19, 2003
    #2

  3. John

    John, Sep 19, 2003
    #3
  4. kyra

    Re: Yet another Mass e-mail worm TM - Gibe-F/Swen-A - E-mail from Microsoft

    John wrote:
    > On Fri, 19 Sep 2003 12:56:10 +0200, "Moonlit"
    > <> wrote:
    >
    >
    >>Yes,
    >>
    >>Got one too. Looks almost genuine (except for the fact microsoft never sends
    >>out patches). I wonder what the 'patch' does?
    >>

    >
    > Quite a lot of info here :-
    >
    > http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100662

    uggg I just got 120 in 4 hrs

    --
    http://aleeya.net

    Tell me and I'll forget.
    Show me and I'll remember.
    Involve me and I will learn.


    Give a man a fish, feed him for a day.
    Teach a man to fish, feed him for a lifetime.
     
    kyra, Sep 19, 2003
    #4
  5. Mimic

    "kyra" <> wrote in message
    news:pXCab.2135$2.webusenet.com...
    > John wrote:
    > > On Fri, 19 Sep 2003 12:56:10 +0200, "Moonlit"
    > > <> wrote:
    > >
    > >
    > >>Yes,
    > >>
    > >>Got one too. Looks almost genuine (except for the fact microsoft never sends
    > >>out patches). I wonder what the 'patch' does?
    > >>

    > >
    > > Quite a lot of info here :-
    > >
    > > http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100662

    > uggg i just got 120 in 4 hrs
    >
    > --
    > http://aleeya.net
    >
    > Tell me and I'll forget.
    > Show me and I'll remember.
    > Involve me and I will learn.
    >
    >
    > Give a man a fish, feed him for a day.
    > Teach a man to fish, feed him for a lifetime.
    >
    >


    that's what you get for posting your mail addy to
    www.free-boobie-pics-mail-me.com ;D

    --
    Mimic

    "Without Knowledge you have fear, With fear you create your own nightmares."
    "There are 10 types of people in this world. Those that understand Binary,
    and those that dont."
    "C makes it easy to shoot yourself in the foot. C++ makes it harder, but
    when you do, it blows away your whole leg"
     
    Mimic, Sep 19, 2003
    #5
  6. Mimic

    "Lord Shaolin" <abuse@127.0.0.1> wrote in message
    news:q1uab.7517$9.net...
    > Nice Icon
    >
    > Nice GUI
    >
    > Asks you to fill in all your mail-server details, pretty nifty piece of
    > code.
    >
    > More info here:
    >
    > http://www.security-forums.com/forum/viewtopic.php?t=8447
    >
    >


    Nice to see someone taking pride and effort in their work :p

    --
    Mimic

    "Without Knowledge you have fear, With fear you create your own nightmares."
    "There are 10 types of people in this world. Those that understand Binary,
    and those that dont."
    "C makes it easy to shoot yourself in the foot. C++ makes it harder, but
    when you do, it blows away your whole leg"
     
    Mimic, Sep 19, 2003
    #6
  7. Mimic

    "Lord Shaolin" <abuse@127.0.0.1> wrote in message
    news:q1uab.7517$9.net...
    > Nice Icon
    >
    > Nice GUI
    >
    > Asks you to fill in all your mail-server details, pretty nifty piece of
    > code.
    >
    > More info here:
    >
    > http://www.security-forums.com/forum/viewtopic.php?t=8447


    heh, well if people are stupid enough to open exes from their email. I'm
    assuming it spoofs the From field as M$? Otherwise it's gunna look even more
    strange if all your mates are sending you patches, I guess... hrmmm...... .

    Anyway, I don't know if I mentioned it, but I don't run AV software, I used to
    occasionally scan when I got updates from work, but I'm too lazy. Anyway, I
    got my first virus in 6 years the other day wooooooooo. Or should I say my
    first infection. Blaster Worm :p anyway, I got the RPC error so I knew
    summink was up, then my firewall kicked off. In about 30 secs I knew where it
    came from (Kazaa :p), identified the file, killed it, killed the process and
    removed all entries, completely clean. But just to be safe I downloaded the
    AV scan/patch, over 20 fucking minutes it took and the result, to summarize
    exactly what I had done (and what it failed to as I was clean). Bah to it
    all :p

    --
    Mimic

    "Without Knowledge you have fear, With fear you create your own nightmares."
    "There are 10 types of people in this world. Those that understand Binary,
    and those that dont."
    "C makes it easy to shoot yourself in the foot. C++ makes it harder, but
    when you do, it blows away your whole leg"
     
    Mimic, Sep 19, 2003
    #7
  8. Moonlit

    Hi,

    Thanks for the link, so it is mainly replicating and a major nuisance (with
    the false error messages).

    Regards Ron.
    "John" <> wrote in message
    news:...
    > On Fri, 19 Sep 2003 12:56:10 +0200, "Moonlit"
    > <> wrote:
    >
    > >Yes,
    > >
    > >Got one too. Looks almost genuine (except for the fact microsoft never sends
    > >out patches). I wonder what the 'patch' does?
    > >

    > Quite a lot of info here :-
    >
    > http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100662
     
    Moonlit, Sep 19, 2003
    #8
  9. Moonlit

    Hi,

    It looks so real I think this one is going to beat a lot of other viruses
    (as one said, this virus relies heavily on social engineering and
    unfortunately that works).

    Luckily I only got two in the past 24 hours.

    Regards, Ron AF Greve.

    "kyra" <> wrote in message
    news:pXCab.2135$2.webusenet.com...
    > John wrote:
    > > On Fri, 19 Sep 2003 12:56:10 +0200, "Moonlit"
    > > <> wrote:
    > >
    > >
    > >>Yes,
    > >>
    > >>Got one too. Looks almost genuine (except for the fact microsoft never sends
    > >>out patches). I wonder what the 'patch' does?
    > >>

    > >
    > > Quite a lot of info here :-
    > >
    > > http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100662

    > uggg i just got 120 in 4 hrs
    >
    > --
    > http://aleeya.net
    >
    > Tell me and I'll forget.
    > Show me and I'll remember.
    > Involve me and I will learn.
    >
    >
    > Give a man a fish, feed him for a day.
    > Teach a man to fish, feed him for a lifetime.
    >
    >
     
    Moonlit, Sep 19, 2003
    #9
  10. Alun Jones [MS MVP]

    In article <>, "Mimic" <> wrote:
    >heh, well if people are stupid enough to open exes from their email. I'm
    >assuming it spoofs the From field as M$? Otherwise it's gunna look even more
    >strange if all your mates are sending you patches, I guess... hrmmm...... .


    As you say, people are stupid (I prefer to say "naive" or "ignorant" - it's
    slightly more polite). Yes, the virus spoofs to make it look like it comes
    from the right place. It'd probably spread even if it didn't - it looks so
    pretty that some people just have to click - they'd probably even follow
    instructions to open a zip file, enter a password, open the file, save it to
    their network server, and run it. Social engineering exploits that one big
    bug that no one can quite manage to fix.

    >Anyway, i dont know if i mentioned it, but i dont run AV software, i used to
    >occasionally scan when i got updates from work, but i'm too lazy. Anyway, i
    >got my first virus in 6 years the other day wooooooooo. Or should i say my
    >first infection. Blaster Worm :p anyway, i got the rpc error so i knew
    >summink was up, then my firewall kicked off. in about 30secs i knew where it
    >came from (kazaa :p), identified the file, killed it, killed the process and
    >removed all entries, completely clean. But just to be safe i downloaded the
    >AV scan/patch, over 20 fucking minutes it took and the result, to summarize
    >exactly what i had done (and what it failed to as i was clean). Bah to it
    >all :p


    Ooh, you're soooo butch!

    Yeah, I hear you on the "I don't run AV software" thing - for the most part,
    it's a waste of time for someone who reads the right lists and has a good
    amount of knowledge. But then, that's not the same group of people that are
    clicking on attachments, is it? The "click anything with a blue line under
    it" brigade need some form of automated protection.

    [If MS didn't exist, and we were all using Linux, these guys would _still_
    save attachments out to the disk, drop into a shell, and execute away!]

    Alun.
    ~~~~

    [Please don't email posters, if a Usenet response is appropriate.]
    --
    Texas Imperial Software | Find us at http://www.wftpd.com or email
    1602 Harvest Moon Place | .
    Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP servers.
    Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
     
    Alun Jones [MS MVP], Sep 19, 2003
    #10
  11. Jim Watt

    On Fri, 19 Sep 2003 03:41:12 +0100, "Lord Shaolin" <abuse@127.0.0.1>
    wrote:

    >Nice Icon
    >
    >Nice GUI
    >
    >Asks you to fill in all your mail-server details, pretty nifty piece of
    >code.


    Hell it should be able to find that out for itself :)

    The MS patch thing seems rampant here, just got six.


    --
    Jim Watt http://www.gibnet.com
     
    Jim Watt, Sep 20, 2003
    #11
  12. Dave

    The problem here is not the virus, which is easily detected by a number of
    AV programs, but the jamming of email boxes. One of my boxes has 1210
    messages, all with 106KB attachments, just in the last few hours. I can't
    download all those messages to sift out the real ones, so that effectively
    renders this box useless.



    This is a box I opened recently, so I know pretty much where the spam is
    coming from. I used the address in posting to comp.os.linux.misc, and
    comp.os.ms-windows.misc. I was even careful to modify the address, so it
    could only be used by a real person not a robot. Someone is making a big
    effort to spread this worm.



    I guess the only solution is to never use your real identity or email
    address in a newsgroup.



    - Dave
     
    Dave, Sep 20, 2003
    #12
  13. Rev Turd Fredericks

    Mimic wrote:
    > "Lord Shaolin" <abuse@127.0.0.1> wrote in message
    > news:q1uab.7517$9.net...
    >> Nice Icon
    >>
    >> Nice GUI
    >>
    >> Asks you to fill in all your mail-server details, pretty nifty piece
    >> of code.
    >>
    >> More info here:
    >>
    >> http://www.security-forums.com/forum/viewtopic.php?t=8447

    >
    > heh, well if people are stupid enough to open exes from their email.
    > I'm assuming it spoofs the From field as M$? Otherwise it's gunna look even
    > more strange if all your mates are sending you patches, I guess...
    > hrmmm...... .
    >

    Speaking from experience, (I have gotten well over 200 of them in the
    last 36 hours), it looks a lot like the work of a hipcrime bot, lots of
    different headers and lots of nonsensical addresses etc. It's a fucking
    pain in the ass if you ask me. My webmail has filters but they are
    pretty weak, they don't allow regular expressions but I finally figured
    out how to filter them to the trash by specifying the mime type in the
    header which is something the bot/virus/worm can't change if it wants to
    send me an attachment.


    > Anyway, i dont know if i mentioned it, but i dont run AV software, i
    > used to
    > occasionally scan when i got updates from work, but i'm too lazy.
    > Anyway, i
    > got my first virus in 6 years the other day wooooooooo. Or should i
    > say my
    > first infection. Blaster Worm :p anyway, i got the rpc error so i
    > knew
    > summink was up, then my firewall kicked off. in about 30secs i knew
    > where it
    > came from (kazaa :p), identified the file, killed it, killed the
    > process and
    > removed all entries, completely clean. But just to be safe i
    > downloaded the
    > AV scan/patch, over 20 fucking minutes it took and the result, to
    > summarize
    > exactly what i had done (and what it failed to as i was clean). Bah to
    > it
    > all :p


    I don't run AV software either because it's a pain in the ass and can
    bring even the most powerful computer to its knees just running in the
    background. AV software is useless for protecting you from the latest
    viri anyway. When they come up with "forward looking" anti-virus
    software I might be interested. My wife got the msblast virus merely by
    turning off her firewall to play a game. It happened the same day I read
    about it, and I was going to implement the necessary changes to her
    computer when she finished playing; instead I had to clean it up.
    Anti-virus definitions weren't even available at the time she became
    infected (not that it would have done any good because she wasn't
    running anti-virus anyway).
     
    Rev Turd Fredericks, Sep 20, 2003
    #13
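    The filter Rev Turd Fredericks describes (key on the MIME headers of the attachment, which the worm cannot omit if it wants to deliver a file) and the mailbox-jamming Dave reports are both worth seeing as a concrete mail rule. The following is an added example, not code from this thread or from any poster: it parses raw messages with Python's standard `email` library, trashes anything that carries an executable attachment, and records as a second reason a From: header that claims to be Microsoft. The sample messages, sender names and `.example`/`.invalid` domains are all constructed for the example.

```python
"""Classify incoming mail the way the thread's posters filter Swen/Gibe mail.

Added example (not the thread's code). Stdlib only. Verdict "trash" is driven
by the attachment's MIME type / file extension; a Microsoft-branded From:
header is recorded as an extra reason but is never enough on its own.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions and MIME types a mailbox rule can key on (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com"}
EXECUTABLE_MIME_TYPES = {"application/octet-stream", "application/x-msdownload"}


def attachment_reasons(msg):
    """Return one reason string per executable-looking attachment in msg."""
    reasons = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container part, not a body
        filename = part.get_filename()
        if part.get_content_disposition() != "attachment" and not filename:
            continue  # inline body text
        ctype = part.get_content_type()
        ext = os.path.splitext(filename or "")[1].lower()
        if ctype in EXECUTABLE_MIME_TYPES or ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable attachment {filename!r} of type {ctype}")
    return reasons


def sender_reasons(msg):
    """Flag a From: header whose display name or address claims Microsoft."""
    name, addr = parseaddr(msg.get("From", ""))
    if "microsoft" in f"{name} {addr}".lower():
        return ["From: header claims to be Microsoft"]
    return []


def classify(raw):
    """Parse one RFC 822 message (bytes) and return a verdict with reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    att = attachment_reasons(msg)
    return {"verdict": "trash" if att else "keep",
            "reasons": att + sender_reasons(msg)}


def _build(from_hdr, subject, body, attachment=None):
    """Construct a sample message; attachment = (bytes, maintype, subtype, name)."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        data, maintype, subtype, filename = attachment
        m.add_attachment(data, maintype=maintype, subtype=subtype,
                         filename=filename)
    return m.as_bytes()


# Constructed samples (the "binary" is a stand-in, not a real executable).
WORM_SAMPLE = _build(
    '"Microsoft Security Division" <security@microsoft.example>',
    "Latest Internet Security Pack",
    "Install the attached cumulative patch.",
    (b"MZ\x90\x00 constructed stand-in", "application", "octet-stream", "Patch.exe"),
)
LEGIT_SAMPLE = _build(
    "Friend <friend@example.invalid>",
    "meeting notes",
    "Notes attached.",
    (b"Agenda: 1. worm 2. filters", "text", "plain", "notes.txt"),
)
BRANDED_NO_ATTACHMENT = _build(
    "Microsoft Newsletter <news@microsoft.example>",
    "Monthly newsletter",
    "Plain text, nothing attached.",
)

if __name__ == "__main__":
    for label, raw in [("worm", WORM_SAMPLE), ("legit", LEGIT_SAMPLE),
                       ("branded", BRANDED_NO_ATTACHMENT)]:
        print(label, classify(raw))
```

    Running the block shows the worm sample trashed for two reasons, the friend's text attachment kept, and the Microsoft-branded text-only message kept (with the branding noted). The design choice matches the thread: the attachment header is the property the sender cannot forge away, while sender branding on its own is only a hint.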
  14. Zarggg

    Re: Yet another Mass e-mail worm TM - Gibe-F/Swen-A - E-mail from Microsoft

    Lord Shaolin wrote On 18 Sep 03 22:41:

    > Nice Icon
    >
    > Nice GUI
    >
    > Asks you to fill in all your mail-server details, pretty nifty piece
    > of code.
    >
    > More info here:
    >
    > http://www.security-forums.com/forum/viewtopic.php?t=8447
    >


    Yep. I've gotten over 260 spam e-mails as a result of this worm (90+ on
    Thursday, 90+ by lunchtime EDT today, and 80+ more after coming home
    from work). It's obviously based on harvested e-mail addresses, as I
    received them to all three of my "public" e-mail addresses, two of which
    are domain-based aliases.
    --
    _____________________________________________________
    Zarggg | zarggg at zarggg dot net | KeyID: 0xC00D540D
    | http://www.zarggg.net/ |
    -----------------------------------------------------
     
    Zarggg, Sep 20, 2003
    #14
  15. Dave

    "Rev Turd Fredericks" <> wrote in message
    news:p...
    >
    > My wife got the msblast virus merely by
    > turning off her firewall to play a game.


    Microsoft advocates are claiming that XP is just as secure as Linux, that
    you can't get a virus without doing something stupid, like clicking on an
    email attachment. Could you tell us more about this incident? Does "play
    a game" mean download some program and run it? Why would you need to turn
    off a firewall to play a game on your own computer?

    I've also heard that msblast can infect a computer without *any* user
    interaction. I was told this by a system administrator who takes care of
    hundreds of Windows workstations. I asked him what network services were
    running on the computers (telnet, ftp, etc.) and he said none. The virus
    can apparently propagate with just the basic network communication
    protocols.

    - Dave
     
    Dave, Sep 20, 2003
    #15
  16. Rev Turd Fredericks

    Dave wrote:
    > "Rev Turd Fredericks" <> wrote in message
    > news:p...
    >>
    >> My wife got the msblast virus merely by
    >> turning off her firewall to play a game.

    >
    > Microsoft advocates are claiming that XP is just as secure as Linux,
    > that
    > you can't get a virus without doing something stupid, like clicking on
    > an
    > email attachement. Could you tell us more about this incident. Does
    > "play
    > a game" mean download some program and run it? Why would you need to
    > turn
    > off a firewall to play a game on your own computer?


    It was an online game called Neverwinter Nights. The program was not
    downloaded, it was purchased. She doesn't use email at home either. The
    firewall was disabled because it sometimes interferes with the game; I
    have since fixed that and the game can be played with the firewall on.
    There was no user interaction required. The only reason we found out was
    when she re-enabled her firewall, the firewall warning window popped up
    and asked "msblast.exe requests a connection to IP xxx.xxx.xxx.xxx".
    msblast takes advantage of an RPC vulnerability. She doesn't use XP but
    it is also vulnerable to msblast in the same manner.

    >
    > I've also heard that msblast can infect a computer without *any* user
    > interaction. I was told this by a system administrator who takes care
    > of
    > hundreds of Windows workstations. I asked him what network services
    > were
    > running on the computers (telnet, ftp, etc.) and he said none. The
    > virus
    > can apparently propagate with just the basic network communication
    > protocols.
    >

    Yup.
     
    Rev Turd Fredericks, Sep 20, 2003
    #16
  17. Juha Laiho

    Rev Turd Fredericks <> said:
    >>> My wife got the msblast virus merely by turning off her firewall
    >>> to play a game.

    ....
    >The firewall was disabled because it sometimes interferes with the
    >game, I have since fixed that and the game can be played with the
    >firewall on.

    ....
    >The only reason we found out was when she renabled her firewall, the
    >firewall warning window popped up and asked "msblast.exe requests a
    >connection to IP xxx.xxx.xxx.xxx". msblast takes advantage of an RPC
    >vulnerability.


    And fixes to close the RPC hole used by msblast were published by
    Microsoft some months before the msblast attack, if I recall correctly.

    If the machine in question is running NT 4.0 Workstation, it might be
    that the fix is not available, as the OS is no longer supported by MS,
    in which case the firewall is the only remaining protection. But _if_
    the OS was something for which the fix was available, this infection
    was caused by user ignorance/negligence.

    It is unfortunate the Internet has turned this way, that everyone
    connecting to it must be acutely aware of security issues. And it is
    unfortunate the integrity of software available is what it is (for
    those starting to advocate open source software at this point, look
    at recent issues with sendmail, OpenSSH, some ftp daemons, etc; perhaps
    not as bad as Microsoft side, but not completely solid, either).
    --
    Wolf a.k.a. Juha Laiho Espoo, Finland
    (GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
    PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
    "...cancel my subscription to the resurrection!" (Jim Morrison)
     
    Juha Laiho, Sep 20, 2003
    #17
  18. Mimic

    "Dave" <> wrote in message
    news:...
    > "Rev Turd Fredericks" <> wrote in message
    > news:p...
    > >
    > > My wife got the msblast virus merely by
    > > turning off her firewall to play a game.

    >
    > Microsoft advocates are claiming that XP is just as secure as Linux, that
    > you can't get a virus without doing something stupid, like clicking on an
    > email attachement. Could you tell us more about this incident. Does "play
    > a game" mean download some program and run it? Why would you need to turn
    > off a firewall to play a game on your own computer?
    >
    > I've also heard that msblast can infect a computer without *any* user
    > interaction. I was told this by a system administrator who takes care of
    > hundreds of Windows workstations. I asked him what network services were
    > running on the computers (telnet, ftp, etc.) and he said none. The virus
    > can apparently propagate with just the basic network communication
    > protocols.
    >
    > - Dave
    >
    >


    I imagine if it was an online game she'd wanna squeeze every bit of
    bandwidth and CPU out of the box for the game; I turn mine off sometimes
    when my games get lagged.

    --
    Mimic

    "Without Knowledge you have fear, With fear you create your own nightmares."
    "There are 10 types of people in this world. Those that understand Binary,
    and those that dont."
    "C makes it easy to shoot yourself in the foot. C++ makes it harder, but
    when you do, it blows away your whole leg"
     
    Mimic, Sep 20, 2003
    #18
  19. Mimic

    "Zarggg" <> wrote in message
    news:nbNab.2214$...
    > Lord Shaolin wrote On 18 Sep 03 22:41:
    >
    > > Nice Icon
    > >
    > > Nice GUI
    > >
    > > Asks you to fill in all your mail-server details, pretty nifty piece
    > > of code.
    > >
    > > More info here:
    > >
    > > http://www.security-forums.com/forum/viewtopic.php?t=8447
    > >

    >
    > Yep. I've gotten over 260 spam e-mails as a result of this worm (90+ on
    > Thursday, 90+ by lunchtime EDT today, and 80+ more after coming home
    > from work). It's obviously based on harvested e-mail addresses, as I
    > received them to all three of my "public" e-mail addresses, two of which
    > are domain-based aliases.
    > --


    heh I dunno how you people do it :p 200 a day, heh I haven't had any; I'd
    bet 10$ I won't get it.
    On a further note, it might be useful to have a forwarding email address; I use
    one for people I don't know / ain't really interested in.
    It forwards to my ISP account, that way if the spam fills it, I can just terminate or
    redirect the forwarding.

    --
    Mimic

    "Without Knowledge you have fear, With fear you create your own nightmares."
    "There are 10 types of people in this world. Those that understand Binary,
    and those that dont."
    "C makes it easy to shoot yourself in the foot. C++ makes it harder, but
    when you do, it blows away your whole leg"
     
    Mimic, Sep 20, 2003
    #19
  20. Mimic

    "Dave" <> wrote in message
    news:...
    > The problem here is not the virus, which is easily detected by a number of
    > AV programs, but the jamming of email boxes. One of my boxes has 1210
    > messages, all with 106KB attachements, just in the last few hours. I can't
    > download all those messages to sift out the real ones, so that effectively
    > renders this box useless.
    >
    >
    >
    > This is a box I opened recently, so I know pretty much where the spam is
    > coming from. I used the address in posting to comp.os.linux.misc, and
    > comp.os.ms-windows.misc. I was even careful to modify the address, so it
    > could only be used by a real person not a robot. Someone is making a big
    > effort to spread this worm.
    >
    >
    >
    > I guess the only solution is to never use your real identity or email
    > address in a newsgroup.
    >
    >
    >
    > - Dave
    >
    >


    Well that'll teach you for being so darn popular ;D

    --
    Mimic

    "Without Knowledge you have fear, With fear you create your own nightmares."
    "There are 10 types of people in this world. Those that understand Binary,
    and those that dont."
    "C makes it easy to shoot yourself in the foot. C++ makes it harder, but
    when you do, it blows away your whole leg"
     
    Mimic, Sep 20, 2003
    #20