'Swen-mail' and the elapsed time between a Usenet newsgroup post with a valid e-mail address and the arrival of the first infected message in the mail box
#11
October 7th 03, 07:03 AM
Phil Weldon

That's why I started the reply with "AND".

--
Phil Weldon, pweldonatmindjumpdotcom
For communication,
replace "at" with the 'at sign'
replace "mindjump" with "mindspring."
replace "dot" with "."

"Strontium" wrote in message ...
Right. That's the 'from' and 'to' lines. Not the body of the message. It also gets email addresses from the body, using the .dbx files. I feel for all those, out there, that are naive enough to even post to Usenet with a real address. I learned my lesson, 5 yrs ago, after getting 5-10 spams a day after just one post with my real email address. Switched ISPs and stopped using a real address. I don't get spam.


-
Phil Weldon stood up at show-n-tell, in
t, and said:

AND
"The worm also can search for e-mail addresses in various newsgroups.
It connects to NNTP servers listed in the SWEN1.DAT file, gets a list
of all newsgroups on that server and searches recent messages in
these newsgroups for 'nfrom:' and 'nreply-to:' tags. When such tags
are found, the worm gets e-mail addressed after them and writes them
to the GERMS0.DBV file. This way the worm can harvest a lot of e-mail
addresses to send itself to." (From FSecure at
http://www.f-secure.com/v-descs/swen.shtml .)



"Strontium" wrote in message ...
It gets them from the *.dbx files.

-
Phil Weldon stood up at show-n-tell and said:

Not exactly; I believe the 'swen' worm gets the e-mail addresses directly from the newsgroup postings. I opened another new mailbox, posted ONCE to alt.comp.hardware.overclocking, and then killed that newsreader account, but kept the mailbox. It took 17 minutes for the first 'swen-mail' to arrive at that mailbox.


"Triffid" wrote in message ...


Phil Weldon wrote:

'Swen-mail' and the elapsed time between a Usenet newsgroup post with a valid e-mail address and the arrival of the first infected message in the mail box.

I created a new mailbox and used it to post to microsoft.public.security.virus. Elapsed time to the first 'swen-mail': 2 hours 2 minutes.

Which effectively means it took a whole 2 hours before someone
using an infected machine read your post.

I'm *really* glad I have access to server-side filters and can dump
this crud before it clogs my mailbox - the flood has slowed
somewhat, but the filters are still deleting a couple of hundred
swens daily.

--
Strontium

"If you get tired, of satellite flyers. And, fame, has let you down.
Under the wire. And, over the Moon, I'm around... When you gonna
grow up?" - Angie Aparo


--
Strontium

"If you get tired, of satellite flyers. And, fame, has let you down.
Under the wire. And, over the Moon, I'm around... When you gonna grow
up?" - Angie Aparo




#12
October 7th 03, 07:07 AM
Phil Weldon

Sheesh.

Maybe, maybe not. Probably not.

The 'swen' worm also gets the e-mail addresses off the news servers.

"The worm also can search for e-mail addresses in various newsgroups. It
connects to NNTP servers listed in the SWEN1.DAT file, gets a list of all
newsgroups on that server and searches recent messages in these newsgroups
for 'nfrom:' and 'nreply-to:' tags. When such tags are found, the worm gets
e-mail addressed after them and writes them to the GERMS0.DBV file. This way
the worm can harvest a lot of e-mail addresses to send itself to." (From
FSecure at http://www.f-secure.com/v-descs/swen.shtml .)


--
Phil Weldon, pweldonatmindjumpdotcom
For communication,
replace "at" with the 'at sign'
replace "mindjump" with "mindspring."
replace "dot" with "."

"Triffid" wrote in message ...
Not exactly; I believe the 'swen' worm gets the e-mail addresses directly from the newsgroup postings.


How do you suppose it does that? There is no evidence of the worm
connecting to news servers and reading headers. It doesn't, it waits for
the infected user to run his newsreader, scoops addresses from the
headers (via files created by the newsreader), and adds them to its
list of targets.

I opened another new mailbox, posted ONCE to alt.comp.hardware.overclocking, and then killed that newsreader account, but kept the mailbox. It took 17 minutes for the first 'swen-mail' to arrive at that mailbox.


Exactly. 17 minutes until an infected user read your post.

--
Phil Weldon, pweldonatmindjumpdotcom
For communication,
replace "at" with the 'at sign'
replace "mindjump" with "mindspring."
replace "dot" with "."

"Triffid" wrote in message ...



Phil Weldon wrote:


'Swen-mail' and the elapsed time between a Usenet newsgroup post with a valid e-mail address and the arrival of the first infected message in the mail box.

I created a new mailbox and used it to post to microsoft.public.security.virus. Elapsed time to the first 'swen-mail': 2 hours 2 minutes.


Which effectively means it took a whole 2 hours before someone using an infected machine read your post.

I'm *really* glad I have access to server-side filters and can dump this crud before it clogs my mailbox - the flood has slowed somewhat, but the filters are still deleting a couple of hundred swens daily.
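The two posters disagree about where the worm reads addresses from, but both accounts agree on one thing a poster can act on: an address that appears in the From: or Reply-To: header of a Usenet article is what gets picked up, and a munged address like the one in Phil's signature is not. The small Python check below is an added example, not code from any post in this thread and not code from F-Secure. It parses a draft article's headers, looks only at the two header names the quoted F-Secure description mentions, and reports any deliverable-looking address so the poster can munge it before sending. The sample articles and the regular expression are constructed for illustration.

```python
"""
Pre-posting check: does a draft Usenet article expose a deliverable
e-mail address in the headers that an address-harvesting worm reads?

Added example for this thread. It inspects only From: and Reply-To:,
the header names the quoted F-Secure description says the worm
searches for; sample articles below are constructed, not real posts.
"""
import re
from email import message_from_string

# A plausible deliverable address: local part, '@', a dotted domain and
# an alphabetic top-level label. Munged forms such as
# "pweldonatmindjumpdotcom" or "user at example dot net" do not match,
# which is exactly the property a poster wants to confirm.
ADDRESS_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)

# Header names the F-Secure text says are harvested (assumption: the
# article's Reply-To:, if present, is as exposed as its From:).
HARVESTED_HEADERS = ("From", "Reply-To")


def exposed_addresses(article: str) -> dict:
    """Return {header_name: [addresses]} for every harvestable header that
    carries a deliverable-looking address. An empty dict means the draft
    survives a naive From:/Reply-To: harvest."""
    msg = message_from_string(article)
    found = {}
    for name in HARVESTED_HEADERS:
        # get_all handles repeated headers; [] when the header is absent
        for value in msg.get_all(name, []):
            hits = ADDRESS_RE.findall(value)
            if hits:
                found.setdefault(name, []).extend(hits)
    return found


# Constructed sample articles (not real posts).
REAL_ADDRESS_POST = """\
From: Example User <someone@example.net>
Newsgroups: alt.comp.hardware.overclocking
Subject: test

body text
"""

MUNGED_POST = """\
From: Example User <someoneatexampledotnet>
Reply-To: someone at example dot net
Newsgroups: alt.comp.hardware.overclocking
Subject: test

body text
"""

if __name__ == "__main__":
    for label, article in (("real", REAL_ADDRESS_POST), ("munged", MUNGED_POST)):
        result = exposed_addresses(article)
        print(label, "->", result if result else "no deliverable address exposed")
```

Run it on a draft before posting: a non-empty result names the header that would hand out a working address. The check deliberately ignores the message body; whether the worm also reads bodies (the .dbx claim) is disputed in the thread, and the headers are the part both sides agree on.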







#13
October 7th 03, 08:14 AM
Strontium

You're an anal little bitch, aren't you?

-
Phil Weldon stood up at show-n-tell and said:

That's why I started the reply with "AND".


"Strontium" wrote in message ...
Right. That's the 'from' and 'to' lines. Not the body of the message. It also gets email addresses from the body, using the .dbx files. I feel for all those, out there, that are naive enough to even post to Usenet with a real address. I learned my lesson, 5 yrs ago, after getting 5-10 spams a day after just one post with my real email address. Switched ISPs and stopped using a real address. I don't get spam.


-
Phil Weldon stood up at show-n-tell and said:

AND
"The worm also can search for e-mail addresses in various
newsgroups. It connects to NNTP servers listed in the SWEN1.DAT
file, gets a list of all newsgroups on that server and searches
recent messages in
these newsgroups for 'nfrom:' and 'nreply-to:' tags. When such tags
are found, the worm gets e-mail addressed after them and writes them
to the GERMS0.DBV file. This way the worm can harvest a lot of
e-mail addresses to send itself to." (From FSecure at
http://www.f-secure.com/v-descs/swen.shtml .)



"Strontium" wrote in message ...
It gets them from the *.dbx files.

-
Phil Weldon stood up at show-n-tell and said:

Not exactly; I believe the 'swen' worm gets the e-mail addresses directly from the newsgroup postings. I opened another new mailbox, posted ONCE to alt.comp.hardware.overclocking, and then killed that newsreader account, but kept the mailbox. It took 17 minutes for the first 'swen-mail' to arrive at that mailbox.


"Triffid" wrote in message ...


Phil Weldon wrote:

'Swen-mail' and the elapsed time between a Usenet newsgroup post with a valid e-mail address and the arrival of the first infected message in the mail box.

I created a new mailbox and used it to post to microsoft.public.security.virus. Elapsed time to the first 'swen-mail': 2 hours 2 minutes.

Which effectively means it took a whole 2 hours before someone
using an infected machine read your post.

I'm *really* glad I have access to server-side filters and can
dump this crud before it clogs my mailbox - the flood has slowed
somewhat, but the filters are still deleting a couple of hundred
swens daily.

--
Strontium

"If you get tired, of satellite flyers. And, fame, has let you down. Under the wire. And, over the Moon, I'm around... When you gonna grow up?" - Angie Aparo


--
Strontium

"If you get tired, of satellite flyers. And, fame, has let you down.
Under the wire. And, over the Moon, I'm around... When you gonna
grow up?" - Angie Aparo


--
Strontium

"If you get tired, of satellite flyers. And, fame, has let you down.
Under the wire. And, over the Moon, I'm around... When you gonna grow
up?" - Angie Aparo


 



