Slashdot Mirror


Microsoft "Swen" Worm Squiggles Into Sight

greenhide writes "As forecast in this story, a new Microsoft worm has indeed wriggled to the surface. The W32.Swen's claim to fame is its professional looking email advertisement that pretends to be a fake Microsoft patch. Earlier viruses have made the claim, but none of them looked this good. It appears to have infected over 1.5 million machines. "

7 of 789 comments

  1. it also mines usenet by poptones · · Score: 4, Informative
    I have never had a virus sent to my home machine because I jealously protect my email domain (every individual gets an email address and if it leaks they never hear from me again). Most commercial sites even seem to respect this. But I made a "junk" address for groups.google.com and, although I have only posted through there a couple of times many months ago, the virus found this address. Apparently it is also crawling usenet, or at least the groups served by google.

    Five of 'em in one day. Of course, the rest will go into the trash automatically, but it was an interesting experience finally catching a taste of the "commoner" internet.

  2. The installer looks genuine too by Stonent1 · · Score: 5, Informative

    Network Associates has some screenshots of the installer http://vil.nai.com/vil/content/v_100662.htm

  3. Reject Executable Attachments by KidSock · · Score: 5, Informative

    It's a very good idea these days to just reject all executable attachments at "the gates" so to speak. I use postfix 1.1 so I added:

    body_checks = pcre:/etc/postfix/mime_header_checks

    to /etc/main.cf where the file referenced came from here:

    http://www.securitysage.com/files/mime_header_checks

    but there are many regular expression filters like this one. Note, with 2.x you need to use the 'mime_header_checks' directive rather than 'body_checks'.

    If you want to send someone an executable, send it to them in a zip or tar.gz.
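The rule-file approach described in this comment, as an added example that is not part of the original post or of the securitysage file it links: a small Python script that parses a Postfix-style pcre: table (`/pattern/flags ACTION text`, with `$N` substitution in the text) and applies the rules to every MIME header of a message, the way `mime_header_checks` does. The rule list, the two sample messages and the filename `patch.exe` are constructed here for illustration; nothing below is taken from a real Swen mail.

```python
"""Simulate Postfix mime_header_checks against constructed sample mail.

Added example, not Postfix code. It reads rules in the pcre:/regexp: map
syntax, walks every MIME part of a message, and returns the first REJECT
it finds, so a rule can be tried before it is dropped into production.
"""
import email
import re
from email import policy

# Constructed rule table in Postfix pcre: syntax. Postfix pcre tables match
# case-insensitively by default; the "i" flag toggles that off.
RULES_TEXT = r'''
# Reject attachments whose declared filename ends in an executable extension.
/^Content-(Disposition|Type).*name\s*=\s*"?(.+\.(exe|pif|scr|bat|com|vbs|cmd))"?\s*$/ REJECT Attachment "$2" has blocked extension ".$3"
'''

# One table line: /pattern/flags ACTION optional text
RULE_RE = re.compile(
    r'^/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[a-z]*)\s+(?P<action>[A-Z]+)\s*(?P<text>.*)$'
)


def parse_rules(text):
    """Return [(compiled_regex, action, text), ...] from a pcre-style table."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'unparseable rule: {line!r}')
        flags = 0 if 'i' in m['flags'] else re.IGNORECASE
        rules.append((re.compile(m['pat'], flags), m['action'], m['text']))
    return rules


def expand(match, text):
    """Replace $1..$9 in the action text with the corresponding group."""
    return re.sub(r'\$(\d)', lambda g: match.group(int(g.group(1))) or '', text)


def check_message(raw, rules):
    """Apply rules to each unfolded header of each MIME part.

    Returns (action, text) for the first REJECT, or ('DUNNO', '') when no
    rule rejects the message (Postfix would then accept it).
    """
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        for name, value in part.items():
            header_line = f'{name}: {value}'
            for pattern, action, text in rules:
                m = pattern.search(header_line)
                if m and action == 'REJECT':
                    return action, expand(m, text)
    return 'DUNNO', ''


# Constructed sample: a fake "patch" mail carrying an .exe attachment.
SAMPLE_EXE = """\
From: "Security Update" <update@example.invalid>
To: user@example.invalid
Subject: Cumulative patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Install the attached update.
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed sample: the same executable shipped inside a zip, which the
# rule above lets through, as the comment recommends.
SAMPLE_ZIP = SAMPLE_EXE.replace('octet-stream', 'zip').replace('patch.exe', 'patch.zip')

RULES = parse_rules(RULES_TEXT)

if __name__ == '__main__':
    print(check_message(SAMPLE_EXE, RULES))
    print(check_message(SAMPLE_ZIP, RULES))
```

The script only models the 2.x `mime_header_checks` behaviour, where each MIME part's headers are unfolded and tested one at a time; under 1.1 `body_checks` the same regex is matched against raw body lines, so a folded or encoded header line may not match. Test a rule file against a handful of real messages before trusting it on the gateway.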

  4. Re:Huh? by WhiteBandit · · Score: 4, Informative

    Um no. You could defend against the RPC worm a variety of ways.

    1.) Applying the patch
    2.) Using *any* software firewall. Even WinXP's own firewall. ZoneAlarm is trash in my opinion. But it isn't your only protection.
    3.) Using a hardware firewall which blocks the RPC port anyway.

    The only defense is to stay vigilant and be smart about computers. Just because someone is using linux doesn't make it secure. No matter what Operating System you are on, you have to be somewhat proactive in protecting your computer.

  5. W32Swen infection rate by Anonymous Coward · · Score: 4, Informative

    Some guy tracked the hidden counter inside the virus and posted the numbers: http://smharr4.dnsalias.net/security/index.html Pretty neat.

  6. Re:Wow by NanoGator · · Score: 4, Informative

    "I suggest all Windows users go to http://www.knoppix.net/ and burn the CD."

    I know this is marked as funny, but Knoppix is pretty damn useful. I've never particularly liked Linux, but I can tell you that my respect for that OS went way up after trying Knoppix out. I burned a couple of copies to keep around the office in case something like a worm lays waste to the network.

    On a side note, it'd be nice if other Linux distros paid more attention to how Knoppix works. It auto-detects everything and doesn't require an install. Just pop in the disc, have it copy a few files over as read-only, and reboot. System corrupt? No prob, just copy the disc over again.

    --
    "Derp de derp."
  7. Re:Wow by dakryx · · Score: 4, Informative

    Would you believe that some people don't have administrative privileges on their computers at work? That means they can't patch it themselves; don't go calling people names all willy-nilly.