Slashdot Mirror


Microsoft "Swen" Worm Squiggles Into Sight

greenhide writes "As forecast in this story, a new Microsoft worm has indeed wriggled to the surface. The W32.Swen's claim to fame is its professional looking email advertisement that pretends to be a fake Microsoft patch. Earlier viruses have made the claim, but none of them looked this good. It appears to have infected over 1.5 million machines. "

35 of 789 comments

  1. Wow by HanzoSan · · Score: 5, Funny



    That's one hell of a virus.

    I suggest all Windows users go to http://www.knoppix.net/ and burn the CD.

    --
    If you use Linux, please help development of Autopac
    1. Re:Wow by gl4ss · · Score: 4, Insightful

      dude, that knoppix cd will be useful when the windows installation gets kicked up a notch, it's really handy to have a cd like that to retrieve the really important data out there.

      it's also good enough to keep you on 'net while you're trying to figure out wtf went wrong.

      unless you got an as good a windows running livecd system?

      --
      world was created 5 seconds before this post as it is.
    2. Re:Wow by NanoGator · · Score: 4, Informative

      "I suggest all Windows users go to http://www.knoppix.net/ and burn the CD."

      I know this is marked as funny, but Knoppix is pretty damn useful. I've never particularly liked Linux, but I can tell you that my respect for that OS went way up after trying Knoppix out. I burned a couple of copies to keep around the office in case something like a worm lays waste to the network.

      On a side note, it'd be nice if other Linux distros paid more attention to how Knoppix works. It auto-detects everything and doesn't require an install. Just pop in the disc, have it copy a few files over as read-only, and reboot. System corrupt? No prob, just copy the disc over again.

      --
      "Derp de derp."
    3. Re:Wow by binarybum · · Score: 4, Funny

      ??

      In case you turned stupid and ran a fake patch that was emailed to you?

    4. Re:Wow by dakryx · · Score: 4, Informative

      Would you believe that some people don't have administrative privileges on their computers at work? That means they can't patch it themselves, so don't go calling people names all willy nilly.

  2. And all 1.5 million by robochan · · Score: 4, Funny

    of those machines seem to have sent it to me :(

    --
    ...Rob
    The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
  3. Fascinating isn't it? by Afrosheen · · Score: 5, Insightful

    After all these worms and virii are hitting MS boxen from every angle, there still aren't mentions of alternatives from major news sources. The Dallas Morning News, last week, had at least a casual glance by saying in one line "Macintosh users are unaffected".

    Why aren't Linux and Macintosh turning this into a big propaganda opportunity? Both OSes can hold up the 'come to us, we've had our shots, we'll never get worms' flags and pray that the big media mentions it.

    1. Re:Fascinating isn't it? by M.+Silver · · Score: 4, Interesting

      When is the last time your car mechanic told you that you couldn't drive your vehicle because you are an idiot? Does your plumber forbid you from using your faucets?

      I can't speak to the plumber situation, but if you've ever listened to mechanics behind the scenes, they sound *exactly* like computer techs. Sometimes they really *do* wish they could tell people they shouldn't drive a vehicle because they're idiots. (I'm betting body shop folks do even more of that sort of griping...)

      --

      Slashdot's token middle-aged housewife
    2. Re:Fascinating isn't it? by Afrosheen · · Score: 4, Insightful

      Your point is invalid.

      The fact that Windows is so exploitable is the reason it's exploited, not the fact that it's the most widespread.

      Free/OpenBSD and linux/unix have been around for quite a while, and both are getting more usage daily. Both are on the net all over the place. Yet they're still not a target or at the very least, an unsuccessful target. Why? Security and built-in holes are kept to a minimum and usually patched in a timely manner. Some people get rooted once in a while but it's usually their own fault or the fault of the admin that forgot to apt-get a new fixed daemon or library.

      Just face it, Windows was never designed with security in mind, and all the patching in the world may never make it more secure. Once again let me reiterate: Windows is a target because it's too easy.

  4. Oh yeah... by JoeLinux · · Score: 5, Interesting

    At work, they have duped over 5 of my colleagues...even AFTER the email went out saying that it was going around. Well, make an OS that any idiot can use, and only idiots will use it, I guess...

    My problem with all these worms is that it doesn't do anything after it propagates, so no one will really care except bandwidth-conscious IT people. It should send itself out, then erase all the FAT tables on a hard drive.

    Or deltree the c:\winnt or c:\windows directory (or both).

    That would REALLY piss people off, who would demand that they do something to make sure that not happen again...like...I dunno...Linux or OSX?

    Just a thought...

  5. Whew! by dupper · · Score: 5, Funny
    That's one good looking worm. Great UI and user friendly, too! There goes the whole 'Linux advocates create these worms to embarrass MS' argument.

    /troll

  6. Virus Warning by Henry+V+.009 · · Score: 5, Funny

    The fake update has made it to Windows Update itself. Here is the name: "Recommended Update for Windows Rights Management client 1.0."

    Do not download, it's only there to own your system.

  7. It's not a worm, it's a virus by Telcontar · · Score: 4, Insightful

    The virus needs user interaction to propagate. Hence it is an e-mail virus. Only programs that propagate automatically are worms. One cannot necessarily expect the Washington Post to get such technicalities right. However, it would be nice if at least /. used proper terminology.

    Then again, if it did, it wouldn't be the /. we know anymore, would it...

  8. Worm Load by m.dillon · · Score: 4, Interesting
    There were over 4500 attempted deliveries of this 150K+ worm through my mail server overnight, and they are still coming. Easy to filter, but this is by far the worst worm load I've seen to date on my little server.

    On the bright side, deliveries of unrelated spam seem to have fallen due to the worm's load on the internet :-)

  9. Sweet! by endeitzslash · · Score: 5, Funny

    I was happy to get this e-mail from Microsoft so I could apply a cumulative patch. I'm usually so bad about patching my system in time, but this time they took the trouble to remind me personally!

    No more worries for me!

  10. it also mines usenet by poptones · · Score: 4, Informative
    I have never had a virus sent to my home machine because I jealously protect my email domain (every individual gets an email address and if it leaks they never hear from me again). Most commercial sites even seem to respect this. But I made a "junk" address for groups.google.com and, although I have only posted through there a couple of times many months ago, the virus found this address. Apparently it is also crawling usenet, or at least the groups served by google.

    Five of 'em in one day. Of course, the rest will go into the trash automatically, but it was an interesting experience finally catching a taste of the "commoner" internet.

  11. Re:Heh by ctid · · Score: 4, Funny
    That's kind of funny, although it seems that this virus requires user interaction in order to spread, so we can't really blame M$ for this one :P

    Why not? Why make an email system that allows an unskilled user to run an untrusted executable? Seems bizarre to me.
    --
    Reality is defined by the maddest person in the room
  12. ...Not a Good Idea (R) by thermopile · · Score: 5, Insightful
    I should think it would be exceedingly hard for a marketing community to market its 'immunity' to virii -- even a marketing staff as highly trained as whatever Apple hires -- without setting itself up as the next target.

    Hypothetical advertisement: "Hey, we're Macs, and we don't have viruses."

    I guarantee you that every virus writer and his(/her?) grandmother would flock to OS X and start writing viruses with reckless abandon. Apple, Linux, Amiga, Commodore 64, and whatever other less-used operating system is probably perfectly happy to have its users sitting fat, dumb, and happy and not bragging about it.

    --

    "Diplomacy is something you do until you find a rock." --Richard Pound

  13. Accepted as the norm now? by thenextpresident · · Score: 5, Insightful

    I can't help but feel that people have accepted the fact that Computers in general get Viruses. People complain about Windows, but Windows, to most people, is the only solution. So for them, the concept that Windows gets hit with so many viruses means that users in general get hit. No matter the OS.

    I was explaining the other day to one of my business partners not to install this virus, and to delete it right away if he gets it.

    He asked me if my computer was infected, whereby I had to explain once again that running Linux, I generally don't have to worry about things like this.

    But the point is, for him, computers just get viruses. And because of that, I believe that most people are thinking: "Hrm, my computer got a virus.", not "Windows let another Virus through."

    So the majority of the people that aren't really computer illiterate (the majority), don't really know what to think when people tell them Linux is more secure.

    Because for them, it's still running on their computer, and their 'computer' got a virus. It's just their mentality. Of course, this is simply my opinion.

    --
    Jason Lotito
  14. Skynet is here by JonnyRo88 · · Score: 4, Insightful

    You know that if the situation in Terminator 3 (virus spreads over majority of systems) were to ever happen, it would happen as a result of having a massively homogeneous computing environment. I really think that we should stop teaching kids how to use Word and Excel in middle school, and start teaching them how to install their own linux systems. We could create an army of informed computer users, something that Microsoft fears the most.

    --
    The Ro Factor - Jeep/Linux Weblog
  15. html by BWJones · · Score: 4, Interesting


    So, I have received a number of these (thank goodness I am running OS X) and it appears that the "notification" also contains html. So, examining the html, it appears that it actually references microsoft.com.

    If I were microsoft, it appears there is a simple way to defeat this by inserting html in the referenced source that warns recipients of this sort of thing.

    --
    Visit Jonesblog and say hello.
  16. Vicious worms don't survive by IncohereD · · Score: 4, Interesting

    ....because they're noticed too quickly. If you destroy your host immediately you're not going to propagate too far, now are you?

    Yes, you could make it a little more complex with time-outs or a way to select certain targets as hosts for more sending and others to destroy, but it wouldn't last and last like some of the recent worms, because its effects would be so noticeable.

  17. The installer looks genuine too by Stonent1 · · Score: 5, Informative

    Network Associates has some screenshots of the installer http://vil.nai.com/vil/content/v_100662.htm

  18. Reject Executable Attachments by KidSock · · Score: 5, Informative

    It's a very good idea these days to just reject all executable attachments at "the gates" so to speak. I use postfix 1.1 so I added:

    body_checks = pcre:/etc/postfix/mime_header_checks

    to /etc/main.cf where the file referenced came from here:

    http://www.securitysage.com/files/mime_header_checks

    but there are many regular expression filters like this one. Note, with 2.x you need to use the 'mime_header_checks' directive rather than 'body_checks'.

    If you want to send someone an executable, send it to them in a zip or tar.gz.
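The gateway check described in this comment, as an added Python example (not code from the comment, from the securitysage table, or from the Postfix project): it reproduces the logic of a mime_header_checks PCRE rule over each MIME part's headers and runs it against a constructed message carrying a harmless dummy attachment. The extension list, filenames and addresses are constructed for illustration.

```python
"""Executable-attachment filter in the style of a Postfix mime_header_checks
table. Added example; the extension list below is constructed, not the
securitysage.com file the comment points at."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Suffixes Windows will execute on a double-click (constructed list).
DANGEROUS_EXT = (
    "ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|js|jse|lnk|mdb|mde|msc|"
    "msi|msp|mst|pcd|pif|reg|scr|sct|shs|url|vb|vbe|vbs|wsc|wsf|wsh"
)

# Same shape as a mime_header_checks entry: inspect a part's Content-Type or
# Content-Disposition header for a name=/filename= parameter ending in one of
# the suffixes above. The lookahead stops "a.json" matching the "js" branch.
HEADER_RE = re.compile(
    r'^Content-(?:Disposition|Type):.*?\b(?:file)?name\s*=\s*"?'
    r'(?P<name>[^";\r\n]+\.(?P<ext>' + DANGEROUS_EXT + r'))(?![\w.])',
    re.IGNORECASE | re.DOTALL,
)


def executable_attachments(raw: bytes) -> list[str]:
    """Return the filenames of MIME parts whose headers name an executable."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits: list[str] = []
    for part in msg.walk():  # walks the multipart root and every sub-part
        for hdr in ("Content-Disposition", "Content-Type"):
            value = part.get(hdr)
            if value is None:
                continue
            m = HEADER_RE.match(f"{hdr}: {value}")
            if m and m.group("name") not in hits:
                hits.append(m.group("name"))
    return hits


def gateway_verdict(raw: bytes) -> str:
    """'REJECT ...' or 'OK', mirroring what the MTA answers for the message."""
    hits = executable_attachments(raw)
    if hits:
        return f'REJECT Attachment type not allowed: "{hits[0]}"'
    return "OK"


def build_sample(filename: str, content_type: str) -> bytes:
    """Construct a test message with one inert dummy attachment (no real code)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"          # constructed addresses
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Cumulative Patch"          # lure subject, constructed
    msg.set_content("Install the attached update.")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(b"MZ dummy bytes", maintype=maintype,
                       subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(gateway_verdict(build_sample("update.exe", "application/octet-stream")))
    print(gateway_verdict(build_sample("update.zip", "application/zip")))
```

The regex is applied per part, so a zip wrapper passes (as the comment recommends) while a bare .exe, .pif or .scr part is rejected regardless of how the Content-Type is labelled.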

  19. Re:Huh? by WhiteBandit · · Score: 4, Informative

    Um no. You could defend against the RPC worm a variety of ways.

    1.) Applying the patch
    2.) Using *any* software firewall. Even WinXP's own firewall. ZoneAlarm is trash in my opinion. But it isn't your only protection.
    3.) Using a hardware firewall which blocks the RPC port anyway.

    The only defense is to stay vigilant and be smart about computers. Just because someone is using linux doesn't make it secure. No matter what Operating System you are on, you have to be somewhat proactive in protecting your computer.

  20. W32Swen infection rate by Anonymous Coward · · Score: 4, Informative

    Some guy tracked the hidden counter inside the virus and posted the numbers: http://smharr4.dnsalias.net/security/index.html Pretty neat.

  21. Lucky? by Kircle · · Score: 4, Insightful

    If you were using XP and you didn't get infected by the RPC worm you were lucky. The only way you could defend against it is Zone Alarm.

    Lucky? Zone Alarm?? Well, at least you were able to show that you really don't know much about Windows (or at least not as much as you think you do).

    --

    -- Kircle

  22. Re:Huh? by azzy · · Score: 5, Funny

    No, it's not just you. Same here. Me too!!! I open every e-mail and run every attached executable, even if I don't know who it is from. And I've never had my computer affected with any virus or worm or trojan or whatever. Sure it crashes now and then, but all computers do, and sometimes I can't find my files... I probably didn't save them right in the first place or forgot where I put them. When it all gets really bad, the kid next door comes and fiddles with it, re-installs my system.. or something like that.. but that's just normal too.. windows has always been like this for me. And it's the best OS around, so thank god I don't have something worse.. like one of those hobby play operating systems!

  23. Re:Huh? by AstroDrabb · · Score: 4, Insightful

    A lot of people will blame it on "dumb" end-users. However, the scary thing is that just by an end-user clicking on the attachment in the email, they could hose their system. Even if an end user executed an attachment under Linux, it would only run as that user, not Administrator or root. The worst that would happen is the user's home directory being deleted. This is why MS Windows security is so bad IMO. Every user runs as Administrator out-of-the-box. This is the only reason ms windows is said to be "user friendly". Take a user out of Administrator mode and it is not any more user friendly than Linux. MS picked user friendly over security. Sure there are some tech savvy ms windows users that can secure their boxes much better than the masses. However, for the average user, MS gave them a friendlier environment to work in with no regard to the value of their data.

    --
    If Tyranny and Oppression come to this land,
    it will be in the guise of fighting a foreign enemy. -James Madison
  24. Uninterested? by chihowa · · Score: 5, Insightful
    I'm a mechanic (ASE and all that crap) as well as a computer dork. I can (and do) fix my own plumbing, do my own carpentry, and am learning to adequately use a loom (which I made) to make clothes. I grow a substantial amount of my own food. I'm posting this from a browser that I wrote myself.

    No troll, I'm dead serious.

    I wish people took more interest in the things that they use every day and take for granted. Everything is so completely fascinating. I think that there is no better pursuit in life than to learn the hell out of everything. The way people learn one thing and then get all arrogant about it is, in my opinion, the worst behavior of all.

    There are tons of things that I don't know, I don't look down on people for not knowing things. It does bother me when they refuse to learn, though.

    People do awful things to their computers and people do awful things to their cars (and their plumbing!). If people took a little more time to appreciate the things that they take for granted, many of our problems would be gone.

    I didn't mean for this to end up all preachy, but I don't remember where I was going. If I hadn't already typed so damn much, I'd just quit now, but hell...

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  25. That's absurd. by Alethes · · Score: 5, Insightful

    If popularity is what makes Windows insecure, then why is IIS being hit many more times than Apache even while Apache runs 60% of the websites out there?

  26. the Linux version by commodoresloat · · Score: 5, Funny

    Greetings. You have been infected with GNU/Swen, a worm brought to you by members of the linux community. In order to get this worm to infect your system properly, you will need to use wget to download gnuswen-config-2.4.6 from one of the usual mirrors. Be careful; this version of the worm is not compatible with versions of gnuswen-config prior to 2.4.4. After you have downloaded the config tools and issued the usual incantations (./config, make, make install), you can configure the worm from any directory simply by typing sudo gnuswen-config -ort [your login id] [full path to your email client]. If you have any questions, be sure to RTFM, the docs are installed at /usr/share/info/gnuswen and all your config files are stored at ~/.gnuswen.

  27. Linux virus by Kazymyr · · Score: 5, Funny

    The other day I got a Linux email virus. It was this perfectly innocent looking message, with the subject line reading "Important!". So I opened it, and inside I found the following:

    "This is an email virus for Linux users. It works on the honor system. Upon receipt of this message, you should manually forward it to everyone in your address book, then login as root and randomly delete a bunch of files. Thank you!"

    --
    I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
  28. Re:How did that get mod'ed "insightful"? by Vellmont · · Score: 4, Insightful

    In a proper environment a virus can't delete your email on the IMAP server. It can try to connect, but it doesn't know the password; and the MUA isn't scriptable for this very reason.

    That's true of any environment. If a windows computer uses IMAP and doesn't store the password locally it can't delete your mail either.


    The virus also can't email itself because the SMTP host on the network requires TLS and authorization to do that, and the virus is not in possession of the login credentials.

    Who said you had to use the SMTP host on the network? Any old program that knows how can speak SMTP and mail itself out to the next victim. In fact from what the article says this virus knows how to speak SMTP. For an external MTA it's pretty hard for it to only accept SMTP sessions that use TLS as TLS is poorly supported across the internet. I know all my machines running an MTA don't have secure SMTP setup (I really don't like paying the $100 a year blood money to the damn certificate authorities).

    I will agree that unix machines tend to be better administered, and are more likely to be patched better simply because the OS is less tied together and interdependent like windows is (and thus the huge service packs MS puts out). Take the latest openSSH patch for example. The changes were all back-ported to the version of OpenSSH running on a distribution+version. We also know exactly what changed (2 or 3 lines of code), and they're fairly simple changes. Vigorous testing of the patches isn't as pertinent as it is in the case of MS products, so patches will be applied more often.
    --
    AccountKiller
  29. Re:Huh? by cscx · · Score: 4, Insightful

    If you run a malicious attachment, it will be pretty much harmless to the machine. It may be able to wipe out your home directory, but that is about it.

    That is the *biggest* crock of shit ever, but I hear it time and time again on Slashdot. /home is the most valuable part of the system! You can re-install Linux in under an hour, and recover /usr, /var, and pretty much everything else (with a slight exception of changes to /etc, but that's not important). If you lose /home, you are, simply put, FUCKED. Big time. Try reconstructing that data in under an hour. You can't. If you could back up *anything* on your system (assuming you had a choice), that choice should be /home.

    Why on earth would you care if your applications got borked? It's the data that's important.