From: aek@vib.usr.pu.ru (Alexander Kopilovitch)
Newsgroups: comp.lang.ada
Subject: Re: Current "Swen" worm attack
Date: 22 Sep 2003 17:39:05 -0700

Preben Randhol wrote:

> Note that the worm grabs e.mail address from USENET groups such as this
> groups.

Yes, today I received one unusual result of this virus's action - virus at last reached central Russia (specifically, Nizhnij Novgorod) and here, on non-friendly territory, it somehow loses control -:) . So, inside that message I received full list of addresses, to which the virus attempted to send messages that time. First half of this list was very familiar to me - all addresses there were well-known correspondents to comp.lang.ada (including you and me). The second half of the list was of quite another nature... I don't know anyone of those addresses, except the name in the last address - it was full name of famous in the past German football player (and now senior football official) -:) .

> I got 3 copies of each virus as it had managed to find three
> addresses from the news groups.

I'm getting only 2 copies of each virus.

> However I managed to put a stop to it by
> grepping (at the ISP) for a patterns in the base64 encoding of the exe files
> and sending the mails containing them into /dev/null.

Well, you are lucky in that you are permitted to do things at your ISP -;) Interesting, how much time will pass until the persons responsible for general Internet security will identify and shot the websites that spread infection?

> First day I got about 200-300 Mb of this virus.

I think I got about 80-90 Mb for now (that is, for 4 days).

Alexander Kopilovitch                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia
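
The filtering mentioned in the quoted text above (matching a pattern in the base64 encoding of an exe attachment) is sketched below as an added example; it is not part of the original post or of either poster's setup. The post does not give the pattern that was used, so the generic `MZ` executable magic stands in for it, and the function names and sample mails are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed stand-in for an executable: DOS/PE "MZ" magic plus padding.
FAKE_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56

# Raw-text pattern, grep style. "MZ" fixes the first two base64 characters
# ("TV") and the top four bits of the third, so the third is one of o, p, q, r.
# The match is pinned to the first line after a blank line (start of a body).
RAW_MZ = re.compile(rb"\r?\n\r?\nTV[opqr]")


def build_sample(body, attachment=None):
    """Build a constructed test mail, optionally with a base64 attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="patch.exe")
    return msg.as_bytes()


def raw_grep_hit(raw):
    """Grep-style check on the undecoded message text."""
    return RAW_MZ.search(raw) is not None


def executable_parts(raw):
    """Decode every MIME leaf part and report those starting with b'MZ'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        if data.startswith(b"MZ"):
            hits.append(part.get_filename() or part.get_content_type())
    return hits


if __name__ == "__main__":
    for name, raw in [("exe attachment", build_sample("see attachment", FAKE_EXE)),
                      ("text only", build_sample("TVrage ratings are in."))]:
        print(name, raw_grep_hit(raw), executable_parts(raw))
```

Both checks flag the mail with the attachment, but the raw pattern also fires on the text-only mail whose body happens to begin with "TVr", while the decoded check does not.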