stop emails with Swen.A worm coming thru

Discussion in 'NOD32 version 2 Forum' started by Clp, Oct 8, 2003.

Thread Status:
Not open for further replies.
  1. Clp

    Clp Guest

    Hi, can anyone help with emails that keep coming thru with this Swen.A worm from Microsoft and return emails from people I've never tried to email. I get about 15 emails a day and Nod32 picks them all up. I have blocked them from my Outlook Express email system, but I keep getting them and I'm sick of it. Can anyone help with how to stop them?
    Thanks, I would really appreciate it.
    Connie
     
  2. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Try using MailWasher http://www.mailwasher.net/

    Eventually it gives up (swen and return emails), I had the same.

    Cheers :D
     
  4. Clp

    Clp Guest

    Thank you so much for the response, really appreciate it! Will try some of those suggestions.
    Bye for now
    Connie :D
     
  5. rob_nod

    rob_nod Registered Member

    Joined:
    Oct 9, 2003
    Posts:
    6
    I'm in the same boat... about a week ago, in a second of stupidity, I actually installed the "update from Microsoft". I suddenly noticed my Norton AV was disabled in the tray, then started getting a rush of variations of the same emails. I ran Norton and it found a bunch on the system. Went on line and found more info and the whole procedure to run the Norton Swen killer, which involved deleting all my saved XP restore points. It did catch the virus, and I thought all was well, but I was still getting bombarded with emails from "Microsoft" and bogus return to sender emails, as if I had sent them. The same virus kept arriving. My Earthlink "Suspected Spam" folder was exceeding the 10MB limit within two days as I was getting about 100 messages a day. I kept deleting and getting more. I finally removed my wild card domain name and the main domain name email address and I changed my Earthlink email box to a different name, thinking that would stop it since those names kept appearing in the header... it worked for about a day, then I started getting the virus again with the bogus failed email attempt emails. I have been on line numerous times to check on latest Norton updates, have run the virus check over and over from on line and from local. I paid for the Zone Alarm Pro version, then paid for Spybot.. nothing has helped. Earthlink has tried to help on their abuse email and on the phone, but have been able to do nothing and say it isn't originating from their server. ZoneAlarm has no live people to talk to, only an idiot question process response. Should I format my hard drive and reinstall everything? I'm GOING NUTS!!!! Why do people do this? Rob
     
  6. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Go to Symantec site for the removal tool: :)

    http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.removal.tool.html
     
  7. rob_nod

    rob_nod Registered Member

    Joined:
    Oct 9, 2003
    Posts:
    6
    Peaches: Thanks, that's what I already did and had to lose all my XP restore points in the process of running that fixit program. It supposedly found the swen virus and deleted the files, but I'm still getting the emails. Rob
     
  8. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Rob, you could reformat your hard drive and still get these emails. It's malware that's in the wild and some people are getting tons of them in their email.

    Not anything you can do about that except perhaps creating a filter in your email client (or in your ISP's web access to your email) for the MS subject title and collect them all in one folder and delete them or use mailwasher or something like that to delete them on the email server before you reach your inbox. Again, some ISPs have email filtering and/or AV scanning capacities at their email servers. If you haven't specifically checked it for that, look into it and see what options may be available on the email server.

    But just receiving emails alone is not a sign that you have been reinfected. Of course since you were infected, it's not surprising that you should be receiving bounced emails, etc. since you contributed to the chain of infection and emails shooting round the net.

    ZoneAlarm is a firewall and this worm doesn't involve the firewall function. But do you use ZA's mailsafe function? How were you able to open the attachment? Mailsafe won't stop you from opening attachments if you really want to but it should make you stop and think about it before you do. But if you do open an infected attachment a firewall will not protect you. That's not its function.

    SpyBot S&D is for the most part an after the fact removal tool for spyware, not worms and trojans. The only real defense is be much more careful about what email and attachments you open in the future. As you learned your AV is really a backup system in case of human error, but it isn't always effective as a first line of defense. If you're lucky the AV will be able to catch the malware before it can do any harm and/or disable the AV itself. But the user also needs to keep the AV's signatures up to date, either manually or by automatic updates. Still the first most effective line of the defense is the user's savvy and caution, not software.
     
  9. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    BTW, here's a thread from the BBR security forum where just for comparison purposes people were posting how many Swen emails they received, just to show that getting a lot of these emails is not unusual: http://www.dslreports.com/forum/remark,8007910~root=security,1~mode=flat

    And just FYI, although some people don't like to do it, if you use OE 6 SP 1, you can set it to remove access to all attachments sent in email. That's quite effective against malware in email attachments. Then if you do have an expected attachment that you want to open, you can reset the settings to allow access to the attachment(s) and then set it back when you've got what you wanted. It's a bit of extra effort, but makes it much harder to open an email attachment by mistake or in a moment of inattention.


    Added URL tags
     
  10. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    First, you have my sympathy for all this damage and inconvenience caused by the low-life of this world. That said, I have to say I consider your ISP's response wholly inadequate.

    I really do think it is time that ISPs put in place proper antivirus scanning of all e-mails originating from or transiting through their servers. Some already do, but the vast majority do not. I would even go so far as to suggest it should become a legal requirement for public ISPs (I know that view will risk the wrath of some liberals, but hey - so what?). It would stop many virus outbreaks in their tracks. You may say that national laws would not be effective, but they would: as soon as subscribers realise they can get better virus protection by using ISPs from other countries, the rest would quickly follow suit. This would be to the benefit of all.
     
  11. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Earthlink is a huge ISP. I find it odd if they don't have spam/AV filtering for their email. AT&T Worldnet has both for dialup. Don't know if their DSL offering does or not.

    But another ISP giant, Comcast (Cable), doesn't have AV filtering. While AV filtering may not be 100% effective, it should help especially in cases like these mass mailing worms where some people have been deluged by this stuff.

    (BTW, thanks for fixing the URL Pieter. :) )
     
  12. rob_nod

    rob_nod Registered Member

    Joined:
    Oct 9, 2003
    Posts:
    6
    First, a big thanks everyone for the help and back patting :) I can get around in Windows and am fairly computer literate, but the whole internet email situation is confusing. At the time of the "attack" I had the free ZoneAlarm from Earthlink set up, which doesn't check for virus files. After removing the virus and changing my domain forwarding name and Earthlink mailbox names, I was still getting the emails and the returned email notices, which also had swen attached. At that point I paid and updated to ZoneAlarm Pro with virus checking. It caught a few, but it doesn't seem to be working and I have checked the settings for mailsafe, in and out going are on. I gave up on tech support at ZoneAlarm, it's all automated and I couldn't find answers. One tech at Earthlink suggested it could be on my computer still. I then paid for PestPatrol, which is supposed to find trojans, etc., it found a bunch of stuff, but nothing listed as trojans or key-loggers, etc. I have rescanned from Symantec on line and from my Norton several times and they are finding no infections now, and I have latest virus updates. My brother swears by Nod32, but I've been reluctant to have to buy another program as I have about 9 months of free updates on my Norton. What's weird is I keep getting these returned email error mail with the swen attached, I look at the header and it's looping through my domain name and my Earthlink addresses (the new ones). The last two lines before the subject line of "Failure Notice" are:
    FROM: "network delivery service" <smailengine@america.com>
    TO: "Mail Recipient" <user@smtpdomain.com>
    Is that a general delivery to everyone? Sorry, I don't understand all the header stuff and don't have time to try to chase down the origins and send emails to their servers, etc., as suggested by Earthlink in some bulletins.
    Sorry this is so long winded, it's probably of interest to all of you though as you all seem to be in to this. Again, thanks for the help, Rob PS: Just got a notice from Dell to watch out for the Swen virus... lol, sort of late..
     
  13. rob_nod

    rob_nod Registered Member

    Joined:
    Oct 9, 2003
    Posts:
    6
    ramble, ramble... Would it do any good to install the Nod32 trial version I just downloaded and see if it can come up with anything that Norton didn't catch in their full system scans? And if I do that, do I need to just turn Norton off while installing and using Nod32, or do I have to uninstall Norton first? Thanks, Rob
     
  14. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Again, ZAP doesn't have a virus checker. Its mailsafe function simply blocks you from immediately opening attachments of certain types of files. That's all it does. It has no AV function. It does have additional outgoing email features that if set properly would prevent your email client from sending out mass mailings and using a spoofed email address once you are infected. But it has no virus checker function.

    If you want second or third opinions of whether you're clean or not there are free tools and online scanners available at the websites of McAfee, Panda and other AV vendors. Disable your running AV while running these tests if you use any of these to avoid conflicts. Download and update trial versions of other AV's if you wish. (But again make sure your current AV is not running to avoid conflicts.)

    And the point I tried to emphasize by posting a link to a thread in another forum is you don't have to be infected to get these emails or to get bounce backs as most of these worms now have email source address spoofers so that even people who never were infected can receive these emails, just because someone who had their addy in their address books was infected.

    Do as you wish, but you can spend tons of money and time buying more products and running scans all you want that will show you clean and yet you can still receive these emails. Simply because they are out there, like spam. You cannot stop them any more than anyone else can, if your ISP doesn't filter out infected emails at their servers.

    IMO if you want to spend some time and effort on this, you should also spend some time learning how these infections work and what they do, what your security products do and don't do (and how they work) and how to secure your PC better through the products available to you like how to use the more secure settings in your email client.
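
Added example, not part of the thread or any poster's code: a Python sketch of the kind of mail filter rule sig describes in posts 8 and 14, sorting messages by executable attachment, "Microsoft" claim and bounce-style subject. The extension list, subject keywords, verdict strings and sample messages are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

# Assumed list of directly executable extensions; adjust to local policy.
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat"}
# Assumed subject keywords for bounce-style notices ("Failure Notice" is from the thread).
BOUNCE_WORDS = ("failure notice", "undeliverable", "returned mail")

def risky_attachments(msg):
    """Return attachment names whose final extension is executable."""
    names = [p.get_filename() or "" for p in msg.walk()]
    return [n for n in names if PurePosixPath(n.lower()).suffix in RISKY_EXT]

def classify(raw: bytes) -> str:
    """Sort one raw message into a handling verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # From is spoofable, so it is only a hint about the lure, never proof of origin.
    display, _addr = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", "")).lower()
    risky = risky_attachments(msg)
    looks_bounce = any(w in subject for w in BOUNCE_WORDS)
    claims_vendor = "microsoft" in display.lower() or "microsoft" in subject
    if risky and claims_vendor:
        return "delete: fake vendor update"
    if risky and looks_bounce:
        return "delete: fake bounce carrying executable"
    if risky:
        return "quarantine: executable attachment"
    if looks_bounce:
        return "folder: bounce notice (no attachment)"
    return "inbox"

def sample(sender, subject, attachment=None):
    """Build a constructed test message (not real captured mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.test", subject
    m.set_content("constructed sample body")
    if attachment:
        m.add_attachment(b"MZ-constructed", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    for raw in (sample('"Microsoft Security" <a@example.test>', "Latest Security Update", "patch.exe"),
                sample('"network delivery service" <b@example.test>', "Failure Notice")):
        print(classify(raw))
```

A bounce notice with no attachment lands in its own folder rather than being treated as an infection, which matches the point that receiving these emails alone is not a sign of reinfection.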
     
  15. rob_nod

    rob_nod Registered Member

    Joined:
    Oct 9, 2003
    Posts:
    6
    OK, Sig, thanks for the info. I'm at the point where I feel like most of my time is being spent on forums like this and screwing around with trying to learn new programs, etc. while I'm spending less and less time getting anything meaningful done of my own, and that's not what I got the computer for. :mad:
    Case in point... I installed the new ZoneAlarm Pro and was immediately confronted with all those warnings about programs with obscure names trying to make connections to the internet, and when you click on the info button, it basically says the same thing each time... if you think this is safe allow it to connect... how am I supposed to know unless it appears obviously after I open a familiar program, etc.?
    Anyway, I totally agree with you, the ISPs should be more responsible, I didn't realize the ZAP was not going to catch viruses, the wording sounded like it was. Maybe your solution is too simple and would cut into all these companies' software sales! ;)
    I know, my big mistake was opening that "Microsoft" file, I should have known better.. a few glasses of wine after a hard day at work and my mind wasn't in gear, oh well, I DID learn my lesson.
    Thanks, Rob
     