Date: Sat, 20 Sep 2003 01:17:36 -0500
It's just another worm exploiting holes in Microsoft's alleged software:

http://www.f-secure.com/v-descs/swen.shtml
F-Secure Computer Virus Information Pages: Swen

"...Spreading in e-mails and to newsgroups

The worm periodically scans HTML and ASP files on a hard drive and
stores found e-mail addresses in the GERMS0.DBV file located in the
Windows folder. The worm also reads .EML, .DBX, .WAB, and .MBX files
and fetches e-mail addresses from there. The worm does not fetch
addresses containing 'delete' and 'spam' strings.

The worm also can search for e-mail addresses in various newsgroups.
It connects to NNTP servers listed in the SWEN1.DAT file, gets a list
of all newsgroups on that server and searches recent messages in these
newsgroups for 'nfrom:' and 'nreply-to:' tags. When such tags are
found, the worm gets the e-mail addresses after them and writes them to
the GERMS0.DBV file. This way the worm can harvest a lot of e-mail
addresses to send itself to.

The worm can post its e-mails to newsgroups, the names of which it
finds during the searching process. The worm sends the same kind of
messages as it sends via e-mail.

The worm reads the SMTP server address and user name from the Registry.
However, if it can't find this info, it shows a fake MAPI error dialog
asking a user to input that data:

The worm sends itself in very legitimate-looking messages that are
composed from different text strings hardcoded in the worm's body.
Here is an example of such a message:..."

--Jerry Leslie
Note: [log in to unmask] is invalid for email
"Outlook is a piece of software for giving remote access by
email to all the bugs in Internet Explorer !"
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *