[Dshield] Swen Vs. ISA, Outlook & Norton

Bob Fronk bfronk at davishelliot.com
Tue Sep 23 20:30:18 GMT 2003


Swen will try to execute itself.

Excerpt from Symantec web site on Swen:

W32.Swen.A@mm is similar to W32.Gibe.B@mm in function, and is written in
C++.

This worm exploits a vulnerability in Microsoft Outlook and Outlook
Express in an attempt to execute itself when you open or even preview
the message. Information and a patch for the vulnerability can be found
at: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp



Bob Fronk
bfronk at davishelliot.com
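The mechanism in the Symantec excerpt above (an executable attachment delivered under a MIME type that an unpatched Outlook/Outlook Express would open automatically when the message is previewed, the MS01-020 flaw) can be checked for at the mail gateway before a client ever renders the message. The following is an added example, not code from either poster, from Symantec or from Microsoft: a Python scan over a constructed sample message that flags attachments by extension (the ISA-style ".exe .com .bat" list from the thread), by the MZ executable magic in the decoded payload, and, separately, by the mismatch between a declared "safe" audio/video type and executable content. The extension list, the list of auto-open MIME types, and the sample message with its addresses and filenames are all this example's assumptions.

```python
"""Scan a raw RFC 822 message for executable attachments and for the
MS01-020-style trick of declaring an executable under a MIME type that the
unpatched client would open without prompting.  Added example; the lists
below and the sample message are constructed assumptions, not from the page."""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions the ISA rule in the thread blocks (.exe .com .bat ...); the
# remaining entries are this example's assumption.
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".pif", ".cmd", ".vbs"}

# MIME types commonly abused with MS01-020 because the unpatched client
# treated them as safe to open inline.  Assumption for the example; the
# bulletin itself is the authoritative reference.
AUTO_OPEN_TYPES = {"audio/x-wav", "audio/x-midi", "audio/x-mpeg", "video/x-msvideo"}


def looks_like_pe(data: bytes) -> bool:
    """The MZ magic marks a DOS/PE executable regardless of filename or declared type."""
    return data[:2] == b"MZ"


def scan_message(raw: bytes) -> list:
    """Return one finding per suspicious attachment as (filename, content_type, reasons).

    A part is reported if its name has an executable extension, if its decoded
    payload starts with MZ, or (the MS01-020 case) if it is declared as an
    auto-open audio/video type while actually being executable.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = part.get_filename() or ""
        ctype = part.get_content_type()          # normalised to lower case
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(filename)[1].lower()
        reasons = []
        if ext in EXEC_EXTENSIONS:
            reasons.append("executable extension")
        if looks_like_pe(payload):
            reasons.append("MZ header in payload")
        if ctype in AUTO_OPEN_TYPES and (ext in EXEC_EXTENSIONS or looks_like_pe(payload)):
            reasons.append("MS01-020 style MIME mismatch")
        if reasons:
            findings.append((filename, ctype, reasons))
    return findings


def build_sample() -> bytes:
    """Constructed sample: a benign WAV, an honestly labelled .exe, and an
    .exe disguised as audio/x-wav.  Addresses and names are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Constructed sample message"
    msg.set_content("See attachments.")
    # Real RIFF/WAVE header under a matching type: must not be flagged.
    msg.add_attachment(b"RIFF\x24\x00\x00\x00WAVEfmt ",
                       maintype="audio", subtype="x-wav", filename="ring.wav")
    # Executable declared as a generic binary: caught by extension and magic only.
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00",
                       maintype="application", subtype="octet-stream", filename="setup.exe")
    # Executable declared as a WAV: the MS01-020 pattern.
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00",
                       maintype="audio", subtype="x-wav", filename="patch.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ctype, reasons in scan_message(build_sample()):
        print(f"{name} ({ctype}): {', '.join(reasons)}")
```

The three checks are kept separate on purpose: an extension filter alone is what the ISA rule in the thread does and misses a renamed binary, the MZ check catches the binary whatever it is called, and the mismatch check is the one that says "this message was built to exploit an unpatched client" rather than merely "this message carries an executable". On a real gateway the payload check should run on every part, including those with no filename at all.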
 
 

> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
> Of Guy Barnum
> Sent: Tuesday, September 23, 2003 3:43 PM
> To: General DShield Discussion List
> Subject: [Dshield] Swen Vs. ISA, Outlook & Norton
> 
> Has anyone seen where Norton's Exchange real-time protection (Corporate
> Edition 7.6) actually triggers the Swen worm carried in the email message
> it is attempting to clean?
> 
> Or could the time it takes ISA Server 2000 to restart after changing
> filtering rules have left my system open for infection that isn't yet
> being picked up by Norton's latest virus definitions?
> 
> Background: Originally I had ISA Server 2000 set to forward all incoming
> emails with 'bad' attachments (.exe .com .bat ...) to an admin account.
> Swen traffic increased too high so I changed the ISA rule to delete these.
> There was a message from ISA Server stating 'after restarting it would be
> some time before the new changes took effect'.  It's a couple of days
> later and the incoming emails with bad attachments are not being deleted.
> 
> At the same time I changed the ISA rules I updated the Norton virus
> definitions.  Previous to the ISA and Norton definition changes I could
> preview the Swen email with no virus warning, select the attachment and
> save it to disk for scanning without any outgoing email being triggered
> and no Norton warning messages.  Also at no time has the infected
> attachment been manually run.
> 
> Now when I just preview the Swen-loaded email Norton launches a warning
> that it has detected a virus (without me opening the attachment), failed
> to clean it but quarantined the culprit; my system immediately attempts to
> send an email to: "Security Support"
> <eskiisvp_kqrftflf at newsletters_ms.net>
> which is blocked by Exchange Server 2000 due to it being infected, as if
> the worm was triggered or run regardless of Norton's apparent interception,
> and I still didn't open or even click on the attachment!!
> 
> Here is the Norton warning:
> Scan type:  Realtime Protection Scan
> Event:  Virus Found!
> Virus name: Worm.Automat.AHB
> File:  q879253.exe
> Location:  Mail System
> 
> So I'm stumped trying to figure out what changed with either ISA, Norton
> or the worm (since I didn't change any settings in Outlook) that is now
> triggering the attached infected .exe file which attempts to send some
> part of its email payload, from just previewing the email, all done while
> dodging Norton's scan and ISA's filter.
> 
> Is it a 'Super Swen' or am I missing something obvious?  I've started and
> stopped this post at least 20 times during my fire-fighter routine, so if
> it's all messed up or too long plz forgive me.  I would be happy to post
> any detailed information I should have included, just yell.
> 
> Guy
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list



