View Full Version : From MS?
Midhurst
09-20-2003, 09:28 AM
Just had an email seemingly from MS (Microsoft Program Security Department) that says:
MS Client
this is the latest version of security update, the "September 2003, Cumulative Patch" update which resolves all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as three newly discovered vulnerabilities. Install now to help protect your computer from these vulnerabilities. This update includes the functionality of all previously released patches.
attached is a file "upgrade1952.exe"
Is this legit?
Mitch Hatfield
09-20-2003, 09:45 AM
No, it is definitely NOT legit. Delete it - pronto!!!
It's a Worm known as "Swen".
A cruel hoax aimed at the unwary...........
For reference in future, Microsoft NEVER sends any type of security update info by email.
If you haven't opened the attachment, you won't be infected. :) :)
Midhurst
09-20-2003, 09:50 AM
Thanks Mitch. I thought so :)
Mitch Hatfield
09-20-2003, 09:57 AM
Well done!
This one is said to be spreading fast!
More about it from Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A
:) :)
Very sorry, Ernie. Didn't see your earlier thread on SWEN until too late.
My sincere apologies..............:o :o
Midhurst
09-20-2003, 10:06 AM
"Very sorry, Ernie. Didn't see your earlier thread on SWEN until too late.
My sincere apologies.............. "
Ditto! I saw that as well, but no harm in repeating.. the emails do look very kosher.
ErnieK
09-20-2003, 01:36 PM
One of the greatest compliments you can receive is to be copied/mimicked :D
FrankSG
09-20-2003, 09:16 PM
Just about 10 minutes ago I got something in my email (I have Outlook Express) which looked suspicious so I deleted it without opening it. It supposedly was from MS and said something to the effect that the original message had a virus which was cleaned. I didn't read it all because I didn't trust it. Could this one have been the one that is called SWEN?
ErnieK
09-20-2003, 09:22 PM
More than likely
MS does not send e-mails out to anyone - especially mails that warn of updates etc.
FrankSG
09-20-2003, 10:11 PM
WOW! I'm glad I deleted it, Ernie. It just didn't smell right. By the way, I took a look at your web-site and then clicked on that link that shows your picture. It's amazing, but I have a cousin who looks exactly like that!
More likely than not, if it had a message about being cleaned of a virus it was "safe"...it had passed through at least one ISP that regularly scans incoming mail for viruses.
mike2002
09-21-2003, 02:22 PM
Was just about to post this alert, then discovered someone had got here first. Am getting quite a few of these mails in one of my Yahoo accounts, all with different wording. I am also getting other peculiar ones such as:
From: Administrator. Subject: Failure notice.
From: Inet message delivery service. Subject: message: returned to mailer.
From: Technical Bulletin. Subject: [none]
From: mail storage system. Subject: undeliverable message.
Some of these do not have any attachments, and are not addresses I have not sent mail to. Others have no messages inside them, which makes no sense.
Anyone else getting these?
Mitch Hatfield
09-21-2003, 03:39 PM
Sounds like one of the indirect effects of the SOBIG worm.
SOBIG has likely infected a machine somewhere that, legitimately, has your email address in its address book.
Amongst other things, it can then "use" your email address to send itself to many other unsuspecting individuals.
If someone then bounces such an email, it is returned to your address as if you had sent it yourself - yes, a spoof!
This is almost certainly what you have been seeing, but don't in any event open such emails - even if there is no attachment. Bin them! :) :)
Actually it could also be Swen......it does the same thing as Sobig, spoofing the addresses.
mike2002, most of what you are seeing is bounced virus mail, whether it is from Swen or Sobig doesn't really matter. It is trash, and some idiot admin ***STILL*** hasn't found a clue and is ***STILL*** bouncing the AV generated traffic!
See if you can set up a couple of filters to automatically delete it....it will save you time and headaches later. (no, I don't remember how to do filters on Yahoo...I have to look it up every time)
Mitch Hatfield
09-21-2003, 06:54 PM
Otherwise, why not download Mailwasher.
Takes a lot of the pain out of spam............. :) :)
mike2002
09-21-2003, 08:08 PM
Mitch: I did actually open one of these mails just to see what it was all about. As for the attachments - no NEVER. I update my AVG Anti-virus Free Edition regularly but, just to be safe, I did a complete system scan using 'Housecall' by Trend Micro. Their site lists comprehensive info about these viruses. 'Housecall' did pick up on a 'joke' .exe file which, when clicked on, turns your screen upside down. Strangely enough AVG has never singled this one out at all.
Yes I do have MailWasher, but it doesn't, as yet, operate on web-based accounts.
mjc: I've already deleted all my Yahoo mail, but maybe I'll set up some rules should these mails re-appear again. I believe Yahoo automatically sends out a warning if you attempt to open any attachments, and does offer online scanning. I've just tried this out by sending one to Yahoo but, after waiting some 15 minutes, it still hasn't appeared in my Inbox.
mike2002
09-21-2003, 09:31 PM
It's finally arrived, and yes, Yahoo won't let you open any attachments, and gives users the facility to scan with Norton anti-virus. I sent the 'joke' .exe file to Yahoo and, strangely enough, Norton didn't see it as a virus as Trend Micro did.
sleddog
09-21-2003, 10:29 PM
Originally posted by mjc
See if you can set up a couple of filters to automatically delete it....it will save you time and headaches later. (no, I don't remember how to do filters on Yahoo...I have to look it up everytime)
It's difficult to filter on subject as there are a bunch of variations. I'm having fair success now with sender domain. I've received over 60 copies of the mail to date. Here's the sender domain blacklist I've compiled:
I've caught the last 7 arrivals without a miss :)
Yeah, that is probably the way to go.....
mike2002
09-22-2003, 06:20 AM
There's certainly a lot of variations to filter individually.
Are these particular viruses likely to disappear after a short while, or could they possibly keep going round and round for any considerable length of time?
ErnieK
09-22-2003, 08:50 AM
Frank
Goodlooking ain't I :D
sleddog
09-24-2003, 06:14 PM
I am still receiving more than 50 copies of the bogus Microsoft email with the Swen virus per day. The good news is that the sender domain list is not multiplying nearly as rapidly :) Here is an updated complete list to date:
pave_spectre
09-25-2003, 08:09 AM
That's a lot of virus to be getting each day. I'm glad it's not me that has to put up with it.
Juha H.
09-25-2003, 01:13 PM
I also got that dubious message from "Microsoft" today. Only a moment earlier I heard a warning on the radio saying that such mails should not be opened, because they contain a virus. They said that Microsoft never send any updates by mail.
As Mitch said, MailWasher is handy with these unwanted messages.
sleddog
09-25-2003, 04:40 PM
Still no sign of the tide slacking :)
I use spamassassin on the mail server. The list of domains I posted above are included in spamassassin's blacklist, so they are tagged as spam immediately. I connect to the server using IMAP instead of POP3, which (initially) only downloads mail headers. I can then easily delete the spam-tagged mail without downloading the body or attachments.
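The header-only, sender-pattern triage described in the post above, as an added example that is not part of the original thread or of SpamAssassin: it matches the From address of each message against "*@domain" globs before any body or attachment is fetched. The patterns and the header samples are constructed for illustration, and the function names are hypothetical; because the worm forges From addresses, a match is a filtering heuristic, not proof of origin.

```python
from email.parser import HeaderParser
from email.utils import parseaddr
from fnmatch import fnmatchcase

# Constructed patterns in the same "*@domain" shape as the thread's list.
BLOCKED_SENDERS = [
    "*@*.ms.example",            # any subdomain, but NOT the bare domain
    "*@updates.example",
    "*@support.vendor.example",
]

# Constructed header-only samples, keyed by a made-up message UID.
SAMPLE_HEADERS = {
    101: 'From: "MS Security Bulletin" <Kx.Patch@Updates.Example>\r\n'
         "Subject: Latest Security Update\r\n\r\n",
    102: "From: someone <friend@isp.example>\r\nSubject: lunch\r\n\r\n",
    103: "From: Inet message delivery service <bounce@mx1.ms.example>\r\n"
         "Subject: undeliverable message\r\n\r\n",
    104: "From: admin@ms.example\r\nSubject: Failure notice\r\n\r\n",
    105: "Subject: no sender header\r\n\r\n",
}


def sender_address(raw_headers):
    """Return the lower-cased address from the From: header, or ''."""
    msg = HeaderParser().parsestr(raw_headers)
    # parseaddr drops the display name, which the sender fully controls.
    _display, addr = parseaddr(msg.get("From", ""))
    return addr.lower()


def matching_pattern(raw_headers, patterns=BLOCKED_SENDERS):
    """Return the first pattern the sender matches, or None."""
    addr = sender_address(raw_headers)
    if "@" not in addr:          # missing or unparseable From: no decision
        return None
    for pattern in patterns:
        if fnmatchcase(addr, pattern.lower()):
            return pattern
    return None


def triage(headers_by_uid, patterns=BLOCKED_SENDERS):
    """Split message UIDs into (delete, keep) using headers only."""
    delete, keep = [], []
    for uid in sorted(headers_by_uid):
        hit = matching_pattern(headers_by_uid[uid], patterns)
        (delete if hit else keep).append(uid)
    return delete, keep


if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS))
```

Message 104 is kept because "*@*.ms.example" requires a subdomain; a list that should also cover the bare domain needs a second entry for it.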