W32/Swen Worm


Infection sequence:
  1. A dummy account posted a test message to the hk.test and alt.test newsgroups on 30 Sep 2003 at 14:39:31

  2. The dummy account received the first worm mail on 30 Sep 2003 at 20:29:36

  3. By 6 Oct 2003 21:50, the dummy account had already received 57 worm mails. The timestamps and sender addresses of these worm mails were logged.

    Here is an example of a received mail:



  4. At 13 Oct 2003 11:21:46, the attachments were opened on the honeypot

  5. At 13 Oct 2003 11:23:39, the worm started spreading itself through e-mail. Here is the maillog from the mail server, one rejected RCPT per line (the honeypot at 192.168.20.2 was refused relaying):

     Oct 13 11:23:39 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<zsz3@zsz3.siedlce.pl>, relay=[192.168.20.2], reject=550 5.7.1 <zsz3@zsz3.siedlce.pl>... Relaying denied. IP name lookup failed [192.168.20.2]
     Oct 13 11:23:40 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<fhdv@newsletters.ms.net>, relay=[192.168.20.2], reject=550 5.7.1 <fhdv@newsletters.ms.net>... Relaying denied. IP name lookup failed [192.168.20.2]
     Oct 13 11:23:40 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<mynrrxcsfejgp-tfangu@newsletters.ms.net>, relay=[192.168.20.2], reject=550 5.7.1 <mynrrxcsfejgp-tfangu@newsletters.ms.net>... Relaying denied. IP name lookup failed [192.168.20.2]
     Oct 13 11:23:42 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<0hm400ij7tw3w3@vl-mo-mr001.ip.videotron.ca>, relay=[192.168.20.2], reject=550 5.7.1 <0hm400ij7tw3w3@vl-mo-mr001.ip.videotron.ca>... Relaying denied. IP name lookup failed [192.168.20.2]
     Oct 13 11:23:50 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<recipient@smtpserver.com>, relay=[192.168.20.2], reject=550 5.7.1 <recipient@smtpserver.com>... Relaying denied. IP name lookup failed [192.168.20.2]
     Oct 13 11:23:51 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<postautomat@microsoft.net>, relay=[192.168.20.2], reject=550 5.7.1 <postautomat@microsoft.net>... Relaying denied. IP name lookup failed [192.168.20.2]
     Oct 13 11:23:52 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<0hml0081nsr6rx@smtp09.wxs.nl>, relay=[192.168.20.2], reject=550 5.7.1 <0hml0081nsr6rx@smtp09.wxs.nl>... Relaying denied. IP name lookup failed [192.168.20.2]
     Oct 13 11:23:54 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<recipient@emailserver.net>, relay=[192.168.20.2], reject=550 5.7.1 <recipient@emailserver.net>... Relaying denied. IP name lookup failed [192.168.20.2]
     Oct 13 11:23:55 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<postautomat@freemail.com>, relay=[192.168.20.2], reject=550 5.7.1 <postautomat@freemail.com>... Relaying denied. IP name lookup failed [192.168.20.2]
     Oct 13 11:23:56 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<auto-000022044700@remt26.cluster1.charter.net>, relay=[192.168.20.2], reject=550 5.7.1 <auto-000022044700@remt26.cluster1.charter.net>... Relaying denied. IP name lookup failed [192.168.20.2]

  6. Between Oct 13 11:23:39 and Oct 13 21:05:22, the worm tried to send 13988 worm mails to 74 distinct e-mail addresses.
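A detection pass over sendmail rejections of the shape quoted in steps 5 and 6, added here as an example and not part of the original write-up: it parses the check_rcpt "Relaying denied" lines, groups them by relay address, and flags a relay that keeps hitting many distinct recipients, which is how the honeypot at 192.168.20.2 shows up in the maillog. The sample log lines are constructed (placeholder recipients, one benign line), and the year 2003 is assumed because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample modelled on the sendmail rejections quoted above; the
# recipients are placeholders, the relay 192.168.20.2 is the honeypot's address.
SAMPLE_LOG = """\
Oct 13 11:23:39 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<one@example.org>, relay=[192.168.20.2], reject=550 5.7.1 <one@example.org>... Relaying denied. IP name lookup failed [192.168.20.2]
Oct 13 11:23:40 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<two@example.net>, relay=[192.168.20.2], reject=550 5.7.1 <two@example.net>... Relaying denied. IP name lookup failed [192.168.20.2]
Oct 13 11:23:42 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<three@example.com>, relay=[192.168.20.2], reject=550 5.7.1 <three@example.com>... Relaying denied. IP name lookup failed [192.168.20.2]
Oct 13 11:23:45 c-srv1 sendmail[26027]: h9D3Nj626027: from=<alice@example.org>, size=812, class=0, nrcpts=1, proto=ESMTP, relay=host.example.org [192.168.20.7]
Oct 13 11:23:50 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<four@example.org>, relay=[192.168.20.2], reject=550 5.7.1 <four@example.org>... Relaying denied. IP name lookup failed [192.168.20.2]
Oct 13 11:23:52 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<One@example.org>, relay=[192.168.20.2], reject=550 5.7.1 <One@example.org>... Relaying denied. IP name lookup failed [192.168.20.2]
Oct 13 11:23:56 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<five@example.net>, relay=[192.168.20.2], reject=550 5.7.1 <five@example.net>... Relaying denied. IP name lookup failed [192.168.20.2]
Oct 13 11:30:02 c-srv1 sendmail[26041]: h9D3U2626041: ruleset=check_rcpt, arg1=<bob@example.com>, relay=[192.168.20.7], reject=550 5.7.1 <bob@example.com>... Relaying denied. IP name lookup failed [192.168.20.7]
"""

# One rejected RCPT TO from sendmail's check_rcpt ruleset, in the format quoted above.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \w+: "
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]+)>, relay=\[(?P<ip>[\d.]+)\], "
    r"reject=550 5\.7\.1 <[^>]+>\.\.\. Relaying denied")

def parse_relay_denials(log_text, year=2003):
    """Return (timestamp, relay_ip, recipient) per denied RCPT; syslog omits the year, so it is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # normal deliveries and other rulesets do not match and are ignored
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["rcpt"].lower()))
    return events

def summarize_by_relay(events):
    """Per relay IP: denied attempts, distinct recipients, first and last timestamp."""
    stats = {}
    for ts, ip, rcpt in events:
        s = stats.setdefault(ip, {"attempts": 0, "recipients": set(), "first": ts, "last": ts})
        s["attempts"] += 1
        s["recipients"].add(rcpt)
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    return stats

def flag_mass_mailers(stats, min_attempts=5, min_recipients=3):
    """Relays whose denied RCPTs look like a mass mailer rather than one misconfigured client."""
    return sorted(ip for ip, s in stats.items()
                  if s["attempts"] >= min_attempts and len(s["recipients"]) >= min_recipients)
```

On the real maillog the same pass would report 192.168.20.2 with 13988 attempts and 74 distinct recipients, while a single misconfigured client relaying to one address stays below the thresholds.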
