W32/Swen Worm
Infection sequence:
- A dummy account posted a test message to the hk.test and alt.test newsgroups
at 30 Sep 2003 14:39:31
- The dummy account got the first worm mail at Sep 30 20:29:36
- By 6 Oct 2003 21:50, the dummy account had already received
57 worm mails. Here are the timestamps and senders of these worm mails.
Here is an example of a mail that was received:
- At 13 Oct 2003 11:21:46, the attachments were opened on the honeypot
- At 13 Oct 2003 11:23:39, the worm started spreading itself through e-mail. Here is the
maillog from the mail server.
Oct 13 11:23:39 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=, relay=[192.168.20.2], reject=550 5.7.1 ... Relaying denied. IP name lookup failed [192.168.20.2]
Oct 13 11:23:40 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=, relay=[192.168.20.2], reject=550 5.7.1 ... Relaying denied. IP name lookup failed [192.168.20.2]
Oct 13 11:23:40 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=, relay=[192.168.20.2], reject=550 5.7.1 ... Relaying denied. IP name lookup failed [192.168.20.2]
Oct 13 11:23:42 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<0hm400ij7tw3w3@vl-mo-mr001.ip.videotron.ca>, relay=[192.168.20.2], reject=550 5.7.1 <0hm400ij7tw3w3@vl-mo-mr001.ip.videotron.ca>... Relaying denied. IP name lookup failed [192.168.20.2]
Oct 13 11:23:50 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=, relay=[192.168.20.2], reject=550 5.7.1 ... Relaying denied. IP name lookup failed [192.168.20.2]
Oct 13 11:23:51 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=, relay=[192.168.20.2], reject=550 5.7.1 ... Relaying denied. IP name lookup failed [192.168.20.2]
Oct 13 11:23:52 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<0hml0081nsr6rx@smtp09.wxs.nl>, relay=[192.168.20.2], reject=550 5.7.1 <0hml0081nsr6rx@smtp09.wxs.nl>... Relaying denied. IP name lookup failed [192.168.20.2]
Oct 13 11:23:54 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=, relay=[192.168.20.2], reject=550 5.7.1 ... Relaying denied. IP name lookup failed [192.168.20.2]
Oct 13 11:23:55 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=, relay=[192.168.20.2], reject=550 5.7.1 ... Relaying denied. IP name lookup failed [192.168.20.2]
Oct 13 11:23:56 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=, relay=[192.168.20.2], reject=550 5.7.1 ... Relaying denied. IP name lookup failed [192.168.20.2]
- Between Oct 13 11:23:39 and Oct 13 21:05:22, the worm tried to send 13988
worm mails to the following 74 e-mail addresses.
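A defender-side way to spot this behaviour in a sendmail maillog, as an added example that is not part of the original write-up: it parses the check_rcpt "Relaying denied" lines in the format shown above, aggregates rejected relay attempts per relay address, and flags a host whose burst of attempts fits the mass-mailing pattern. The sample log lines, thresholds and function names are constructed for the example.

```python
import re
from datetime import datetime

# Matches the sendmail "Relaying denied" lines in the maillog above. arg1 carries
# the recipient the worm tried to relay to; the extracted log lost some of the
# angle-bracketed addresses, so an empty arg1 is accepted and still counted.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>\w+): ruleset=check_rcpt, arg1=<?(?P<rcpt>[^>,]*)>?, "
    r"relay=\[(?P<relay>[\d.]+)\], reject=550 5\.7\.1 .*Relaying denied"
)

# Constructed sample in the page's log format (not the original maillog).
SAMPLE_LOG = """\
Oct 13 11:23:39 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<a@example.net>, relay=[192.168.20.2], reject=550 5.7.1 <a@example.net>... Relaying denied. IP name lookup failed [192.168.20.2]
Oct 13 11:23:42 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=<b@example.org>, relay=[192.168.20.2], reject=550 5.7.1 <b@example.org>... Relaying denied. IP name lookup failed [192.168.20.2]
Oct 13 11:23:50 c-srv1 sendmail[26020]: h9D3Nb626020: ruleset=check_rcpt, arg1=, relay=[192.168.20.2], reject=550 5.7.1 ... Relaying denied. IP name lookup failed [192.168.20.2]
Oct 13 11:30:01 c-srv1 sendmail[26100]: h9D3U1626100: ruleset=check_rcpt, arg1=<c@example.com>, relay=[192.168.20.9], reject=550 5.7.1 <c@example.com>... Relaying denied. IP name lookup failed [192.168.20.9]
Oct 13 11:30:05 c-srv1 sendmail[26101]: h9D3U5626101: from=<x@example.com>, size=512, class=0, nrcpts=1, relay=[192.168.20.9]
"""

def summarize_relay_rejects(log_text, year=2003):
    """Per relay IP: number of rejected relay attempts, distinct recipients,
    and first/last timestamp (syslog lines carry no year, so it is supplied)."""
    stats = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a check_rcpt relaying reject; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        s = stats.setdefault(m["relay"], {"attempts": 0, "recipients": set(),
                                          "first": ts, "last": ts})
        s["attempts"] += 1
        if m["rcpt"]:
            s["recipients"].add(m["rcpt"])
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    return stats

def flag_mass_mailers(stats, min_attempts=10, window_seconds=600):
    """Relays whose burst of relaying-denied attempts fits the mass-mailing
    pattern seen above: at least min_attempts within window_seconds."""
    flagged = []
    for relay, s in sorted(stats.items()):
        span = (s["last"] - s["first"]).total_seconds()
        if s["attempts"] >= min_attempts and span <= window_seconds:
            flagged.append(relay)
    return flagged
```

On the real log above, the single relay 192.168.20.2 produces ten rejects in 17 seconds, which is the kind of burst this check is meant to surface.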