Microsoft worm/virus ?
Forum Regular
Join Date: Mar 2002
Location: Bremen, Indiana
Sep 22, 2003, 07:24 PM
 
iMac 800mhz running 10.2.6

I am getting overrun with the following attachments and need to know which microsoft worm or virus these are associated with.

Latest Microsoft Security Patch
Last Internet Critical update
Last Network update
Upgrade
Security Patch
Mail
Returned Message
Bug Notice
Notice
Bug Letter
Current net Update
Current Internet Critical Patch
Error Advice
Newest Critical Update
Abort Message
Announcement
Newest Net Critical Update
Current Net Security Update
Current Patch
Failure Notice
Undeliverrable Mail: Return To Sender
Failure Advice
Latest Net Security Upgrade
Abort Announcement
Notice
Net Pack
Security Update
Latest Security Pack
internet critical patch
New network Security Pack
Newest Microsoft Critical Patch
Undeliverable Message: User unknown
returned mail returned to mailer

Most attachments are in the 150k range.

tia......Rich
     
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
Sep 22, 2003, 07:36 PM
 
Too many subjects to really tell. What does strings file |sort|less give you?
     
bink  (op)
Forum Regular
Join Date: Mar 2002
Location: Bremen, Indiana
Sep 22, 2003, 07:59 PM
 
Originally posted by kampl:
Too many subjects to really tell. What does strings file |sort|less give you?
Ummm, I have no idea what you are talking about.

Rich
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Sep 23, 2003, 10:32 AM
 
One of the more unpleasant ways that a current worm, called "Swen," propagates itself is by sending emails that are supposed to look like antivirus update notices. It sounds like someone you've corresponded with has been infected and your email address is being flooded by that worm, or one like it. DELETE ALL OF THEM! THEN EMPTY YOUR TRASH! Do not open anything like this; it's too dangerous.
Glenn -----
OTR/L, MOT, Tx
     
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
Sep 23, 2003, 02:32 PM
 
First of all, if it is W32.Swen.A@mm it is completely harmless to you on your iMac as it is yet another mass mailer virus infecting MS Windows only. I couldn't say what it is exactly without a sample attachment. Mac OS virii are few and far between these days, but I'm sure some interesting things will turn up in the future.

As for strings file | sort | less , this can be run in a terminal window on the file to look for human readable strings contained in the binary which often give some insight as to what worm and virii code might be doing. Not very in depth, but command strings can often be found. It was somewhat useful on 0day of Nimda before any AV companies had released analysis details. Surfed to an infected webserver on my Mac, downloaded the file (this was also spreading through an IE vulnerability), and issued the strings command on a captured binary which yielded some information regarding how an infected system would be affected. In particular, you could see all the "net" commands issued by the worm, some of which enabled the guest account and then added that account to the administrator group.

file filename will tell you if it is a Windows executable or not, which would be useful in this case as well. It should say something like MS-DOS executable (EXE) or something to that effect if it is an MS Windows binary.
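The file/strings triage kampl describes, written up as an added shell example (not code from the thread). It assumes a constructed sample file built inline, and uses tr as a portable stand-in for strings(1) so it also runs where binutils is not installed; file(1) is called only if present.

```shell
#!/bin/sh
# Triage a suspicious e-mail attachment: is it a Windows executable, and
# what readable command strings does it carry? (Added example; the sample
# file below is constructed, not a real worm body.)

# Printable strings of 4+ characters, sorted and deduplicated.
# Equivalent to: strings "$1" | sort -u
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$' | sort -u
}

# True when the file starts with the "MZ" magic that file(1) reports as
# "MS-DOS executable" or "PE32 executable".
is_windows_exe() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]
}

# Count embedded "net user/localgroup/share/use ..." commands, the kind of
# tell-tale kampl saw in Nimda (account activation, group membership changes).
count_net_commands() {
    extract_strings "$1" | grep -ciE '^net +(user|localgroup|share|use) ' || true
}

# Report on one file; return 0 when it is a Windows binary carrying net
# commands, 1 otherwise.
triage() {
    f=$1
    if command -v file >/dev/null 2>&1; then
        echo "file(1) says: $(file -b "$f")"
    fi
    if is_windows_exe "$f"; then
        n=$(count_net_commands "$f")
        echo "$f: Windows executable, $n embedded net command(s)"
        [ "$n" -gt 0 ]
    else
        echo "$f: not a Windows executable"
        return 1
    fi
}

# Constructed sample: MZ header, a PE marker, and two strings of the sort a
# worm would embed. Inspect it, never run it; here there is nothing to run.
SAMPLE=$(mktemp)
printf 'MZ\220\000\003\000\000\000PE\000\000net user guest /active:yes\000net localgroup administrators guest /add\000' > "$SAMPLE"
triage "$SAMPLE"
```

Running it prints a two-line report for the sample and exits 0; pointing triage at a saved attachment gives the same verdict without the file ever being executed.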
     
bink  (op)
Forum Regular
Join Date: Mar 2002
Location: Bremen, Indiana
Sep 23, 2003, 07:31 PM
 
Originally posted by GHPorter:
One of the more unpleasant ways that a current worm, called "Swen," propagates itself by sending emails that are supposed to look like antivirus update notices. It sounds like someone you've corresponded with has been infected and your email address is being flooded by that worm, or one like it. DELETE ALL OF THEM! THEN EMPTY YOUR TRASH! Do not open anything like this; it's too dangerous.
OK, what can I do to get rid of these messages using Apple's Mail application? I have tried any number of rules and none of them seem to work. All messages have unknown as sender, but having a rule where the sender is unknown gets sent to junk does not work.

Thoughts appreciated......Rich
     
Mac Elite
Join Date: Jul 2000
Location: Dallas, TX, USA
Sep 24, 2003, 07:58 AM
 
Originally posted by bink:
OK, what can I do to get rid of these messages using Apple's Mail application? I have tried any number of rules and none of them seem to work. All messages have unknown as sender, but having a rule where the sender is unknown gets sent to junk does not work.
I just kept junking them... and Mail has it figured out now... it hasn't missed one in the last 24 hours. Very cool.
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Sep 24, 2003, 02:15 PM
 
I agree with kampl about how dangerous these emails AREN'T to your Mac, but if you don't dump them and clean out your trash, there's a possibility that something (who knows what!) could send that garbage out from your connection. He's also 100% on about the Mac community not getting too smug about how few Mac viruses there are today; wait until some script kiddie figures out how to break through Samba, or to hack into Timbuctu, and whoo boy! will we see some junk aimed at Macs!

kenedy has the right method for dealing with these emails; delete them consistently and eventually Mail will nail the pattern and do it for you.
Glenn -----
OTR/L, MOT, Tx
     
bink  (op)
Forum Regular
Join Date: Mar 2002
Location: Bremen, Indiana
Sep 24, 2003, 07:06 PM
 
Originally posted by GHPorter:
kenedy has the right method for dealing with these emails; delete them consistently and eventually Mail will nail the pattern and do it for you.
Only thing is, I have to let the things through so that I can mark them as junk. That means I download all 400 or so 150K attachments which I really do not want to do.

Thanks for the replies!

Thoughts.......Rich
     