On Sun, 19 Oct 2003, Nikolai Weibull wrote:

> I've been receiving a lot of Swen emails to my ruby-talk address lately.
> This mailing alias is rather new and so my guess is that this list is
> actively being harvested for emails.

That turns out not to be the case.

Swen, like a number of other Windows trojans, viruses, and worms,
automatically scrapes a system's address book, mailboxes, web cache, and
in some cases general files looking for anything that looks like an e-mail
address. There's no list that's distributed, or any Master Evil Spammer
sending these things out--just a depressingly large number of folks who
actively infected their machines (Swen *required* the user to run the
infecting attachment by hand) and now have a widget installed that does
the local scraping and mailing.

If your email address is on someone's local machine for any
reason--they're subscribed to the ruby-talk list, read a message via
google groups, you sent them mail, someone sent them mail with you on the
CC line, someone installed software with your email address in the docs,
or is subscribed to a newsgroup with a local newsreader--you're going to
get a Swen if they get infected. Possibly many of them.

Obfuscating email addresses on the web pages may help a bit, at least for
a while, for the virus mail. Won't stop the spammers as much, as they're
more likely to put a bit more effort into the deobfuscation, but it will,
for now, slow Swen and its ilk.

Note that once *anyone* with your email address legitimately in their
inbox or outbox gets infected you *will* get Swens and their like--since
these viruses all forge the from: as well as the to:, other people will
get mail that looks like it's from you, which puts your address in the
inbox, which makes it fair game for the automated scanners on more
machines. And even if they avoid immediate infection, it may well be
around for the next round of infection.

					Dan
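The address obfuscation Dan mentions, and the caveat that it only slows down scrapers that do not bother to decode, shown as an added example (not code from the original thread). It assumes a constructed address, `someone@example.org`, and a deliberately naive scanner of the kind a local mass-mailer uses, which looks for a raw `user@host.tld` pattern in whatever text it reads. Encoding every character of the address as a decimal HTML entity leaves nothing for that scanner to match, while a browser still renders and links the address correctly; a scanner that decodes entities first finds it again, which is exactly why this buys time rather than protection.

```python
import html
import re

# Constructed sample address; not taken from the original thread.
ADDRESS = "someone@example.org"

# A deliberately simple matcher of the kind a local address scraper uses:
# it scans raw text for something shaped like user@host.tld.
NAIVE_ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def naive_scrape(text: str) -> list[str]:
    """Return every plain-text address a byte-for-byte scanner would find."""
    return NAIVE_ADDRESS_RE.findall(text)


def decoding_scrape(text: str) -> list[str]:
    """Same scan, but after decoding HTML entities first (the extra effort
    Dan expects spammers, rather than worms, to put in)."""
    return naive_scrape(html.unescape(text))


def obfuscate_entities(address: str) -> str:
    """Encode every character as a decimal HTML entity (&#64; for '@', etc.).

    A browser decodes this back to the readable address, both in link text
    and inside the mailto: href, but raw files and a web cache contain no
    literal '@' or '.' for a naive scanner to latch onto."""
    return "".join(f"&#{ord(ch)};" for ch in address)


def mailto_page(address: str, obfuscate: bool) -> str:
    """Build a small HTML fragment with a contact link, plain or encoded."""
    shown = obfuscate_entities(address) if obfuscate else address
    return f'<p>Contact: <a href="mailto:{shown}">{shown}</a></p>'


def compare_pages(address: str) -> dict:
    """Summarise what each scanner finds on the plain and obfuscated page."""
    plain = mailto_page(address, obfuscate=False)
    hidden = mailto_page(address, obfuscate=True)
    return {
        "naive_on_plain": naive_scrape(plain),
        "naive_on_obfuscated": naive_scrape(hidden),
        "decoding_on_obfuscated": decoding_scrape(hidden),
        "browser_sees": html.unescape(obfuscate_entities(address)),
    }


if __name__ == "__main__":
    for key, value in compare_pages(ADDRESS).items():
        print(f"{key}: {value}")
```

Run it and the naive scan finds the address twice on the plain page (href and link text), nothing on the entity-encoded page, while the decoding scan recovers both occurrences; `browser_sees` confirms the encoded form still decodes to the original address. Entity encoding is the simplest variant; the same test harness works for any other obfuscation scheme you want to weigh against a decoding scraper.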