To: Mitchell
Good, you're still as sharp as ever, now...
September 18, 2003
Kaspersky Labs, a leading information security expert, announces the detection of the network worm, I-Worm.Swen. This malicious program spreads via email, the Kazaa file sharing network and IRC channels.
The worm, which goes by a variety of names, including Swen, W32/Swen@MM, Gibe, and W32/Gibe-F, can pose as an e-mail from Microsoft bearing a bogus security update as a file attachment.
October 9, 2003
Two additional variants of this worm have been received by AVERT, created by minor edits of certain strings within the initial worm, and subsequent packing with UPX. Both are already detected as virus or variant W32/Swen@MM with the 4294 DATs or greater. Exact identification of the first (as W32/Swen@MM) was included in the 4297 DATs. Exact identification of the latter will be included in 4298 DATs. Both of these variants are of filesize 52,224 bytes.
When first launched, the worm accesses the following remote website:
http://ww2.fce.vutbr.cz/bin/counter.gif/link=bacillus&width=6&set=cnt006
To: Shermy
Ping.
To: Van der Waals; Allan; Shermy
Cute. Needless to say, this isn't the same situation as with Nimda, because when Swen was released in 2003, the significance of the dates Sept. 18 and Oct. 9 was public knowledge (as was the theory that Nimda might have been related in some way to the anthrax mailings). Anybody could have intentionally released a virus on those anniversary dates in 2003 to make the virus appear to have something to do with the anthrax mailings. (In contrast, at the time of Nimda's release, nobody knew the significance of those dates except for the people involved with the anthrax mailings.)
By the way, I don't think the "bacillus" keyword for the counter means much here. Perhaps you look at the word "Bacillus" and imagine "anthracis" after it, but I think it would be quite natural for computer virus writers to pick words with biological connotations, like "bacillus", for use in their code.
Also note that the worm called Swen is apparently the latest incarnation of the earlier Gibe worm, so 9/18/2003 and 10/9/2003 are just the latest two dates in a longer series of release dates.
So, here are three possibilities regarding Swen:
- Possibility 1. The dates are just a coincidence. If you look, you can find many things that happened on Sept. 18, and some that happened on both Sept. 18 and Oct. 9 in some year.
- Possibility 2. Someone who had nothing to do with the anthrax mailings intentionally picked the anniversary dates, just because he thought it would be a cool thing to do.
- Possibility 3. Someone who had something to do with the anthrax mailings picked those dates on purpose. But why would he do that? Two possible reasons:
  - Possibility 3(a). Disinformation. This presupposes that the Nimda theory is false; the purpose of Swen would then be to divert resources into investigation of a (false) Nimda connection to the anthrax mailings.
  - Possibility 3(b). To draw attention to the earlier release dates of Gibe/Swen:
    - Mar. 4, 2002
    - Feb. 24, 2003
(There were also minor follow-up variants released on Mar. 16, 2003, and Mar. 24, 2003.)
Why draw attention to these earlier dates? I don't know, but that attention to the earlier Gibe-worm release dates is a predictable consequence of the later Swen releases on the anthrax anniversary dates. In this theory 3(b), it's as if someone is saying: "Look at the release dates!"
My guess is that it's just a coincidence - Possibility 1.
40 posted on 12/20/2003 9:50:27 PM PST by Mitchell
To: Van der Waals
I tend to agree, nevertheless the "link=bacillus" - not just "bacillus" is, as you say, cute.
BTW, have you by chance taken a look at the "hoax" chemical letters released in Europe some months ago?