On Wed, Sep 24, 2003 at 09:11:16AM +0000, Michal Pasternak wrote:
> do you have any proofs that the worm really scans WWW pages, searching
> for e-mail addresses?

The various anti-virus companies reverse engineer these worms to
figure out what they do... I haven't seen any of their descriptions
mention that Swen scans WWW pages on the net.

According to the description at <http://www.f-secure.com/v-descs/swen.shtml>,

Swen "periodically scans HTML and ASP files on a hard drive .... The
worm also reads .EML, .DBX, .WAB, and .MBX files and fetches e-mail
addresses from there.

"The worm also can search for e-mail addresses in various newsgroups.
It connects to NNTP servers listed in the SWEN1.DAT file, gets a list
of all newsgroups on that server and searches recent messages in these
newsgroups for 'nfrom:' and 'nreply-to:' tags."
-- 
Name: Dave Huang         |  Mammal, mammal / their names are called /
INet: khym@azeotrope.org |  they raise a paw / the bat, the cat /
FurryMUCK: Dahan         |  dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 27 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++