Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Swen Really Sucks

From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Fri, 26 Sep 2003 14:59:41 +1200
"Schmehl, Paul L" <pauls () utdallas edu> replied to me:


Swen has code to locate the "Default Mail Account" under the Internet 
Account Manager registry key then to extract the "SMTP Email Address" 
value appropriately.  This is then stored in a variable in the virus 
that is later used for the argument to the "MAIL FROM:" SMTP command 
while sending Email.  (It is possible that some other part of 
the Swen 
code I have not closely analysed surreptitiously changes the contents 
of this variable in some circumstances, but there is no obvious code 
that also alters the contents of the buffer used to hold the string 
pulled from the registry location just described...)

This is all based on disassembly and is corroborated by reports from 
other researchers who have watched it under debuggers, emulation, etc.


If it's as poorly written as most malware is, it most likely screws this
up as well.  ...


8-)

You should be careful -- I get hate mail for saying stuff like that...


...  All I can tell you is that I get tens of bounces on my
personal home email account daily, and I can assure you that I am not
infected.  I'll take a look tonight (because I'm sure there will be at
least 50 or 60 virus mails and bounces in my deleted items folder) and
see what's in the headers.


Ahhhhh -- I didn't understand what you were saying before.

I am getting such bogus "bounces" too (about one for every ten 
"natural" samples I receive), but recall that many stupid Email gateway 
scanners will send "bounces" to addresses in the  From: and/or Sender: 
headers (and even to addresses in Reply-To:, X-Originally-From: and 
other weird custom headers -- clearly these products are written by 
chimpanzees that cannot read RFCs...).


You can disassemble and run simulations til you're blue in the face, but
things don't work perfectly in the real world, as I *know* you know.


Indeed I can, but when I do -- like Joe -- I tend to take quite some 
professional pride in the work (unlike the folk who wrote the SMTP 
processors that are busy sending you those "bounces").


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: