Full Disclosure mailing list archives
Re: Does Swen forge the sender? WARNING - LONG POST
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 28 Sep 2003 08:18:15 +1200
Paul Schmehl <pauls () utdallas edu> wrote:
In deference to the experts, Joe and Nick, rather than argue about what Swen does, I'll just post some headers and ask for a *brief* explanation of them. 1st header is a "bounce" to my work account. Unfortunately the bouncing party didn't bother to include the original message headers, but it's evident that they *thought* that I sent them the virus. Since the "From" address was "Microsoft Security Support" <dyfotwrltwosb_whweemsf () bulletin msn com>, how does this get back to me unless the "MAIL FROM" command was "pauls () utdallas edu"?
<<snip headers Paul has correctly deciphered>>

As well as what Joe and I have already said about Swen's grabbing the "SMTP Email Address" value from the default IAM account in the registry and its use of this as the MAIL FROM: argument, don't forget that as well as mass-sending itself as an apparent MS security patch, Swen also sends itself as an attachment to Emails faked as bounce messages. This seems to be what the first example message you posted is. Note that it has an Incorrect MIME Type exploit in the body _of the bounce message_. If it were really a bounce of a Swen message, that exploit would be in the body of the bounced message rather than in the message part telling you it was unable to deliver some other message.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
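An added example (not code from this thread or from either poster) covering both points above: Paul's question of how a bounce reaches him when the From: header is faked, and Nick's observation that a forged bounce carries its payload in the bounce body itself instead of inside a bounced message. The first function shows that a delivery failure is returned to the SMTP envelope sender (MAIL FROM:, recorded by the receiving MTA as Return-Path:), not to the From: header; the second classifies a message claiming to be a bounce by whether it has the structure of a real delivery-status notification. All three sample messages, addresses and filenames are constructed, and the form of the "incorrect MIME type" check (declared Content-Type disagreeing with the attached filename's extension) is an assumption.

```python
# Added example: envelope sender vs. From: header, and genuine DSN vs. forged bounce.
# Sample messages below are constructed; addresses and filenames are placeholders.
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

BOUNCE_HINTS = ("undeliver", "returned", "mailer-daemon", "postmaster", "mail delivery")
# Assumed shape of the "incorrect MIME type" problem: an executable filename
# delivered under a non-application MIME type.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")

# Constructed: what a recipient MTA stores after an SMTP session whose
# MAIL FROM: was the infected user's address while From: was faked.
WORM_MESSAGE = """Return-Path: <victim@example.org>
From: "Microsoft Security Support" <patch-notice@bulletin.example.com>
To: pauls@example.edu
Subject: Latest Internet Security Update
Content-Type: text/plain

Install the attached update.
"""

# Constructed: a real DSN. Envelope sender is null (<>) so the bounce itself
# cannot bounce; the failed message travels inside a message/rfc822 part.
GENUINE_DSN = """Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: pauls@example.edu
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The message could not be delivered.
--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1
--B1
Content-Type: message/rfc822

From: pauls@example.edu
To: nobody@example.net
Subject: hello

original text
--B1--
"""

# Constructed: a message faked as a bounce. No delivery-status part; the
# attachment sits directly in the bounce body under a type that does not
# match its filename.
FAKE_BOUNCE = """Return-Path: <victim@example.org>
From: Mail Delivery Subsystem <postmaster@example.org>
To: pauls@example.edu
Subject: Undeliverable mail
Content-Type: multipart/mixed; boundary="B2"

--B2
Content-Type: text/plain

Your message could not be delivered. The original message is attached.
--B2
Content-Type: audio/x-wav; name="message.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="message.exe"

Tm90IGEgcmVhbCBiaW5hcnk=
--B2--
"""


def parse(raw: str) -> Message:
    return message_from_string(raw)


def envelope_sender(msg: Message) -> str:
    """Return-Path address; '' is the null sender that real bounces use."""
    raw = msg.get("Return-Path", "").strip()
    return "" if raw in ("", "<>") else parseaddr(raw)[1]


def header_sender(msg: Message) -> str:
    return parseaddr(msg.get("From", ""))[1]


def bounce_goes_to(msg: Message) -> str:
    """A DSN for this message is addressed to the envelope sender, never to From:."""
    return envelope_sender(msg)


def looks_like_bounce(msg: Message) -> bool:
    text = (msg.get("Subject", "") + " " + msg.get("From", "")).lower()
    return msg.get_content_type() == "multipart/report" or any(h in text for h in BOUNCE_HINTS)


def mismatched_attachments(msg: Message) -> list:
    """Executable filenames whose declared MIME type is not application/*."""
    out = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTENSIONS) and part.get_content_maintype() != "application":
            out.append(name)
    return out


def classify_bounce(msg: Message) -> str:
    if not looks_like_bounce(msg):
        return "not-a-bounce"
    types = {p.get_content_type() for p in msg.walk()}
    has_status = "message/delivery-status" in types
    has_original = bool(types & {"message/rfc822", "text/rfc822-headers"})
    if msg.get_content_type() == "multipart/report" and has_status and has_original:
        return "genuine-dsn"
    # Claims to be a bounce but carries its own attachment instead of the failed message
    if any(p.get_filename() for p in msg.walk()):
        return "forged-bounce"
    return "unstructured-bounce"


if __name__ == "__main__":
    worm = parse(WORM_MESSAGE)
    print("From: says", header_sender(worm), "; a bounce would go to", bounce_goes_to(worm))
    for raw in (GENUINE_DSN, FAKE_BOUNCE):
        print(classify_bounce(parse(raw)), mismatched_attachments(parse(raw)))
```

The first print answers Paul's question: a recipient MTA that rejects the worm message sends its failure notice to `victim@example.org` from Return-Path, whatever the From: header claims. The classifier encodes Nick's point: a genuine DSN wraps the failed message in a message/rfc822 part next to a message/delivery-status part, so anything it carried would be inside the bounced message; a "bounce" that instead has an attachment directly in its own body has no reason to exist as a DSN and is treated as forged.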
Current thread:
- Does Swen forge the sender? WARNING - LONG POST Paul Schmehl (Sep 27)
- Re: Does Swen forge the sender? WARNING - LONG POST Nick FitzGerald (Sep 27)
- Re: Does Swen forge the sender? WARNING - LONG POST Kee Hinckley (Sep 27)