Full Disclosure mailing list archives

Re: Does Swen forge the sender? WARNING - LONG POST


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 28 Sep 2003 08:18:15 +1200

Paul Schmehl <pauls () utdallas edu> wrote:

In deference to the experts, Joe and Nick, rather than argue about what 
Swen does, I'll just post some headers and ask for a *brief* explanation of 
them.

1st header is a "bounce" to my work account.  Unfortunately the bouncing 
party didn't bother to include the original message headers, but it's 
evident that they *thought* that I sent them the virus.  Since the "From" 
address was "Microsoft Security Support" 
<dyfotwrltwosb_whweemsf () bulletin msn com>, how does this get back to me 
unless the "MAIL FROM" command was "pauls () utdallas edu"?
<<snip headers Paul has correctly deciphered>>

As well as what Joe and I have already said about Swen's grabbing the 
"SMTP Email Address" value from the default IAM account in the registry 
and its use of this as the MAIL FROM: argument, don't forget that as 
well as mass-sending itself as an apparent MS security patch, Swen also 
sends itself as an attachment to Emails faked as bounce messages.

This seems to be what the first example message you posted is.  Note 
that it has an Incorrect MIME Type exploit in the body _of the bounce 
message_.  If it were really a bounce of a Swen message, that exploit 
would be in the body of the bounced message rather than in the message 
part telling you it was unable to deliver some other message.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
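Nick's test for telling a real bounce from one of Swen's faked ones (the attachment with the wrong MIME type sits in the notification body itself, rather than inside the returned original) can be turned into a structural check. The script below is an added example, not code from the post or from any analysis of Swen; the two sample messages are constructed, the lists of executable extensions and "binary" MIME types are assumptions, and the base64 payloads are a short stub rather than a real executable.

```python
import email
import os
from email import policy

# Assumed lists (not from the post): extensions Windows runs as programs, and
# the MIME types under which an executable attachment could be honestly
# declared. An executable under any other type is treated as a mismatch.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload",
                "application/x-msdos-program"}

STUB = b"TVqQAAMAAAAEAAAA//8AAA=="  # constructed stub, not a real binary

# Constructed sample: notification body itself carries the mismatched part.
FAKE_BOUNCE = b"""From: Mail Delivery Subsystem <postmaster@example.net>
To: pauls@example.edu
Subject: Undeliverable Mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered. The failed message is attached.
--b1
Content-Type: audio/x-wav; name="message.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="message.exe"

""" + STUB + b"""
--b1--
"""

# Constructed sample: an RFC 3464 DSN returning a suspect original intact.
REAL_BOUNCE = b"""From: Mail Delivery System <MAILER-DAEMON@example.net>
To: pauls@example.edu
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: text/plain

The following message could not be delivered.
--b2
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; someone@example.net
Action: failed
Status: 5.1.1
--b2
Content-Type: message/rfc822

From: Security Support <support@bulletin.example.com>
To: someone@example.net
Subject: Latest Internet Security Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b3"

--b3
Content-Type: text/html

<html>Install the attached patch.</html>
--b3
Content-Type: audio/x-wav; name="patch.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="patch.exe"

""" + STUB + b"""
--b3--
--b2--
"""


def parse(raw):
    return email.message_from_bytes(raw, policy=policy.default)


def _leaves(part, inside_rfc822=False):
    """Yield (leaf, inside_rfc822): whether each leaf sits inside an attached
    message/rfc822, i.e. inside the bounced original rather than the notice."""
    if part.get_content_type() == "message/rfc822":
        for sub in part.get_payload():
            yield from _leaves(sub, True)
    elif part.is_multipart():
        for sub in part.get_payload():
            yield from _leaves(sub, inside_rfc822)
    else:
        yield part, inside_rfc822


def mismatched_attachments(msg):
    """Executable attachments declared under a non-binary Content-Type, as
    (filename, declared type, inside_bounced_original) tuples."""
    hits = []
    for leaf, inside in _leaves(msg):
        name = leaf.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        ctype = leaf.get_content_type()
        if ext in EXEC_EXTS and ctype not in BINARY_TYPES:
            hits.append((name, ctype, inside))
    return hits


def is_dsn(msg):
    """Shaped like an RFC 3464 delivery status notification?"""
    if msg.get_content_type() != "multipart/report":
        return False
    if str(msg.get_param("report-type", "")).lower() != "delivery-status":
        return False
    return any(p.get_content_type() == "message/delivery-status"
               for p in msg.walk())


def classify(raw):
    """'fake-bounce' when the mismatch is in the notification itself,
    'genuine-dsn' when it only appears inside the returned original."""
    msg = parse(raw)
    hits = mismatched_attachments(msg)
    if any(not inside for _, _, inside in hits):
        return "fake-bounce"
    if is_dsn(msg):
        return "genuine-dsn"
    return "other"


if __name__ == "__main__":
    for label, raw in (("fake", FAKE_BOUNCE), ("real", REAL_BOUNCE)):
        print(label, classify(raw), mismatched_attachments(parse(raw)))
```

The check deliberately ignores the From: line and the envelope sender, since the post's point is that Swen forges both from the registry value; only the placement of the mismatched part survives as evidence.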

