Security Incidents mailing list archives
Re: Tracking SirCam
From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Thu, 26 Jul 2001 10:47:43 +1200
Gary Flynn <flynngn () jmu edu> wrote:
In the header of the message, everything looks dynamic, and so tracking it seems to be hard. However, there is a slip -- the Date: header actaully appears as 'date:'.
Which, while odd, is standards-compliant...
Sorry I haven't kept up with this one. This message seems to be saying the virus engineers its own SMTP header.
Of course -- it does *not* use Outlook, OE, Eudora or any other mailer for doing its Email. It has its own SMTP sending code so it has to create its own headers...
Is the FROM: information correct?
No. Except it "usually" will be... SirCam grabs some settings from the Internet Account Manager registry key, including the user's Email address and display name. It uses those two for its "from" information headers (envelope and message). Thus, From: will be "correct" if the victim machine has a correctly configured IE, OE or Outlook (?) installation (and maybe other things use the IAM keys/values too?). Regards, Nick FitzGerald ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Tracking SirCam Peter Krawczyk (Jul 25)
- Re: Tracking SirCam Don Hammond (Jul 25)
- Re: Tracking SirCam Greg A. Woods (Jul 25)
- Re: Tracking SirCam Nick FitzGerald (Jul 26)
- Re: Tracking SirCam Gary Flynn (Jul 25)
- Re: Tracking SirCam Nick FitzGerald (Jul 26)