Security Incidents mailing list archives

Re: Tracking SirCam


From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Thu, 26 Jul 2001 10:47:43 +1200

Gary Flynn <flynngn () jmu edu> wrote:

In the header of the message, everything looks dynamic, and so tracking it
seems to be hard.  However, there is a slip -- the Date: header actually
appears as 'date:'.

Which, while odd, is standards-compliant...

Sorry I haven't kept up with this one. This message seems to be saying
the virus engineers its own SMTP header.

Of course -- it does *not* use Outlook, OE, Eudora or any other 
mailer for doing its Email.  It has its own SMTP sending code so it 
has to create its own headers...

Is the FROM: information correct?

No.

Except it "usually" will be...

SirCam grabs some settings from the Internet Account Manager registry
key, including the user's Email address and display name.  It uses
those two for its "from" information headers (envelope and message).  
Thus, From: will be "correct" if the victim machine has a correctly 
configured IE, OE or Outlook (?) installation (and maybe other things 
use the IAM keys/values too?).


Regards,

Nick FitzGerald

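The lowercase 'date:' field discussed above is a useful fingerprint of a hand-rolled header block precisely because it is legal: RFC 822/2822 field names are case-insensitive, so a normal parser still finds the Date field and nothing rejects the message. The following script (an added example, not part of the original post and not SirCam's code) parses two constructed sample messages, reports the field name exactly as it appears on the wire, and confirms that a case-insensitive lookup of Date still succeeds. The sample headers and addresses are made up for illustration.

```python
"""Fingerprint mail headers whose Date field name is written in lowercase.

Added example for the thread above; the messages below are constructed and
do not reproduce any real SirCam traffic.
"""
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed sample: a header block written by hand-rolled SMTP code that
# emits the field name as 'date:' (the trait discussed in the thread).
SAMPLE_HANDROLLED = (
    "From: Alice Example <alice@example.org>\r\n"
    "To: bob@example.net\r\n"
    "Subject: test\r\n"
    "date: Thu, 26 Jul 2001 10:47:43 +1200\r\n"
    "MIME-Version: 1.0\r\n"
    "\r\n"
    "body\r\n"
)

# Constructed sample: the same message as a typical mail client would emit it.
SAMPLE_MUA = (
    "From: Alice Example <alice@example.org>\r\n"
    "To: bob@example.net\r\n"
    "Subject: test\r\n"
    "Date: Thu, 26 Jul 2001 10:47:43 +1200\r\n"
    "Message-ID: <1234@example.org>\r\n"
    "MIME-Version: 1.0\r\n"
    "\r\n"
    "body\r\n"
)


def raw_field_names(raw: str) -> List[str]:
    """Return header field names exactly as received; the parser keeps case."""
    return list(HeaderParser().parsestr(raw, headersonly=True).keys())


def header_fingerprint(raw: str) -> Dict[str, object]:
    """Report how the Date field was spelled and whether it still parses.

    'lowercase_date' is True when the field name on the wire is exactly
    'date'.  Because field names are case-insensitive, msg.get("Date")
    finds it either way, which is why the message is still deliverable.
    """
    msg = HeaderParser().parsestr(raw, headersonly=True)
    names = list(msg.keys())
    date_value: Optional[str] = msg.get("Date")  # case-insensitive lookup
    date_parses = False
    if date_value is not None:
        try:
            parsedate_to_datetime(date_value)
            date_parses = True
        except (TypeError, ValueError):
            date_parses = False
    return {
        "raw_date_name": next((n for n in names if n.lower() == "date"), None),
        "lowercase_date": any(n == "date" for n in names),
        "date_parses": date_parses,
        "from": msg.get("From"),
    }


if __name__ == "__main__":
    for label, sample in (("hand-rolled", SAMPLE_HANDROLLED), ("MUA", SAMPLE_MUA)):
        print(label, header_fingerprint(sample))
```

Note that From: is reported but not judged: as the message above explains, the sender address is taken from the victim's own mail configuration, so it will usually look legitimate and cannot be used on its own to separate these messages from real ones.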
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
