Full Disclosure mailing list archives

Re: Swen Really Sucks


From: "Mary Landesman" <mlande () bellsouth net>
Date: Fri, 26 Sep 2003 11:07:11 -0400

Swen does not only compose email pretending to be a patch from Microsoft. It
also composes email pretending to be a bounced message. There are various
renditions of the false 'return to sender'. A couple of examples follow:

-----------------------------------------
Hi.
I'm afraid I wasn't able to deliver your message to one or more
destinations.
Undeliverable mail to ykhytbgqcg () bigfoot net
------------------------------------------
I'm sorry to have to inform you that the message returned below could not be
delivered to one or more destinations.
Undeliverable message to sxlpvjk () america net
------------------------------------------
Undelivered mail to pdijepslaw () netmail net
Message follows:
-----------------------------------------

F-Secure has a complete list at:
http://www.f-secure.com/v-descs/swen.shtml

Regards,
Mary Landesman
Antivirus About.com Guide
http://antivirus.about.com


----- Original Message ----- 
From: "Kye Lewis" <kye () lewislan id au>
To: <full-disclosure () lists netsys com>
Cc: "Craig Pratt" <craig () strong-box net>
Sent: Friday, September 26, 2003 10:03 AM
Subject: Re: [Full-disclosure] Swen Really Sucks


[..]

So, has anyone actually sent mail to an envelope sender to see if
they're actually infected? Or is it possible this thing just likes to
fake the same sender for all outgoing messages?

Seeing that I have a collection of around 2000 unique and believable
return-paths from this virus, it seems quite likely that they're legitimate.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

