Full Disclosure mailing list archives

Does Swen forge the sender? WARNING - LONG POST

From: Paul Schmehl <pauls () utdallas edu>
Date: Sat, 27 Sep 2003 11:40:32 -0500

In deference to the experts, Joe and Nick, rather than argue about whatSwen does, I'll just post some headers and ask for a *brief* explanation ofthem.

1st header is a "bounce" to my work account. Unfortunately the bouncingparty didn't bother to include the original message headers, but it'sevident that they *thought* that I sent them the virus. Since the "From"address was "Microsoft Security Support"<dyfotwrltwosb_whweemsf () bulletin msn com>, how does this get back to meunless the "MAIL FROM" command was "pauls () utdallas edu"?

Received: from null-pmn.utdallas.edu ([129.110.10.1]) byutdevs02.campus.ad.utdallas.edu with Microsoft SMTPSVC(5.0.2195.6713);

         Sat, 27 Sep 2003 00:49:54 -0500
Received: from localhost (localhost [127.0.0.1])
        by null-pmn.utdallas.edu (Postfix) with ESMTP id 404FE1A06B1
        for <pauls () utdallas edu>; Sat, 27 Sep 2003 00:50:04 -0500 (CDT)
Received: from mx0.utdallas.edu ([127.0.0.1])
by localhost (ns0 [127.0.0.1]) (amavisd-new, port 10024) with LMTP
id 29640-01-56 for <pauls () utdallas edu>;
Sat, 27 Sep 2003 00:50:03 -0500 (CDT)
Received: from mail.cosmofilms.com (unknown [203.112.156.12])
        by mx0.utdallas.edu (Postfix) with ESMTP id F175A38A92
        for <pauls () utdallas edu>; Sat, 27 Sep 2003 00:46:09 -0500 (CDT)
Received: from mail.cosmofilms.com (localhost [127.0.0.1])
        by mail.cosmofilms.com (8.12.9/8.12.9) with ESMTP id h8R5jW2B005365
        for <pauls () utdallas edu>; Sat, 27 Sep 2003 11:17:10 +0530
Received: from aygad (logistic.cosmofilms.com [192.9.200.210])
        by mail.cosmofilms.com (8.12.9/8.12.9) with SMTP id h8R5ij5w005085;
        Sat, 27 Sep 2003 11:14:45 +0530
Date: Sat, 27 Sep 2003 11:14:45 +0530
Message-Id: <200309270544.h8R5ij5w005085 () mail cosmofilms com>
From: "Microsoft Security Support" <dyfotwrltwosb_whweemsf () bulletin msn com>
To: " " <zwhbfu_ajnkwdm () bulletin msn com>
SUBJECT: Current Net Security Update
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="yczwccphdsq"
Return-Path: webserv () cosmofilms com

X-OriginalArrivalTime: 27 Sep 2003 05:49:54.0912 (UTC)FILETIME=[2D3B5600:01C384BB]


--lodywg
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD></HEAD>
<BODY>
<iframe src=3D"cid:oygkdfqowfov" height=3D0 width=3D0></iframe>
<BR><BR><BR>Undelivered mail to <B>lajgfy () bigfoot com</B>
<BR><BR><BR>Message follows:<BR><BR><BR><BR>
</BODY></HTML>

--lodywg
Content-Type: audio/x-wav; name="ctlsz.scr"
Content-Transfer-Encoding: base64
Content-Id: <oygkdfqowfov>

------------------  Virus Warning Message (on mail.cosmofilms.com)

Found virus WORM_SWEN.A in file Pack6579.exe
The uncleanable file is deleted.

---------------------------------------------------------

The second message is a "bounce" from Swen itself. Interesting that it hasan attachment which does not show up in Outllook Express because I forceplain text for all incoming messages. If I understand what you are sayingcorrectly the infected party should be "mdrake8 () bellsouth net", correct?That *does* appear to be the case, since the mail originated at bellsouth.

X-Apparently-To: pschmehl () sbcglobal net via web80308.mail.yahoo.com; 27 Sep2003 04:00:27 -0700 (PDT)

X-YahooFilteredBulk: 205.152.59.72
Return-Path: <mdrake8 () bellsouth net>
Received: from vmd-ext.prodigy.net (207.115.63.89)
 by mta818.mail.yahoo.com with SMTP; 27 Sep 2003 04:00:25 -0700 (PDT)
X-Originating-IP: [205.152.59.72]

Received: from imf24aec.mail.bellsouth.net (imf24aec.mail.bellsouth.net[205.152.59.72])

        by vmd-ext.prodigy.net (8.12.9/8.12.3) with ESMTP id h8RB0OeJ069304
        for <pschmehl () sbcglobal net>; Sat, 27 Sep 2003 07:00:24 -0400
Received: from menospxe ([65.81.163.202]) by imf24aec.mail.bellsouth.net
         (InterMail vM.5.01.05.27 201-253-122-126-127-20021220) with SMTP
         id <20030927110014.JDHB1810.imf24aec.mail.bellsouth.net@menospxe>;
         Sat, 27 Sep 2003 07:00:14 -0400
FROM: "Admin" <smtpautomat () bigfoot com>
TO: "Network User" <receiver () mxserver com>
SUBJECT: Bug Report
Mime-Version: 1.0
Content-Type: multipart/alternative;
        boundary="lodywg"
Message-Id: <20030927110014.JDHB1810.imf24aec.mail.bellsouth.net@menospxe>
Date: Sat, 27 Sep 2003 07:00:19 -0400

The third message is an actual copy of Swen sent directly to my homeaddress. (I can't get any at work since we bounce them all.) Again thisappears to be from pratsc () terra es who's computer is infected.

X-Apparently-To: pschmehl () sbcglobal net via web80308.mail.yahoo.com; 27 Sep2003 07:38:21 -0700 (PDT)

X-YahooFilteredBulk: 213.4.129.129
Return-Path: <pratsc () terra es>

Received: from mailapps1-ext.prodigy.net (EHLO mailapps1-int.prodigy.net)(207.115.63.107)

 by mta807.mail.yahoo.com with SMTP; 27 Sep 2003 07:38:20 -0700 (PDT)
X-Header-Overseas: Mail.from.Overseas.source.213.4.129.129
X-Header-Maps: blocked.by.Prodigy.dialups.list.213.4.129.129
X-Originating-IP: [213.4.129.129]
Received: from tsmtp5.mail.isp (smtp.terra.es [213.4.129.129])
        by mailapps1-int.prodigy.net (8.12.9/8.12.3) with ESMTP id h8REcIld776526
        for <pschmehl () sbcglobal net>; Sat, 27 Sep 2003 10:38:18 -0400
Date: Sat, 27 Sep 2003 10:38:18 -0400
Message-Id: <200309271438.h8REcIld776526 () mailapps1-int prodigy net>
Received: from tmvav ([213.97.150.28]) by tsmtp5.mail.isp

(terra.es) with SMTP id HLVN7N01.FO3; Sat, 27 Sep 2003 16:35:47+0200

FROM: "Microsoft Security Center" <rumkxowkdyane_fheumvnb () confidence net>
TO: "Commercial Partner" <partner-chzzawgyg () confidence net>
SUBJECT:
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="kbeceexggkugyd"

--kbeceexggkugyd
Content-Type: multipart/related; boundary="foudxvmnxeo";
        type="multipart/alternative"

--foudxvmnxeo
Content-Type: multipart/alternative; boundary="mxdpvsxsnxqyeaia"

--mxdpvsxsnxqyeaia
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Microsoft Partner

this is the latest version of security update, the
"September 2003, Cumulative Patch" update which resolves
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express.
Install now to continue keeping your computer secure.
This update includes the functionality =
of all previously released patches.

So how does the first bounce get to me?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Does Swen forge the sender? WARNING - LONG POST Paul Schmehl (Sep 27)
- Re: Does Swen forge the sender? WARNING - LONG POST Nick FitzGerald (Sep 27)
- Re: Does Swen forge the sender? WARNING - LONG POST Kee Hinckley (Sep 27)