Full Disclosure mailing list archives

RE: MyDoom virus sent is an earlier message with subject "Error"

From: "Bill Royds" <full-disclosure () royds net>
Date: Sun, 8 Feb 2004 11:26:52 -0500
An earlier message sent to the Full Disclosure list was a copy of the Mydoom virus (since FD is not moderated).

It shows a little how this virus is propagating and one reason for its fast spread and persistence.

By using email addresses in files and saved email and also generating random addresses to the domains it finds, it is 
finding many more delivery addresses than previous viruses and using NDR responses to propagate to make multiple copies 
of itself to forward.

Here is the email to FD with headers that I received with some annotation to show deceptions that virus practises to 
help propagate.

The key header is the third Received: header
Received: from helgeson.com (80-235-33-127-dsl.mus.estpak.ee [80.235.33.127])
        by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i18EnoU08477
        for <full-disclosure () lists netsys com>; Sun, 8 Feb 2004 09:49:51 -0500 (EST)

The message claims to be from Joel () helgeson com, who is probably a member of the FD list, but who had absolutely 
nothing to do with the sending of the email. It was sent from host 80-235-33-127-dsl.mus.estpak.ee [80.235.33.127] (in 
Estonia) which was running the virus's SMTP engine, which fakes the SMTP HELO response to say it is helgeson.com.
  This seems to persuade some SMTP MTA's that it is not being forged, since the domain of nominal sender and the HELO 
domain are the same.

If instead of reaching a valid recipient (such as full-disclosure () lists netsys com in this case), it had been sent 
to susan () lists netsys com (one of its made-up email addresses), the lists.netsys.com NDR bounce message would send 
the message back to Joel () helgeson com carrying the complete virus (as it doesn't analyse the message, just returns 
it as attachment in bounce message).

Joel () helgeson com will be bombarded by the virus as if it were coming from postmaster () lists netsys com, which may 
be on a whitelist and let through. So the virus manages to gain delivery through third parties as well as directly.

AV programs that send warnings to the from address do even more harm to Joel, who had nothing to do with the virus 
other than once posting in FD.

==================================================

Return-Path: <full-disclosure-admin () lists netsys com>
Received: from netsys.com (NETSYS.COM [199.201.233.10])
        by mail2.zoneedit.com (Postfix) with ESMTP id D7D662EA976
        for <full-disclosure () royds net>; Sun,  8 Feb 2004 10:43:46 -0500 (EST)
Received: from NETSYS.COM (localhost [127.0.0.1])
        by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i18EpXS09093;
        Sun, 8 Feb 2004 09:51:34 -0500 (EST)
Received: from helgeson.com (80-235-33-127-dsl.mus.estpak.ee [80.235.33.127])
        by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i18EnoU08477
        for <full-disclosure () lists netsys com>; Sun, 8 Feb 2004 09:49:51 -0500 (EST)
Message-Id: <200402081449.i18EnoU08477 () netsys com>
From: joel () helgeson com
To: full-disclosure () lists netsys com
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0004_830D6A05.0CE2EC43"
X-Priority: 3
X-MSMail-Priority: Normal
Subject: [Full-disclosure] Error
Sender: full-disclosure-admin () lists netsys com
Errors-To: full-disclosure-admin () lists netsys com
X-BeenThere: full-disclosure () lists netsys com
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <http://lists.netsys.com/mailman/listinfo/full-disclosure>,
        <mailto:full-disclosure-request () lists netsys com?subject=unsubscribe>
List-Id: Discussion of security issues <full-disclosure.lists.netsys.com>
List-Post: <mailto:full-disclosure () lists netsys com>
List-Help: <mailto:full-disclosure-request () lists netsys com?subject=help>
List-Subscribe: <http://lists.netsys.com/mailman/listinfo/full-disclosure>,
        <mailto:full-disclosure-request () lists netsys com?subject=subscribe>
List-Archive: <http://lists.netsys.com/pipermail/full-disclosure/>
Date: Sun, 8 Feb 2004 16:49:34 +0200


AS4ð
Ÿˆt_1óé.,8(š9øƒW8Es†‚Ë_D²jŒ1ä_“PñU]Ý5õÃ etc.

******************   McAfee VirusScan ************************
******* Alert generated at: Sun, 08 Feb 2004 10:57:21 -0500 *********
*********************************************************************

McAfee VirusScan has detected a potential threat in this e-mail 
sent by joel () helgeson com.
The following actions were attempted on each suspicious part. 
We strongly recommend that you report this virus-related activity 
to joel () helgeson com.


 The attachment "doc.zip" is infected with the W32/Mydoom.a@MM Virus(es). 
This attachment has been cleaned.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:

Error joel (Feb 08)
- RE: MyDoom virus sent is an earlier message with subject "Error" Bill Royds (Feb 08)
  - Re: MyDoom virus sent is an earlier message with subject "Error" Joel R. Helgeson (Feb 08)