Security Incidents mailing list archives
Tracking SirCam
From: Peter Krawczyk <petek () mc net>
Date: Wed, 25 Jul 2001 10:49:05 -0600 (MDT)
Trying to track the SirCam virus without looking at the body of the message, we've found a way to track it via headers.

In the header of the message, everything looks dynamic, and so tracking it seems to be hard. However, there is a slip -- the Date: header actually appears as 'date:'. A cursory examination of thousands of emails from mailing lists, private sources, and other sources shows that the only messages using the lower case 'date:' for the header are sent by the SirCam virus.

This may help those of you who want to filter on headers and not on message body.

-Pete K

--
Pete Krawczyk <petek () mc net>
Senior System Administrator
mc.net <http://www.mc.net/>
(847) 594-5111

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
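The header check described in the message above, as an added example that is not part of the original post: it reads only the header block of a raw message and flags a Date field whose name is spelled exactly 'date', ignoring folded continuation lines and anything in the body. The function names and the sample messages are constructed for illustration.

```python
import re

# Header field name: printable ASCII except ':', then optional blanks and ':'.
_FIELD = re.compile(rb"^([!-9;-~]+)[ \t]*:")

def header_field_names(raw):
    """Return header field names exactly as spelled in the message, in order."""
    names = []
    for line in raw.splitlines():
        if line == b"":                 # first empty line ends the header block
            break
        if line[:1] in (b" ", b"\t"):   # folded continuation, not a new field
            continue
        m = _FIELD.match(line)
        if m:
            names.append(m.group(1).decode("ascii"))
    return names

def has_lowercase_date_header(raw):
    """True when a header field name is exactly 'date' (case-sensitive)."""
    return any(name == "date" for name in header_field_names(raw))

def flag_messages(messages):
    """Return the sorted ids of messages that carry the lower-case 'date:' field."""
    return sorted(k for k, raw in messages.items() if has_lowercase_date_header(raw))

# Constructed sample messages (not real traffic).
SAMPLES = {
    "normal": (b"From: a@example.com\r\n"
               b"Date: Wed, 25 Jul 2001 10:49:05 -0600\r\n"
               b"Subject: status\r\n\r\n"
               b"date: this line is body text\r\n"),
    "flagged": (b"From: b@example.com\r\n"
                b"date: Wed, 25 Jul 2001 10:49:05 -0600\r\n"
                b"Subject: hello\r\n\r\nbody\r\n"),
    "folded": (b"From: c@example.com\n"
               b"Subject: meeting\n"
               b"\tdate: moved to Friday\n"
               b"DATE: Wed, 25 Jul 2001 10:49:05 -0600\n\nbody\n"),
}

if __name__ == "__main__":
    for msg_id in flag_messages(SAMPLES):
        print("lower-case date: header in message", msg_id)
```

The comparison is deliberately case-sensitive; most mail libraries look headers up case-insensitively, which would hide the distinction the message relies on.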