Security Incidents mailing list archives

Tracking SirCam

From: Peter Krawczyk <petek () mc net>
Date: Wed, 25 Jul 2001 10:49:05 -0600 (MDT)

Trying to track the SirCam virus without looking at the body of the
message, we've found a way to track it via headers.

In the header of the message, everything looks dynamic, and so tracking it
seems to be hard.  However, there is a slip -- the Date: header actaully
appears as 'date:'.

A cursory examination of thousands of emails from mailing lists, private
sources, and other sources shows that the only messages using the lower
case 'date:' for the header are sent by the SirCam virus.

This may help those of you who want to filter on headers and not on
message body.

-Pete K
--
Pete Krawczyk <petek () mc net>
  Senior System Administrator
  mc.net <http://www.mc.net/>
  (847) 594-5111



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Tracking SirCam Peter Krawczyk (Jul 25)
- Re: Tracking SirCam Don Hammond (Jul 25)
- Re: Tracking SirCam Greg A. Woods (Jul 25)
  - Re: Tracking SirCam Nick FitzGerald (Jul 26)
- Re: Tracking SirCam Gary Flynn (Jul 25)
  - Re: Tracking SirCam Nick FitzGerald (Jul 26)