Re: Tracking SirCam

[Don Hammond <admin1 () tradersdata com>]

On 25 Jul, Peter Krawczyk wrote:
| Trying to track the SirCam virus without looking at the body of the
| message, we've found a way to track it via headers.
| 
| In the header of the message, everything looks dynamic, and so tracking it
| seems to be hard.  However, there is a slip -- the Date: header actaully
| appears as 'date:'.
| 
| A cursory examination of thousands of emails from mailing lists, private
| sources, and other sources shows that the only messages using the lower
| case 'date:' for the header are sent by the SirCam virus.
| 
| This may help those of you who want to filter on headers and not on
| message body.

That may guarantee no false positives, but I don't think it guarantees
no false negatives (i.e. don't rely on it to catch all of them). All
but one of these I've seen came through mail lists (sans payload), so
the Date: header wouldn't be as originally sent.  But I have one that
came direct and has a "normal" Date: header that is not lower case.




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com