[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Does Swen forge the sender? WARNING - LONG POST

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] Does Swen forge the sender? WARNING - LONG POST
From: Paul Schmehl <pauls@xxxxxxxxxxxx>
Date: Sat, 27 Sep 2003 11:40:32 -0500

In deference to the experts, Joe and Nick, rather than argue about what Swen does, I'll just post some headers and ask for a *brief* explanation of them.

1st header is a "bounce" to my work account. Unfortunately the bouncing party didn't bother to include the original message headers, but it's evident that they *thought* that I sent them the virus. Since the "From" address was "Microsoft Security Support" <dyfotwrltwosb_whweemsf@xxxxxxxxxxxxxxxx>, how does this get back to me unless the "MAIL FROM" command was "pauls@xxxxxxxxxxxx"?

Received: from null-pmn.utdallas.edu ([129.110.10.1]) by utdevs02.campus.ad.utdallas.edu with Microsoft SMTPSVC(5.0.2195.6713); Sat, 27 Sep 2003 00:49:54 -0500 Received: from localhost (localhost [127.0.0.1]) by null-pmn.utdallas.edu (Postfix) with ESMTP id 404FE1A06B1 for <pauls@xxxxxxxxxxxx>; Sat, 27 Sep 2003 00:50:04 -0500 (CDT) Received: from mx0.utdallas.edu ([127.0.0.1]) by localhost (ns0 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 29640-01-56 for <pauls@xxxxxxxxxxxx>; Sat, 27 Sep 2003 00:50:03 -0500 (CDT) Received: from mail.cosmofilms.com (unknown [203.112.156.12]) by mx0.utdallas.edu (Postfix) with ESMTP id F175A38A92 for <pauls@xxxxxxxxxxxx>; Sat, 27 Sep 2003 00:46:09 -0500 (CDT) Received: from mail.cosmofilms.com (localhost [127.0.0.1]) by mail.cosmofilms.com (8.12.9/8.12.9) with ESMTP id h8R5jW2B005365 for <pauls@xxxxxxxxxxxx>; Sat, 27 Sep 2003 11:17:10 +0530 Received: from aygad (logistic.cosmofilms.com [192.9.200.210]) by mail.cosmofilms.com (8.12.9/8.12.9) with SMTP id h8R5ij5w005085; Sat, 27 Sep 2003 11:14:45 +0530 Date: Sat, 27 Sep 2003 11:14:45 +0530 Message-Id: <200309270544.h8R5ij5w005085@xxxxxxxxxxxxxxxxxxx> From: "Microsoft Security Support" <dyfotwrltwosb_whweemsf@xxxxxxxxxxxxxxxx> To: " " <zwhbfu_ajnkwdm@xxxxxxxxxxxxxxxx> SUBJECT: Current Net Security Update Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="yczwccphdsq" Return-Path: webserv@xxxxxxxxxxxxxx X-OriginalArrivalTime: 27 Sep 2003 05:49:54.0912 (UTC) FILETIME=[2D3B5600:01C384BB]

--lodywg
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD></HEAD>
<BODY>
<iframe src=3D"cid:oygkdfqowfov"; height=3D0 width=3D0></iframe>
<BR><BR><BR>Undelivered mail to <B>lajgfy@xxxxxxxxxxx</B>
<BR><BR><BR>Message follows:<BR><BR><BR><BR>
</BODY></HTML>

--lodywg
Content-Type: audio/x-wav; name="ctlsz.scr"
Content-Transfer-Encoding: base64
Content-Id: <oygkdfqowfov>

------------------ Virus Warning Message (on mail.cosmofilms.com)

Found virus WORM_SWEN.A in file Pack6579.exe
The uncleanable file is deleted.

---------------------------------------------------------

The second message is a "bounce" from Swen itself. Interesting that it has an attachment which does not show up in Outllook Express because I force plain text for all incoming messages. If I understand what you are saying correctly the infected party should be "mdrake8@xxxxxxxxxxxxx", correct? That *does* appear to be the case, since the mail originated at bellsouth.

X-Apparently-To: pschmehl@xxxxxxxxxxxxx via web80308.mail.yahoo.com; 27 Sep 2003 04:00:27 -0700 (PDT) X-YahooFilteredBulk: 205.152.59.72 Return-Path: <mdrake8@xxxxxxxxxxxxx> Received: from vmd-ext.prodigy.net (207.115.63.89) by mta818.mail.yahoo.com with SMTP; 27 Sep 2003 04:00:25 -0700 (PDT) X-Originating-IP: [205.152.59.72] Received: from imf24aec.mail.bellsouth.net (imf24aec.mail.bellsouth.net [205.152.59.72]) by vmd-ext.prodigy.net (8.12.9/8.12.3) with ESMTP id h8RB0OeJ069304 for <pschmehl@xxxxxxxxxxxxx>; Sat, 27 Sep 2003 07:00:24 -0400 Received: from menospxe ([65.81.163.202]) by imf24aec.mail.bellsouth.net (InterMail vM.5.01.05.27 201-253-122-126-127-20021220) with SMTP id <20030927110014.JDHB1810.imf24aec.mail.bellsouth.net@menospxe>; Sat, 27 Sep 2003 07:00:14 -0400 FROM: "Admin" <smtpautomat@xxxxxxxxxxx> TO: "Network User" <receiver@xxxxxxxxxxxx> SUBJECT: Bug Report Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="lodywg" Message-Id: <20030927110014.JDHB1810.imf24aec.mail.bellsouth.net@menospxe> Date: Sat, 27 Sep 2003 07:00:19 -0400

The third message is an actual copy of Swen sent directly to my home address. (I can't get any at work since we bounce them all.) Again this appears to be from pratsc@xxxxxxxx who's computer is infected.

X-Apparently-To: pschmehl@xxxxxxxxxxxxx via web80308.mail.yahoo.com; 27 Sep 2003 07:38:21 -0700 (PDT) X-YahooFilteredBulk: 213.4.129.129 Return-Path: <pratsc@xxxxxxxx> Received: from mailapps1-ext.prodigy.net (EHLO mailapps1-int.prodigy.net) (207.115.63.107) by mta807.mail.yahoo.com with SMTP; 27 Sep 2003 07:38:20 -0700 (PDT) X-Header-Overseas: Mail.from.Overseas.source.213.4.129.129 X-Header-Maps: blocked.by.Prodigy.dialups.list.213.4.129.129 X-Originating-IP: [213.4.129.129] Received: from tsmtp5.mail.isp (smtp.terra.es [213.4.129.129]) by mailapps1-int.prodigy.net (8.12.9/8.12.3) with ESMTP id h8REcIld776526 for <pschmehl@xxxxxxxxxxxxx>; Sat, 27 Sep 2003 10:38:18 -0400 Date: Sat, 27 Sep 2003 10:38:18 -0400 Message-Id: <200309271438.h8REcIld776526@xxxxxxxxxxxxxxxxxxxxxxxxx> Received: from tmvav ([213.97.150.28]) by tsmtp5.mail.isp (terra.es) with SMTP id HLVN7N01.FO3; Sat, 27 Sep 2003 16:35:47 +0200 FROM: "Microsoft Security Center" <rumkxowkdyane_fheumvnb@xxxxxxxxxxxxxx> TO: "Commercial Partner" <partner-chzzawgyg@xxxxxxxxxxxxxx> SUBJECT: Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="kbeceexggkugyd"

--kbeceexggkugyd
Content-Type: multipart/related; boundary="foudxvmnxeo";
        type="multipart/alternative"

--foudxvmnxeo
Content-Type: multipart/alternative; boundary="mxdpvsxsnxqyeaia"

--mxdpvsxsnxqyeaia
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Microsoft Partner

this is the latest version of security update, the
"September 2003, Cumulative Patch" update which resolves
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express.
Install now to continue keeping your computer secure.
This update includes the functionality =
of all previously released patches.

So how does the first bounce get to me?

Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Does Swen forge the sender? WARNING - LONG POST
  - From: Nick FitzGerald
- Re: [Full-Disclosure] Does Swen forge the sender? WARNING - LONG POST
  - From: Kee Hinckley

Prev by Date: Re: [Full-Disclosure] Swen
Next by Date: [Full-Disclosure] Eine Mail an Sie von paul schmehl <pauls@utdallas.edu> enthielt einen Virus!
Previous by thread: Re: [Full-Disclosure] Incriminating innocent peer to peer network users
Next by thread: Re: [Full-Disclosure] Does Swen forge the sender? WARNING - LONG POST
Index(es):
- Date
- Thread