Consider the following creative interpretation of the spread of SoBig.F --

1. View each e-mail address found by the virus that it used to send forged e-mail (From:) as a universe of potential re-infection.

2. Consider that some electronic social circles are more or less clueless, and that certain From: addresses will have highly successful reinfection rates versus other From: addresses, particularly when a more clueless social circle is penetrated by a highly-successful From: address.

3. Reinfection *should* cause the original highly-successful e-mail address to end up present as plaintext on the newly-infected computer, where it most likely was not present before the virus delivered itself to the target using the From: address.

4. Given enough time to execute and spread itself on the newly-infected host, the same highly-successful From: address *should* be used again on the downstream host in new forged messages; should, by chance, this address end up used to send a copy of the virus to another member of the original more clueless social circle whose first member's computer originally contained said e-mail address, perhaps the chances of reinfection increase?

5. Regardless of probabilities and cluelessness of those people targeted by the virus with forged e-mails, there *should* be a marked difference between the recurrence of infection based on From: address, and there *must* be some address in particular that ends up being the *winner* -- the most successful address used to spread reinfections.

6. Is there any way to determine who the winner is?

7. Does anyone care?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
