"Schmehl, Paul L" <[EMAIL PROTECTED]> replied to me:

> > Swen has code to locate the "Default Mail Account" under the Internet
> > Account Manager registry key then to extract the "SMTP Email Address"
> > value appropriately. This is then stored in a variable in the virus
> > that is later used for the argument to the "MAIL FROM:" SMTP command
> > while sending Email. (It is possible that some other part of the Swen
> > code I have not closely analysed surreptitiously changes the contents
> > of this variable in some circumstances, but there is no obvious code
> > that also alters the contents of the buffer used to hold the string
> > pulled from the registry location just described...)
> >
> > This is all based on disassembly and is corroborated by reports from
> > other researchers who have watched it under debuggers, emulation, etc.
>
> If it's as poorly written as most malware is, it most likely screws this
> up as well. ...

8-) You should be careful -- I get hate mail for saying stuff like that...

> ... All I can tell you is that I get tens of bounces on my
> personal home email account daily, and I can assure you that I am not
> infected. I'll take a look tonight (because I'm sure there will be at
> least 50 or 60 virus mails and bounces in my deleted items folder) and
> see what's in the headers.

Ahhhhh -- I didn't understand what you were saying before. I am getting
such bogus "bounces" too (about one for every ten "natural" samples I
receive), but recall that many stupid Email gateway scanners will send
"bounces" to addresses in the From: and/or Sender: headers (and even to
addresses in Reply-To:, X-Originally-From: and other weird custom headers
-- clearly these products are written by chimpanzees that cannot read
RFCs...).

> You can disassemble and run simulations till you're blue in the face, but
> things don't work perfectly in the real world, as I *know* you know.

Indeed I can, but when I do -- like Joe -- I tend to take quite some
professional pride in the work (unlike the folk who wrote the SMTP
processors that are busy sending you those "bounces").

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
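The distinction Nick draws above (a proper bounce goes back to the envelope sender given in MAIL FROM, whereas a gateway scanner that replies to the From:, Sender: or Reply-To: header addresses produces backscatter to people who never sent anything) can be turned into a triage check. The script below is an added example and is not code from anyone in this thread; it takes the original-message header block that a notification typically quotes, plus the address that received the notification, and reports whether that address was the envelope sender (so the bounce is evidence worth following up) or only appeared in forgeable header fields (so it is backscatter). The header blocks are constructed sample data; Return-Path is the standard trace of the envelope sender, while X-Envelope-From is treated here as an assumed vendor-specific trace header, not a standard.

```python
import email
from email.utils import getaddresses

# Where a receiving MTA records the SMTP envelope sender (MAIL FROM).
# Return-Path is standard (RFC 5321 4.4); X-Envelope-From is an assumed
# vendor-specific trace header included for illustration only.
ENVELOPE_FIELDS = ("Return-Path", "X-Envelope-From")

# Header fields a worm fills with harvested or forged addresses.
# A gateway that "bounces" to these hits uninfected third parties.
HEADER_FIELDS = ("From", "Sender", "Reply-To", "X-Originally-From")


def addresses_in(msg, field):
    """Lower-cased set of mailbox addresses found in every instance of `field`."""
    return {addr.lower() for _, addr in getaddresses(msg.get_all(field, [])) if addr}


def classify_bounce(original_headers: str, my_address: str) -> str:
    """Classify a virus notification / bounce received at `my_address`.

    Returns one of:
      "envelope-sender"        - we really were MAIL FROM; worth investigating
      "backscatter:<fields>"   - we only appear in forgeable header fields
      "unrelated"              - our address is not in the quoted headers at all
    """
    msg = email.message_from_string(original_headers)
    me = my_address.lower()
    if any(me in addresses_in(msg, f) for f in ENVELOPE_FIELDS):
        return "envelope-sender"
    hits = [f for f in HEADER_FIELDS if me in addresses_in(msg, f)]
    if hits:
        return "backscatter:" + ",".join(hits)
    return "unrelated"


def summarise(notifications, my_address: str) -> dict:
    """Count notifications per class; the key the "hate mail" question turns on."""
    counts = {}
    for headers in notifications:
        label = classify_bounce(headers, my_address).split(":")[0]
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample: a worm on alice's machine used her real address
# (pulled from the mail-client configuration) as MAIL FROM, but forged
# the visible From: header.
INFECTED_SENDER = """Return-Path: <alice@example.net>
From: "Security Update" <support@example.org>
Reply-To: bob@example.net
Subject: Latest Security Pack
"""

# Constructed sample: bob never sent this; his address was only harvested
# into From:/Reply-To:. A bounce to bob here is backscatter.
FORGED_ONLY = """Return-Path: <carol@example.com>
From: bob@example.net
Reply-To: bob@example.net
Subject: Latest Security Pack
"""

if __name__ == "__main__":
    print(classify_bounce(INFECTED_SENDER, "alice@example.net"))  # envelope-sender
    print(classify_bounce(FORGED_ONLY, "bob@example.net"))        # backscatter:From,Reply-To
    print(summarise([INFECTED_SENDER, FORGED_ONLY], "bob@example.net"))
```

Run against a folder of collected "bounces", a daily tally dominated by `backscatter` is what one expects for an uninfected mailbox whose address has been harvested; a non-trivial `envelope-sender` count is the signal that a machine configured with that address is actually sending.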