Swen does not only compose email pretending to be a patch from Microsoft. It also composes email pretending to be a bounced message. There are various renditions of the false 'return to sender'. A couple of examples follow:
-----------------------------------------
Hi. I'm afraid I wasn't able to deliver your message to one or more destinations.

Undeliverable mail to [EMAIL PROTECTED]
------------------------------------------
I'm sorry to have to inform you that the message returned below could not be delivered to one or more destinations.

Undeliverable message to [EMAIL PROTECTED]
------------------------------------------
Undelivered mail to [EMAIL PROTECTED]

Message follows:
-----------------------------------------

F-Secure has a complete list at:
http://www.f-secure.com/v-descs/swen.shtml

Regards,
Mary Landesman
Antivirus About.com Guide
http://antivirus.about.com

----- Original Message -----
From: "Kye Lewis" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "Craig Pratt" <[EMAIL PROTECTED]>
Sent: Friday, September 26, 2003 10:03 AM
Subject: Re: [Full-Disclosure] Swen Really Sucks

[..]
> So, has anyone actually sent mail to an envelope sender to see if
> they're actually infected? Or is it possible this thing just likes to
> fake the same sender for all outgoing messages?

Seeing that I have a collection of around 2000 unique and believable return-paths from this virus, it seems quite likely that they're legitimate.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
