An earlier message sent to the Full Disclosure list was a copy of the Mydoom virus 
(since FD is not moderated).

It shows a little of how this virus propagates, and one reason for its fast spread and 
persistence.

By harvesting email addresses from files and saved email, and also generating random 
addresses at the domains it finds, it finds many more delivery addresses than previous 
viruses, and it uses NDR (bounce) responses to propagate, making multiple copies of itself 
to forward.

Here is the email to FD, with the headers as I received it, with some annotation to show 
the deceptions the virus practises to help it propagate.

The key header is the third Received: header:
Received: from helgeson.com (80-235-33-127-dsl.mus.estpak.ee [80.235.33.127])
        by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i18EnoU08477
        for <[EMAIL PROTECTED]>; Sun, 8 Feb 2004 09:49:51 -0500 (EST)

The message claims to be from [EMAIL PROTECTED], who is probably a member of the FD 
list, but who had absolutely nothing to do with the sending of the email. It was actually 
sent from host 80-235-33-127-dsl.mus.estpak.ee [80.235.33.127] (in Estonia), which was 
running the virus's own SMTP engine; that engine fakes the SMTP HELO name to claim it is 
helgeson.com.
This seems to persuade some SMTP MTAs that the message is not forged, since the domain 
of the nominal sender and the HELO domain are the same.
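The HELO/reverse-DNS mismatch described above can be checked mechanically. The following is an added example, not code from the original post: it parses the Received: headers quoted in this message (sendmail/Postfix style, folded lines joined) and flags the hop where the HELO name belongs to the nominal sender's domain while the reverse DNS of the connecting host does not. The sender domain helgeson.com is taken from the post's statement that the HELO name and the nominal sender's domain were the same; the address itself is redacted in the archive, and the registered-domain helper is a deliberately crude two-label approximation.

```python
import re

# Received: headers copied from the message quoted in the post, newest first,
# with folded continuation lines joined and the redacted "for <...>" clause dropped.
RECEIVED_HEADERS = [
    "from netsys.com (NETSYS.COM [199.201.233.10]) by mail2.zoneedit.com (Postfix) with ESMTP id D7D662EA976",
    "from NETSYS.COM (localhost [127.0.0.1]) by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i18EpXS09093",
    "from helgeson.com (80-235-33-127-dsl.mus.estpak.ee [80.235.33.127]) by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i18EnoU08477",
]

# sendmail/Postfix shape: "from <HELO name> (<reverse DNS> [<IP>]) by <receiving host> ..."
_RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(line):
    """Split one Received: header into HELO name, reverse DNS, IP and receiving host."""
    m = _RECEIVED_RE.match(line.strip())
    if not m:
        return None
    return {key: m.group(key) for key in ("helo", "rdns", "ip", "by")}


def registered_domain(hostname):
    """Crude approximation: the last two DNS labels (enough for .com / .ee names here)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_hops(headers, from_domain):
    """Return one finding per parsable hop, in the same order as the headers given."""
    findings = []
    for line in headers:
        hop = parse_received(line)
        if hop is None:
            continue
        flags = []
        if hop["rdns"].lower() == "localhost" or hop["ip"].startswith("127."):
            # internal relay hop (the list server handing to itself), not the origin
            flags.append("local-delivery")
        elif registered_domain(hop["helo"]) != registered_domain(hop["rdns"]):
            # the connecting host announced a name its reverse DNS does not support
            flags.append("helo-rdns-mismatch")
            if registered_domain(hop["helo"]) == from_domain.lower():
                # the trick the post describes: HELO chosen to match the forged sender
                flags.append("helo-matches-from")
        findings.append({**hop, "flags": flags})
    return findings


def suspicious_origin(headers, from_domain):
    """The earliest hop (last Received: header) showing the HELO trick, or None."""
    for hop in reversed(analyse_hops(headers, from_domain)):
        if "helo-matches-from" in hop["flags"]:
            return hop
    return None


if __name__ == "__main__":
    origin = suspicious_origin(RECEIVED_HEADERS, "helgeson.com")
    if origin:
        print("forged HELO %s from %s [%s]" % (origin["helo"], origin["rdns"], origin["ip"]))
```

Run as a script it names the Estonian DSL host as the real origin. The check deliberately ignores the two netsys.com hops: the localhost hop is the list server re-injecting the message, and the first hop's HELO agrees with its reverse DNS, so only the third header carries the forgery.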

If, instead of reaching a valid recipient (such as [EMAIL PROTECTED] in this case), it 
had been sent to [EMAIL PROTECTED] (one of the virus's made-up email addresses), the 
lists.netsys.com NDR bounce message would have sent the message back to [EMAIL PROTECTED] 
carrying the complete virus, since the bouncing MTA doesn't analyse the message; it just 
returns it as an attachment to the bounce message.

[EMAIL PROTECTED] will be bombarded by the virus as if it were coming from 
[EMAIL PROTECTED], which may be on a whitelist and so let through. So the virus manages 
to gain delivery through third parties as well as directly.
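The backscatter mechanism in the two paragraphs above, as an added example that is not part of the original post: it constructs a bounce (NDR) that wraps the undeliverable message whole, including its "doc.zip" attachment, and then shows the check a receiving filter can make, walking into the returned original and reporting any risky attachment that the bounce is carrying back to the forged sender. All addresses, the zip bytes and the extension list are constructed for the example; the sample zip content is a placeholder, not the virus.

```python
from email.message import EmailMessage
from email.policy import default

# Attachment types that bounces of this era handed straight back to the forged sender.
# Constructed list for the example; tune to local policy.
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".pif", ".cmd", ".bat")


def build_sample_bounce(include_original=True):
    """Construct a bounce like the one the post describes (all addresses are made up)."""
    forged_sender = "forged-sender@helgeson.example"      # constructed, stands in for the From: victim
    made_up_recipient = "nonexistent-user@lists.example"  # one of the virus's invented addresses

    original = EmailMessage(policy=default)
    original["From"] = forged_sender
    original["To"] = made_up_recipient
    original["Subject"] = "Error"
    original.set_content("The message could not be represented.")
    # Placeholder bytes labelled as such; a real worm copy would sit here.
    original.add_attachment(b"PK\x03\x04 placeholder zip bytes, constructed for the example",
                            maintype="application", subtype="zip", filename="doc.zip")

    bounce = EmailMessage(policy=default)
    bounce["From"] = "MAILER-DAEMON@lists.example"
    bounce["To"] = forged_sender
    bounce["Subject"] = "Undelivered Mail Returned to Sender"
    bounce.set_content("The user you tried to reach does not exist.")
    if include_original:
        # message/rfc822 part: the whole original comes back, attachment included
        bounce.add_attachment(original)
    return bounce


def returned_risky_attachments(message):
    """Filenames of risky attachments anywhere in the message; walk() descends into
    the message/rfc822 part, so attachments of the returned original are seen too."""
    names = []
    for part in message.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            names.append(name)
    return names


def is_backscatter_carrying_payload(message):
    """True when a mailer-daemon bounce is returning a risky attachment to the sender."""
    sender = str(message.get("From", "")).lower()
    return sender.startswith("mailer-daemon") and bool(returned_risky_attachments(message))


if __name__ == "__main__":
    bounce = build_sample_bounce()
    print("bounce carries:", returned_risky_attachments(bounce))
    print("treat as backscatter with payload:", is_backscatter_carrying_payload(bounce))
```

The defensive point is the one the post makes: the bouncing MTA never inspected the message, so the forged sender receives the full payload from a trusted-looking mailer-daemon address. Rejecting unknown recipients during the SMTP transaction, rather than accepting and bouncing, avoids generating this backscatter in the first place; the check above is for the receiving side.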

AV programs that send warnings to the From: address do even more harm to Joel, who had 
nothing to do with the virus other than once posting to FD.

==================================================

Return-Path: <[EMAIL PROTECTED]>
Received: from netsys.com (NETSYS.COM [199.201.233.10])
        by mail2.zoneedit.com (Postfix) with ESMTP id D7D662EA976
        for <[EMAIL PROTECTED]>; Sun,  8 Feb 2004 10:43:46 -0500 (EST)
Received: from NETSYS.COM (localhost [127.0.0.1])
        by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i18EpXS09093;
        Sun, 8 Feb 2004 09:51:34 -0500 (EST)
Received: from helgeson.com (80-235-33-127-dsl.mus.estpak.ee [80.235.33.127])
        by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i18EnoU08477
        for <[EMAIL PROTECTED]>; Sun, 8 Feb 2004 09:49:51 -0500 (EST)
Message-Id: <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0004_830D6A05.0CE2EC43"
X-Priority: 3
X-MSMail-Priority: Normal
Subject: [Full-Disclosure] Error
Sender: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
X-BeenThere: [EMAIL PROTECTED]
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <http://lists.netsys.com/mailman/listinfo/full-disclosure>,
        <mailto:[EMAIL PROTECTED]>
List-Id: Discussion of security issues <full-disclosure.lists.netsys.com>
List-Post: <mailto:[EMAIL PROTECTED]>
List-Help: <mailto:[EMAIL PROTECTED]>
List-Subscribe: <http://lists.netsys.com/mailman/listinfo/full-disclosure>,
        <mailto:[EMAIL PROTECTED]>
List-Archive: <http://lists.netsys.com/pipermail/full-disclosure/>
Date: Sun, 8 Feb 2004 16:49:34 +0200


[attachment body: unreadable binary data] etc.

******************   McAfee VirusScan ************************
******* Alert generated at: Sun, 08 Feb 2004 10:57:21 -0500 *********
*********************************************************************

McAfee VirusScan has detected a potential threat in this e-mail 
sent by [EMAIL PROTECTED]
The following actions were attempted on each suspicious part. 
We strongly recommend that you report this virus-related activity 
to [EMAIL PROTECTED]


 The attachment "doc.zip" is infected with the W32/[EMAIL PROTECTED] Virus(es). 
This attachment has been cleaned.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
