From: pauls at utdallas.edu (Paul Schmehl)
Subject: Does Swen forge the sender? WARNING - LONG POST

In deference to the experts, Joe and Nick, rather than argue about what 
Swen does, I'll just post some headers and ask for a *brief* explanation of 
them.

1st header is a "bounce" to my work account.  Unfortunately the bouncing 
party didn't bother to include the original message headers, but it's 
evident that they *thought* that I sent them the virus.  Since the "From" 
address was "Microsoft Security Support" 
<dyfotwrltwosb_whweemsf@...letin.msn.com>, how does this get back to me 
unless the "MAIL FROM" command was "pauls@...allas.edu"?

Received: from null-pmn.utdallas.edu ([129.110.10.1]) by 
utdevs02.campus.ad.utdallas.edu with Microsoft SMTPSVC(5.0.2195.6713);
	 Sat, 27 Sep 2003 00:49:54 -0500
Received: from localhost (localhost [127.0.0.1])
	by null-pmn.utdallas.edu (Postfix) with ESMTP id 404FE1A06B1
	for <pauls@...allas.edu>; Sat, 27 Sep 2003 00:50:04 -0500 (CDT)
Received: from mx0.utdallas.edu ([127.0.0.1])
 by localhost (ns0 [127.0.0.1]) (amavisd-new, port 10024) with LMTP
 id 29640-01-56 for <pauls@...allas.edu>;
 Sat, 27 Sep 2003 00:50:03 -0500 (CDT)
Received: from mail.cosmofilms.com (unknown [203.112.156.12])
	by mx0.utdallas.edu (Postfix) with ESMTP id F175A38A92
	for <pauls@...allas.edu>; Sat, 27 Sep 2003 00:46:09 -0500 (CDT)
Received: from mail.cosmofilms.com (localhost [127.0.0.1])
	by mail.cosmofilms.com (8.12.9/8.12.9) with ESMTP id h8R5jW2B005365
	for <pauls@...allas.edu>; Sat, 27 Sep 2003 11:17:10 +0530
Received: from aygad (logistic.cosmofilms.com [192.9.200.210])
	by mail.cosmofilms.com (8.12.9/8.12.9) with SMTP id h8R5ij5w005085;
	Sat, 27 Sep 2003 11:14:45 +0530
Date: Sat, 27 Sep 2003 11:14:45 +0530
Message-Id: <200309270544.h8R5ij5w005085@...l.cosmofilms.com>
From: "Microsoft Security Support" <dyfotwrltwosb_whweemsf@...letin.msn.com>
To: " " <zwhbfu_ajnkwdm@...letin.msn.com>
SUBJECT: Current Net Security Update
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="yczwccphdsq"
Return-Path: webserv@...mofilms.com
X-OriginalArrivalTime: 27 Sep 2003 05:49:54.0912 (UTC) 
FILETIME=[2D3B5600:01C384BB]

--lodywg
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD></HEAD>
<BODY>
<iframe src=3D"cid:oygkdfqowfov" height=3D0 width=3D0></iframe>
<BR><BR><BR>Undelivered mail to <B>lajgfy@...foot.com</B>
<BR><BR><BR>Message follows:<BR><BR><BR><BR>
</BODY></HTML>

--lodywg
Content-Type: audio/x-wav; name="ctlsz.scr"
Content-Transfer-Encoding: base64
Content-Id: <oygkdfqowfov>

------------------  Virus Warning Message (on mail.cosmofilms.com)

Found virus WORM_SWEN.A in file Pack6579.exe
The uncleanable file is deleted.

---------------------------------------------------------

The second message is a "bounce" from Swen itself.  Interesting that it has 
an attachment which does not show up in Outlook Express because I force 
plain text for all incoming messages.  If I understand what you are saying 
correctly, the infected party should be "mdrake8@...lsouth.net", correct? 
That *does* appear to be the case, since the mail originated at bellsouth.

X-Apparently-To: pschmehl@...global.net via web80308.mail.yahoo.com; 27 Sep 
2003 04:00:27 -0700 (PDT)
X-YahooFilteredBulk: 205.152.59.72
Return-Path: <mdrake8@...lsouth.net>
Received: from vmd-ext.prodigy.net (207.115.63.89)
  by mta818.mail.yahoo.com with SMTP; 27 Sep 2003 04:00:25 -0700 (PDT)
X-Originating-IP: [205.152.59.72]
Received: from imf24aec.mail.bellsouth.net (imf24aec.mail.bellsouth.net 
[205.152.59.72])
	by vmd-ext.prodigy.net (8.12.9/8.12.3) with ESMTP id h8RB0OeJ069304
	for <pschmehl@...global.net>; Sat, 27 Sep 2003 07:00:24 -0400
Received: from menospxe ([65.81.163.202]) by imf24aec.mail.bellsouth.net
          (InterMail vM.5.01.05.27 201-253-122-126-127-20021220) with SMTP
          id <20030927110014.JDHB1810.imf24aec.mail.bellsouth.net@...ospxe>;
          Sat, 27 Sep 2003 07:00:14 -0400
FROM: "Admin" <smtpautomat@...foot.com>
TO: "Network User" <receiver@...erver.com>
SUBJECT: Bug Report
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="lodywg"
Message-Id: <20030927110014.JDHB1810.imf24aec.mail.bellsouth.net@...ospxe>
Date: Sat, 27 Sep 2003 07:00:19 -0400


The third message is an actual copy of Swen sent directly to my home 
address.  (I can't get any at work since we bounce them all.)  Again this 
appears to be from pratsc@...ra.es, whose computer is infected.

X-Apparently-To: pschmehl@...global.net via web80308.mail.yahoo.com; 27 Sep 
2003 07:38:21 -0700 (PDT)
X-YahooFilteredBulk: 213.4.129.129
Return-Path: <pratsc@...ra.es>
Received: from mailapps1-ext.prodigy.net  (EHLO mailapps1-int.prodigy.net) 
(207.115.63.107)
  by mta807.mail.yahoo.com with SMTP; 27 Sep 2003 07:38:20 -0700 (PDT)
X-Header-Overseas: Mail.from.Overseas.source.213.4.129.129
X-Header-Maps: blocked.by.Prodigy.dialups.list.213.4.129.129
X-Originating-IP: [213.4.129.129]
Received: from tsmtp5.mail.isp (smtp.terra.es [213.4.129.129])
	by mailapps1-int.prodigy.net (8.12.9/8.12.3) with ESMTP id h8REcIld776526
	for <pschmehl@...global.net>; Sat, 27 Sep 2003 10:38:18 -0400
Date: Sat, 27 Sep 2003 10:38:18 -0400
Message-Id: <200309271438.h8REcIld776526@...lapps1-int.prodigy.net>
Received: from tmvav ([213.97.150.28]) by tsmtp5.mail.isp
          (terra.es) with SMTP id HLVN7N01.FO3; Sat, 27 Sep 2003 16:35:47 
+0200
FROM: "Microsoft Security Center" <rumkxowkdyane_fheumvnb@...fidence.net>
TO: "Commercial Partner" <partner-chzzawgyg@...fidence.net>
SUBJECT:
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="kbeceexggkugyd"

--kbeceexggkugyd
Content-Type: multipart/related; boundary="foudxvmnxeo";
	type="multipart/alternative"

--foudxvmnxeo
Content-Type: multipart/alternative; boundary="mxdpvsxsnxqyeaia"

--mxdpvsxsnxqyeaia
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Microsoft Partner

this is the latest version of security update, the
"September 2003, Cumulative Patch" update which resolves
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express.
Install now to continue keeping your computer secure.
This update includes the functionality =
of all previously released patches.

So how does the first bounce get to me?

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
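The header walk the post does by hand, written out as a script. This is added editor's code, not part of Paul's message and not a tool named on the page. It parses a constructed message whose header layout mirrors the second quoted message (every host, address, IP and queue id in it is invented), separates the Return-Path (the envelope MAIL FROM, where bounces and virus notifications are sent) from the From: header (which the worm fills in), and reports the earliest Received: hop, which is the line that names the machine that actually handed the mail to its first relay. The field names (helo, rdns, rcpt, submitting_host, ...) are my own labels, not anything defined by the mail system.

```python
"""Walk the Received: chain of a mass-mailer message and separate the
header sender (From:) from the envelope sender (Return-Path) and from the
host that actually submitted the mail (the earliest Received: hop)."""
import email
import email.message
import re
from email.utils import parseaddr

# Constructed sample: header layout follows the second message quoted in the
# post, but every host, address, IP and id below is made up (example/documentation space).
SAMPLE = b"""Return-Path: <victim@isp.example>
Received: from mx.isp.example (mx.isp.example [198.51.100.10])
\tby mta.receiver.example (8.12.9/8.12.3) with ESMTP id h8RB0OeJ000001
\tfor <me@receiver.example>; Sat, 27 Sep 2003 07:00:24 -0400
Received: from menospxe ([203.0.113.77]) by mx.isp.example
          (InterMail) with SMTP id <20030927110014.ABCD0001@menospxe>;
          Sat, 27 Sep 2003 07:00:14 -0400
From: "Admin" <smtpautomat@bigfoot.example>
To: "Network User" <receiver@server.example>
Subject: Bug Report
Date: Sat, 27 Sep 2003 07:00:19 -0400

(body omitted)
"""

# "from <HELO name> (<rDNS> [<ip>]) ... by <relay>"; the parenthesised parts are
# what the receiving MTA observed, the HELO name is whatever the client claimed.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?P<extra>(?:\([^)]*\)\s*)*)by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RDNS_RE = re.compile(r"\(([\w.-]+)\s+\[")      # "(name [ip])"; "unknown" means no PTR
RCPT_RE = re.compile(r"\bfor\s+<([^>]+)>")    # envelope RCPT TO, when the MTA records it


def parse_message(raw: bytes) -> email.message.Message:
    return email.message_from_bytes(raw)


def received_hops(msg: email.message.Message) -> list:
    """Return one dict per Received: header, topmost (latest) first.
    Headers without a 'from ... by ...' clause (local injection) are skipped."""
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())   # unfold continuation lines
        m = RECEIVED_RE.search(text)
        if not m:
            continue
        extra = m.group("extra")
        ip, rdns, rcpt = IP_RE.search(extra), RDNS_RE.match(extra), RCPT_RE.search(text)
        hops.append({
            "helo": m.group("helo"),
            "ip": ip.group(1) if ip else None,
            "rdns": rdns.group(1) if rdns else None,
            "by": m.group("by"),
            "rcpt": rcpt.group(1) if rcpt else None,
        })
    return hops


def originating_hop(msg: email.message.Message):
    """The bottom-most Received: line: the client that first handed over the mail."""
    hops = received_hops(msg)
    return hops[-1] if hops else None


def envelope_vs_header(msg: email.message.Message) -> dict:
    """Return-Path is the envelope MAIL FROM recorded by the final MTA;
    From: is free text supplied by the sending program."""
    rp = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    frm = parseaddr(str(msg.get("From", "")))[1].lower()
    return {"return_path": rp, "from": frm, "mismatch": rp != frm}


def summarize(raw: bytes) -> dict:
    msg = parse_message(raw)
    hop = originating_hop(msg)
    env = envelope_vs_header(msg)
    rcpt = next((h["rcpt"] for h in received_hops(msg) if h["rcpt"]), None)
    return {
        "header_from": env["from"],
        "envelope_from": env["return_path"],
        "from_vs_envelope_mismatch": env["mismatch"],
        "submitting_host": hop["helo"] if hop else None,
        "submitting_ip": hop["ip"] if hop else None,
        "first_relay": hop["by"] if hop else None,
        "envelope_rcpt": rcpt,
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE).items():
        print(f"{key:28} {val}")
```

Run it against the raw source of a message rather than a client's rendering, since the client shows From: and hides Return-Path and Received:. A mismatch between Return-Path and From: is a hint, not proof of forgery (legitimate lists and forwarders produce it too); the part worth trusting is the bracketed IP in the earliest hop, which the first relay observed itself, whereas the HELO name in front of it is whatever the client chose to say.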


