[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3F740F31.21285.15AB9E86@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Swen Really Sucks
"Schmehl, Paul L" <pauls@...allas.edu> to Joe Stewart:
> > The "From" or Return-Path address specified by the MAIL FROM:
> > transaction in the SMTP session is the real email address of the
> > infected user, or at least is what they entered on the fake
> > MAPI dialog
> > that Swen uses to get that information.
> >
> Please tell me you don't believe this is true. ...
I doubt Joe would have written it did he not believe it.
And, FWIW, I believe it too.
> ... If you know anything
> about SMTP you know that the MAIL FROM: can be anything you want it to
> be. ...
Yes, but we are specifically talking here about what _Swen_ "wants" it
to be...
>... And Swen certainly forges the sender, as the hundreds of bounces I
> get will testify. There is *nothing* in an SMTP transaction that you
> can rely on except the headers *if* you know how to read headers. If
> you don't, even those will fool you.
Swen has code to locate the "Default Mail Account" under the Internet
Account Manager registry key then to extract the "SMTP Email Address"
value appropriately. This is then stored in a variable in the virus
that is later used for the argument to the "MAIL FROM:" SMTP command
while sending Email. (It is possible that some other part of the Swen
code I have not closely analysed surreptitiously changes the contents
of this variable in some circumstances, but there is no obvious code
that also alters the contents of the buffer used to hold the string
pulled from the registry location just described...)
This is all based on disassembly and is corroborated by reports from
other researchers who have watched it under debuggers, emulation, etc.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Powered by blists - more mailing lists