Computer viruses: Netsky / SomeFool
Description

In May 2004 an 18-year-old German was arrested for creating both the Netsky and Sasser viruses (see Heise News, in German).
From: and Received: lines:

The fact that this mail carried my email address in its From: line doesn't mean I sent it. In fact, looking at the final Received: line (others omitted here) shows that the virus was sent from a computer identified as ABoulogne-108-1-5-78.w81-49.abo.wanadoo.fr with the IP address 81.49.15.78, i.e. from France. Because the recipient address wasn't actually working, the recipient's mailserver sent a delivery failure "back" to me as the supposed sender. That message contained a complete copy of the virus email, which is how we obtained this sample. We reported the details to abuse@wanadoo.fr, the abuse mailbox of the provider, which located the customer whose machine was infected (jwSpamSpy, our spam filter, mostly automates this process of determining and notifying the provider).

Received: from evhr.net (ABoulogne-108-1-5-78.w81-49.abo.wanadoo.fr [81.49.15.78]) by mail.evhr.net (Postfix) with ESMTP id 9CB2D827D5 for <eppi@evhr.net>; Mon, 21 Jun 2004 19:34:55 +0200 (CEST)
From: joewein@pobox.com
To: eppi@evhr.net
Subject: Re: My details
Date: Mon, 21 Jun 2004 19:34:56 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_000077D0.00000877"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040621173455.9CB2D827D5@mail.evhr.net>

This is a multi-part message in MIME format.

------=_NextPart_000_0012_000077D0.00000877
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit

See the attached file for details.

------=_NextPart_000_0012_000077D0.00000877
Content-Type: application/octet-stream; name="my_details.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="my_details.pif"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAuAAAAKvnXsbvhjCV74Ywle+GMJVsmj6V44YwlQeZOpX2hjCV74YxlbiGMJVsjm2V
4oYwlQeZO5XqhjCVV4A2le6GMJVSaWNo74YwlQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp
dGUgKGMpMTk5OSBJYW4gTHVjay4AAFBFAABMAQMA6ZtBQAAAAAAAAAAA4AAPAQsBBgAASAAA
APAAAAAAAABCcAEAABAAAABgAAAAAEAAABAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAIABAAAE
(continued)

Note that abuse@wanadoo.fr will not accept any virus report that quotes the body of a virus (headers only!): a virus filter will bounce the report. Other abuse departments (for example, abuse@att.net) specifically require the message body as well. This creates something of a dilemma. We usually report message headers only, as this is really all that's needed for locating the sender.
Fake HELO name

In the Received: line above, the infected machine introduced itself to the recipient's mailserver as evhr.net, the recipient's own domain, although its reverse DNS name identifies a wanadoo.fr customer host. The HELO name is chosen by the sender and proves nothing; only the reverse DNS name and the IP address in brackets, which the receiving server recorded itself, can be relied on.
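The triage described above, as an added example that is not code from the original page or from jwSpamSpy: parse the bounced copy, take the Received: line closest to the origin, flag the HELO name that impersonates the receiving domain, confirm that the .pif attachment is really a Windows executable (its base64 starts with "TVqQ", the MZ signature), and produce a headers-only abuse report that a virus filter at the abuse desk will not bounce. The SAMPLE message is constructed from the headers printed on the page, with the attachment truncated to its first base64 line; the extension list and report format are this example's own assumptions.

```python
"""Triage of a bounced Netsky sample (added example, not the page's code)."""
import re
from email import message_from_bytes
from email.message import Message
from typing import Optional

# Constructed sample: headers as printed on the page, attachment truncated.
SAMPLE = b"""Received: from evhr.net (ABoulogne-108-1-5-78.w81-49.abo.wanadoo.fr [81.49.15.78])
\tby mail.evhr.net (Postfix) with ESMTP id 9CB2D827D5
\tfor <eppi@evhr.net>; Mon, 21 Jun 2004 19:34:55 +0200 (CEST)
From: joewein@pobox.com
To: eppi@evhr.net
Subject: Re: My details
Date: Mon, 21 Jun 2004 19:34:56 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_000077D0.00000877"
Message-Id: <20040621173455.9CB2D827D5@mail.evhr.net>

This is a multi-part message in MIME format.

------=_NextPart_000_0012_000077D0.00000877
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit

See the attached file for details.

------=_NextPart_000_0012_000077D0.00000877
Content-Type: application/octet-stream; name="my_details.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="my_details.pif"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

------=_NextPart_000_0012_000077D0.00000877--
"""

# "from <HELO> (<reverse DNS> [<IP>]) by <server>", the form Postfix writes.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)"
)

# Assumed list of extensions Windows will execute on double-click.
EXEC_EXT = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}


def parse_message(raw: bytes) -> Message:
    return message_from_bytes(raw)


def origin_hop(msg: Message) -> Optional[dict]:
    """The hop that handed the mail to the first server we trust.
    Each server prepends its Received: line, so the LAST one is the
    earliest hop (the page calls it the final Received line). Only lines
    written by servers you trust, here the bouncing server mail.evhr.net,
    are reliable; anything below them may have been forged by the sender."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_RE.search(" ".join(str(received[-1]).split()))
    return m.groupdict() if m else None


def helo_is_forged(hop: dict) -> bool:
    """Netsky greets with the victim's own domain: flag a HELO that names the
    receiving server's domain while reverse DNS points somewhere else."""
    helo, rdns, by = hop["helo"].lower(), hop["rdns"].lower(), hop["by"].lower()
    return helo != rdns and (by == helo or by.endswith("." + helo))


def executable_attachments(msg: Message) -> list:
    """(filename, is_pe) for each attachment with an executable extension.
    is_pe is True when the decoded bytes start with "MZ", the signature every
    Windows executable carries regardless of what the file is called."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in EXEC_EXT:
            data = part.get_payload(decode=True) or b""
            found.append((name, data[:2] == b"MZ"))
    return found


def abuse_report(msg: Message) -> str:
    """Headers only: enough to locate the infected machine, and nothing that
    would trip the abuse desk's own virus filter."""
    hop = origin_hop(msg)
    lines = ["Infected machine: %s [%s]" % (hop["rdns"], hop["ip"]) if hop
             else "Origin unknown", ""]
    lines += ["%s: %s" % (k, " ".join(str(v).split())) for k, v in msg.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    m = parse_message(SAMPLE)
    hop = origin_hop(m)
    print(hop, "forged HELO:", helo_is_forged(hop))
    print(executable_attachments(m))
    print(abuse_report(m))
```

The report deliberately drops every body part, so it satisfies abuse desks that reject quoted virus bodies; for those that insist on the body, send the decoded headers plus the attachment as a password-protected archive rather than inline base64.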
Subject lines: "Here is the file." or subjects that mimic email delivery error messages, such as "Mail Delivery failure (recipient's email address)".

Some variants can infect a Windows machine just by opening the email if current updates are not installed.
Message body: Here is the file.
Variants:
Removal tool:
jwSpamSpy virus filtering
Anti-Virus Resources:
Xenophobia, Spam and Viruses: The "German Spam" (Sober.H)
Clueless virus filters spam innocent third parties
The Virus Ward: ISPs that appear to ignore reports of infected customer machines