On 31/8/03 23:34, Dean Anderson wrote:

> Your comments are true in general, but I don't think they take into
> consideration the differences between this virus and the ones that go
> through the address book. One can (more) easily get such valid, trusted,
> familiar addresses from the address book. Many viruses do just that,
> probably with just the purpose you mentioned. However, this virus is
> different. It is using 'valid' addresses that aren't found in address
> books--addresses that wouldn't be familiar to anyone, but are still valid.
> There must be a reason why they would go to such trouble...

I think this virus wasn't just designed to spread, I think it was designed to remain alive on each machine it infected.

If you send out emails to a user's address book from that user, they will quickly get emails from their friends saying "I think you've got a virus Bob, I just got this weird email from you." Or they will receive bounces/vacation messages for emails they know they didn't send.

Faking the From address means that replies will go to someone completely random. Since that means the sender will be a stranger, you might as well grab as many To addresses as possible rather than just restricting yourself to the user's address book.

Faking the From address also adds another vector for infection in that people start getting bounces saying "Sorry I was unable to deliver your message." They open these to figure out what the original message was and get infected. Now the virus can use a vast network of unwitting relays to further spread and mask its location.

I have received dozens of emails from helpful systems and people notifying me that I have the virus - and I have a Mac. I could crawl through the headers on the bounces to determine the machine that has actually been infected and has my email address, but once I've got an IP number I have no easy way to turn that into an email address for the user.

The disinformation strategy clearly worked, so I expect to see more of this style of virus in the future. Many have suggested that the purpose of the virus may have been to set up a large zombie spamming network - I'm not sure if it was this time, but I'm pretty sure it will be next time.

Jonathan
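The header crawl Jonathan describes, as an added example that is not part of the original thread: the script below takes a bounce (delivery status notification) that wraps the original spoofed message, pulls the embedded message/rfc822 part out of it, walks its Received chain from the latest hop back to the earliest, and reports the IP and host name of the first hop alongside the address the From header claims. The bounce text, the host names and the IP addresses (RFC 5737 documentation ranges) are all constructed for the example; the function names are the example's own. It uses only the Python standard library.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample bounce, not a real capture. The recipient's MX
# (mx.example.net) refused the spoofed message and bounced it to the
# forged From address, jonathan@example.org. The embedded original
# carries the real delivery path back to the infected machine.
BOUNCE = """\
Return-Path: <>
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id q7VMA5; Sun, 31 Aug 2003 22:10:05 +0000
From: Mail Delivery System <MAILER-DAEMON@example.net>
To: jonathan@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain

Sorry, I was unable to deliver your message.

--BOUND
Content-Type: message/rfc822

Received: from smtp.example.com (smtp.example.com [203.0.113.5])
\tby mx.example.net with ESMTP id q7VM9t; Sun, 31 Aug 2003 22:09:55 +0000
Received: from bob-pc (unknown [198.51.100.77])
\tby smtp.example.com with SMTP id q7VM9k; Sun, 31 Aug 2003 22:09:50 +0000
From: jonathan@example.org
To: someone@example.net
Subject: Re: Details

(attachment omitted)
--BOUND--
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_HOST = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def embedded_message(bounce):
    """Return the original message wrapped inside a bounce, or the bounce
    itself if it carries no message/rfc822 part."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return bounce


def received_hops(message):
    """Received headers are prepended by each relay, so the list is
    latest-hop first. Return one dict per hop with the connecting host
    name and bracketed IP, in that same order."""
    hops = []
    for value in message.get_all("Received", []):
        flat = re.sub(r"\s+", " ", str(value)).strip()
        host = FROM_HOST.match(flat)
        ip = IPV4.search(flat)
        hops.append({
            "host": host.group(1) if host else None,
            "ip": ip.group(1) if ip else None,
        })
    return hops


def analyse_bounce(raw):
    """Compare the forged From address with the earliest Received hop,
    which is the machine that actually handed the message to the first
    relay (trusting only the relays the reader knows to be honest)."""
    inner = embedded_message(message_from_string(raw, policy=policy.default))
    hops = received_hops(inner)
    origin = hops[-1] if hops else {"host": None, "ip": None}
    return {
        "claimed_from": parseaddr(str(inner["From"]))[1],
        "origin_host": origin["host"],
        "origin_ip": origin["ip"],
        "hops": [h["ip"] for h in hops],
    }


if __name__ == "__main__":
    result = analyse_bounce(BOUNCE)
    print("From header claims:", result["claimed_from"])
    print("Earliest hop:      ", result["origin_host"], result["origin_ip"])
    print("Relay chain (latest first):", " <- ".join(result["hops"]))
```

Only the hops added by relays you trust are reliable; anything below them in the chain can be forged by the sender just as the From line was. As the post notes, the result is an IP and a time, which is enough to hand to the owning network's abuse contact but not, by itself, to name the infected user.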