On Mon, 19 Jan 2004 10:53:18 EST, Noel Chiappa said:

> This virus/worm is actually mildly interesting in the way it operates. I'm
> seeing lots of email from people with whom I would have corresponded long ago

From http://www.viruslist.com/eng/alert.html?id=783050:

The worm searches disk drives for files with the following extensions: wab, txt, htm, html, r1 and scans them for email-like text strings, then sends infected messages to the email addresses found. The worm uses its own SMTP engine to send infected messages.

> So it's probably mining web pages for old email, and using the addresses it
> finds in the headers as source/dest pairs.

Old notebooks, but you're on the right track.

> I wonder how long it will take before the spammers catch onto this trick.

They already have. Somebody on the NANOG list is infected with something that takes the RFC822 headers of incoming mail and glues them onto a spam. I found this when I got a "sensitive content" warning 8 minutes after I posted to NANOG. The victim site's filter coughed up the from/to/subject, but by the time it had gotten there, the body had mutated into an ad for a male enhancement pill.

The clever part here is that since it's using near-in-real-time headers from actual discussions, there's a very good chance that the spam recipient will open it, thinking it's the ongoing discussion....