Welcome to Valhalla Legends Archive.
 

Got my first email worm today!

Started by iago, March 08, 2004, 05:49 PM


iago

By "get" I mean "received".  Beagle-h or something.  I was impressed at the social engineering that went into it.  It said, "There have been large numbers of emails going out from your account, blahblahblalh, and it was spoofed from "Umanitoba.ca staff", and was about removing a virus, we're sending you a free virus sender.

Sadly, whoever did it forgot to
a) spoof the reply-to address (so when I looked at the header I found the address of the infected person and warned him)
b) they made several spelling mistakes, which is pretty atypical of an automated administration message.
c) they had it from "Umanitoba.ca", but my school ALWAYS uses "UManitoba.CA".

It was pretty convincing, anyway, but I find it more fun to just virus scan it and laugh.
This'll make an interesting test for broken AV:
Quote:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


hismajesty

My mom received that as well, only it was from [email protected] or something like that. Luckily I found it first and deleted it, else she would have downloaded it I'm sure. I'm assuming it was the same thing since it said I had a complaint about a large number of emails; however, I don't recall it offering a free virus scan. Anyway, I'm sure they're related :).

MyndFyre

Quote from: iago on March 08, 2004, 05:49 PM
a) spoof the reply-to address (so when I looked at the header I found the address of the infected person and warned him)

The reply-to address probably was spoofed -- what I've found is that when a worm infects your computer, it looks at your address book, claims to be from someone else on your address book, and sends it to other people from there.

My mom got one from [email protected].
Quote:
Every generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

iago

Quote from: Myndfyre on March 08, 2004, 06:59 PM
Quote from: iago on March 08, 2004, 05:49 PM
a) spoof the reply-to address (so when I looked at the header I found the address of the infected person and warned him)

The reply-to address probably was spoofed -- what I've found is that when a worm infects your computer, it looks at your address book, claims to be from someone else on your address book, and sends it to other people from there.

My mom got one from [email protected].

It was in the email header from the server. The "From" header was "[email protected]", which was obviously spoofed.  Plus, I don't keep an address book, so even if it HAD gotten onto my computer, it wouldn't have been able to make it appear to come from one of my friends (perhaps some email address from temp internet files, but that would be pretty random).


Grok

Quote from: iago on March 08, 2004, 05:49 PM
By "get" I mean "received".  Beagle-h or something.  I was impressed at the social engineering that went into it.  It said, "There have been large numbers of emails going out from your account, blahblahblalh, and it was spoofed from "Umanitoba.ca staff", and was about removing a virus, we're sending you a free virus sender.

At least they were honest.

iago

Quote from: Grok on March 08, 2004, 08:55 PM
Quote from: iago on March 08, 2004, 05:49 PM
By "get" I mean "received".  Beagle-h or something.  I was impressed at the social engineering that went into it.  It said, "There have been large numbers of emails going out from your account, blahblahblalh, and it was spoofed from "Umanitoba.ca staff", and was about removing a virus, we're sending you a free virus sender.

At least they were honest.

Scanner* :P


muert0

Did your scanner find it?
It might have been after variant.H; I think it was variant.K that they started coming through in a password-protected encrypted attachment. AV programs couldn't open the file to scan it.
Too lazy for Slackware.

iago

Quote from: crashtestdummy on March 09, 2004, 12:40 AM
Did your scanner find it?
It might have been after variant.H; I think it was variant.K that they started coming through in a password-protected encrypted attachment. AV programs couldn't open the file to scan it.

Yes, it was in a password protected zip, and it was filtered out at the school's pop3 server.  I didn't believe it anyway, but that's not the point :)
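muert0 and iago describe the worm arriving in a password-protected zip that the AV scanner cannot open, and the school's POP3 server filtering it out. The check a mail gateway needs for that is not decryption at all: the ZIP format records encryption in bit 0 of each entry's general-purpose flag, so an unscannable archive can be recognised and quarantined without a password. The following Python is an added example, not code from the thread or from any product mentioned in it; the message, the attachment name `message.zip`, the addresses at `uni.example` and the quarantine policy are all constructed for illustration. Since `zipfile` cannot write encrypted archives, the fixture sets the flag bit by hand in both headers.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flag: entry is encrypted


def inspect_zip(data):
    """Summarise a zip archive: its entry names and which entries a scanner
    cannot open because they are encrypted (no password is ever tried)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            encrypted = [i.filename for i in infos if i.flag_bits & ENCRYPTED_FLAG]
            return {"valid": True,
                    "entries": [i.filename for i in infos],
                    "encrypted": encrypted}
    except zipfile.BadZipFile:
        return {"valid": False, "entries": [], "encrypted": []}


def scan_message(raw):
    """Return (verdict, findings) for a raw RFC 822 message.
    Assumed gateway policy: a zip attachment with any encrypted entry is
    quarantined, because the content scanner has no way to look inside it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        is_zip = name.lower().endswith(".zip") or part.get_content_type() == "application/zip"
        if not is_zip:
            continue
        report = inspect_zip(part.get_payload(decode=True) or b"")
        if report["encrypted"]:
            findings.append((name, report["encrypted"]))
    return ("quarantine" if findings else "deliver"), findings


# --- constructed fixtures (not real worm samples) ---------------------------

def build_zip(encrypted):
    """Build a one-entry stored zip in memory. For the 'encrypted' fixture the
    encryption flag bit is set in the local file header (flags at offset 6) and
    in the central directory entry (flags at offset 8); the data itself is not
    encrypted, which is all the gateway check needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("details.txt", b"placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= ENCRYPTED_FLAG               # local file header of the first entry
        cd = data.rfind(b"PK\x01\x02")          # central directory entry signature
        data[cd + 8] |= ENCRYPTED_FLAG          # its general-purpose flag field
    return bytes(data)


def build_message(zip_bytes):
    """A constructed 'account notification' message carrying the zip."""
    msg = EmailMessage()
    msg["From"] = "staff@uni.example"
    msg["To"] = "user@uni.example"
    msg["Subject"] = "Account notification"
    msg.set_content("Large numbers of emails have been sent from your account. See attached.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="message.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for encrypted in (False, True):
        verdict, found = scan_message(build_message(build_zip(encrypted)))
        print(f"encrypted={encrypted}: {verdict} {found}")
```

The same flag bit is what makes `zipfile` refuse to read the entry without a password, so a scanner that silently skips such entries and reports "clean" is the failure mode muert0 describes; the gateway decision should key on the flag, not on the scanner's verdict.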


Stealth

Quote from: iago on March 08, 2004, 05:49 PM
(so when I looked at the header I found the address of the infected person and warned him)

Sources of these e-mails are not always as they seem -- the From address is gleaned by many viruses from Outlook Express' contact list. This becomes especially apparent when your e-mail address is widely available.
- Stealth
Author of StealthBot
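Two points in this thread turn on reading headers rather than trusting them: iago found the infected machine "in the email header from the server" even though the From line was spoofed, and Stealth notes that the From address is simply harvested from a victim's contact list. The server-added Received chain is the part the sender does not control, so comparing the earliest Received hop against the claimed From domain is the check that separates the two. The Python below is an added example, not code from the thread; the sample messages, the `uni.example` and `isp.example` hosts, and the addresses are constructed, and the address-book point is only reflected in the fact that the From domain is ignored as evidence.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not from the thread): the From header claims university
# staff, but the earliest Received hop shows the message entered the university's
# mail system from an unrelated dial-up host, which is where the infected box is.
SPOOFED = b"""Return-Path: <staff@uni.example>
Received: from mx1.uni.example (mx1.uni.example [192.0.2.10])
\tby pop.uni.example with ESMTP id abc123;
\tMon, 8 Mar 2004 17:20:01 -0600
Received: from dsl-198-51-100-23.isp.example (dsl-198-51-100-23.isp.example [198.51.100.23])
\tby mx1.uni.example with SMTP id def456;
\tMon, 8 Mar 2004 17:19:58 -0600
From: "Staff" <staff@uni.example>
Reply-To: <someone@isp.example>
To: <user@uni.example>
Subject: Notify about your e-mail account utilization

Large numbers of emails have been sent from your account. See attached.
"""

# Constructed legitimate message for comparison: the first hop is inside the
# university's own domain and there is no divergent Reply-To.
LEGIT = b"""Received: from smtp.uni.example (smtp.uni.example [192.0.2.20])
\tby pop.uni.example with ESMTP id ghi789;
\tMon, 8 Mar 2004 09:00:00 -0600
From: "IT Helpdesk" <helpdesk@uni.example>
To: <user@uni.example>
Subject: Scheduled maintenance

The mail server will be down on Saturday.
"""

# "from <host> (<reverse-dns> [<ip>])" as written by most MTAs in Received lines.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<host>[^\s(]+)(?:\s*\([^\[\)]*\[(?P<ip>[^\]]+)\])?", re.IGNORECASE)


def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if the header is absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyze(raw):
    """Compare the claimed From domain with the first server-recorded hop."""
    msg = email.message_from_bytes(raw)
    received = msg.get_all("Received") or []
    # Each relay prepends its own Received header, so the last one is the
    # earliest hop: the host that first handed the message to our infrastructure.
    origin_host, origin_ip = "", ""
    if received:
        m = RECEIVED_FROM.search(received[-1])
        if m:
            origin_host = m.group("host").lower()
            origin_ip = (m.group("ip") or "").lower()
    from_domain = domain_of(msg.get("From"))
    reply_to_domain = domain_of(msg.get("Reply-To"))
    origin_matches_from = bool(from_domain) and (
        origin_host == from_domain or origin_host.endswith("." + from_domain))
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_to_domain,
        "origin_host": origin_host,
        "origin_ip": origin_ip,
        "hops": len(received),
        "origin_matches_from": origin_matches_from,
        # An absent Reply-To is not suspicious; a Reply-To in another domain is.
        "reply_to_matches_from": reply_to_domain in ("", from_domain),
    }


def findings(report):
    """Human-readable list of the mismatches, empty when nothing stands out."""
    out = []
    if not report["origin_matches_from"]:
        out.append(f"From claims {report['from_domain']} but the message entered "
                   f"from {report['origin_host']} [{report['origin_ip']}]")
    if not report["reply_to_matches_from"]:
        out.append(f"Reply-To points at {report['reply_to_domain']}, not the From domain")
    return out


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, findings(analyze(raw)) or ["no header mismatches"])
```

Only the Received header added by your own server (or a relay you trust) is evidence; every header above the spoofed From, including earlier Received lines, can be forged by the sender, which is why the check reads the chain from the trusted end inward.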