RE: [Full-Disclosure] Swen Really Sucks

From: Schmehl, Paul L (pauls_at_utdallas.edu)
Date: 09/26/03

  • Next message: Jeremiah Cornelius: "Re: [Full-Disclosure] Verisign Login Hijacking" 
    To: <nick@virus-l.demon.co.uk>, <full-disclosure@lists.netsys.com>
Date: Thu, 25 Sep 2003 18:23:12 -0500

    > -----Original Message-----
    > From: Nick FitzGerald [mailto:nick@virus-l.demon.co.uk]
    > Sent: Thursday, September 25, 2003 5:05 PM
    > To: full-disclosure@lists.netsys.com
    > Subject: RE: [Full-Disclosure] Swen Really Sucks
    >
    > Swen has code to locate the "Default Mail Account" under the Internet
    > Account Manager registry key then to extract the "SMTP Email Address"
    > value appropriately. This is then stored in a variable in the virus
    > that is later used for the argument to the "MAIL FROM:" SMTP command
    > while sending Email. (It is possible that some other part of
    > the Swen
    > code I have not closely analysed surreptitiously changes the contents
    > of this variable in some circumstances, but there is no obvious code
    > that also alters the contents of the buffer used to hold the string
    > pulled from the registry location just described...)
    >
    > This is all based on disassembly and is corroborated by reports from
    > other researchers who have watched it under debuggers, emulation, etc.

    If it's as poorly written as most malware is, it most likely screws this
    up as well. All I can tell you is that I get tens of bounces on my
    personal home email account daily, and I can assure you that I am not
    infected. I'll take a look tonight (because I'm sure there will be at
    least 50 or 60 virus mails and bounces in my deleted items folder) and
    see what's in the headers.

    You can disassemble and run simulations til you're blue in the face, but
    things don't work perfectly in the real world, as I *know* you know.

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu/~pauls/

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Jeremiah Cornelius: "Re: [Full-Disclosure] Verisign Login Hijacking"

    Relevant Pages

    • Re: MS security updates or...
      ... > the virus world, and what the latest scam is. ... The worm that attacked you in ... dozens of warnings from everywhere- how devious! ... good pay besides- which bounces, and the position goes to the next man. ...
      (alt.computer.security)
    • Re: MS security updates or...
      ... >> the virus world, and what the latest scam is. ... dozens of warnings from everywhere- how devious! ... > good pay besides- which bounces, and the position goes to the next man. ... > ..Life-time membership ...
      (alt.computer.security)
    • Re: W32/Novarg.A virus
      ... > messages come as bounced e-mail messages. ... > appear to be genuine bounces. ... This virus, like many others forges it's origin. ... somewhat prone to viruses run perimeter defences - unfortunately the ...
      (comp.os.linux.security)
    • Re: [Full-Disclosure] The incredible intolerance of Knud
      ... > I strongly object to people using terms of sexual orientation as a put-down. ... I think Knud was just being ironic, and besides we do that a lot in Denmark. ... > this year as a virus as well. ... I still get bounces on several advisories where AV vendors labelled my example ...
      (Full-Disclosure)
    • RE: [Full-Disclosure] PLEASE QUIT YACKING ABOUT M$
      ... btw)) virus is just kicking out stuff to heck and back. ... --> returned-check-fee ($15 and fair if you are a fool who bounces checks) ... --> those crazy skater kids get with their laptops, ... Can somebody please send me an ORKUT invitation?!?! ...
      (Full-Disclosure)