Stig Arne Bye
Default Are you still bothered with the W32.Swen.A@mm worm?

Josh Assing wrote:

Actually; the return-path is also spoofed.
I've seen plenty where the "IP" address of the sending computer is nothing like
the return-path's domain...


I don't deny that the "Return-Path"-line could be faked in some cases,
but there are still some facts here:

1. I have stored all headers from the about 5,500 infected e-mails I
have received (after Norton AntiVirus(TM) has removed the infected
attachment, of course).
When examining and sorting _all_ headers (I even wrote a small
program for that), I have noticed that whenever an infected e-mail
appears to come from the same sender, i.e. when the originating
IP address and other information are identical, then the
e-mail address in the "Return-Path"-line is always identical
between these, even if they have been sent at different times
and/or dates.

2. The "Received:"-line(s) in the header (that contain IP addresses
and other server information) are usually impossible to fake, as
these are appended by the relaying server(s) through the network,
i.e. after the infected mail has already left the infected sender's
computer and is therefore no longer under the control of the virus/worm.

3. When I was sending abuse directly to the originating ISP by
forwarding the entire headers, then at least two ISPs returned a
report message saying that when they parsed the server and
connection logs, they also noticed a match between the
ISP-username and the e-mail address in the "Return-Path"-line.

4. It's a true fact that many Internet users don't have any kind of
antivirus program installed on their computer.
When sending a notification to the user (e-mail address) found in
the "Return-Path"-line (including links to free scanning tools on
the net), I have in several cases received a mail in return saying
that they actually found the Swen.A worm (or other viruses/worms)
on their computer without their knowledge, and that they will now
install an antivirus program.


online.no has been so infected that we blocked all of their IPs from sending
to us until this virus thing calms down....


Online (a division of the national phone company) is one of the oldest
and largest ISPs in Norway, with almost 400,000 customers (that equals
approx. 10% of the total population of Norway).

However, of all the Swen.A infected e-mails I have received so far,
infections from online.no customers constitute only about 1-2% of
these.
The majority of Swen.A infected e-mails are from other countries, with
France, Germany and Italy amongst the worst.



Stig Arne Bye

E-mail ......:
Contact .....: AOL IM: VT480TFE / MSN:
/ ICQ: 403349
Snail-Mail ..: P.O.Box 169, NO-9915 Kirkenes, Norway
Homepage ....:
http://home.online.no/~stigbye/index.html
------------------------------------------------------------------------
Located just about 70°N 30°E - Almost at the top of the world!
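As an added example (not part of the original post or the poster's own program): a small Python script in the spirit of the header-sorting program described in point 1. It takes the originating IP from the bottom-most "Received:" line (the hop written by the first relay, which the sender's machine cannot alter, as point 2 explains) and checks whether the "Return-Path" is identical for every message from that IP. All sample headers, hostnames, addresses and dates below are constructed.

```python
import re
import textwrap
from collections import defaultdict
from email import message_from_string

# Constructed sample headers (not real mail), headers only, newest hop first.
SAMPLES = [textwrap.dedent(s).strip() for s in ("""
    Return-Path: <user1@example.net>
    Received: from mx.example.org ([192.0.2.10]) by mail.example.com; Mon, 22 Sep 2003 10:00:00 +0200
    Received: from host1.example.net ([198.51.100.7]) by mx.example.org; Mon, 22 Sep 2003 09:59:00 +0200
    """, """
    Return-Path: <user1@example.net>
    Received: from mx.example.org ([192.0.2.10]) by mail.example.com; Tue, 23 Sep 2003 18:30:00 +0200
    Received: from host1.example.net ([198.51.100.7]) by mx.example.org; Tue, 23 Sep 2003 18:29:00 +0200
    """, """
    Return-Path: <other@example.edu>
    Received: from mx.example.org ([192.0.2.10]) by mail.example.com; Tue, 23 Sep 2003 19:00:00 +0200
    Received: from pc.example.edu ([203.0.113.42]) by mx.example.org; Tue, 23 Sep 2003 18:59:00 +0200
    """, """
    Return-Path: <someone@example.org>
    Received: from mx.example.org ([192.0.2.10]) by mail.example.com; Wed, 24 Sep 2003 08:00:00 +0200
    Received: from pc.example.edu ([203.0.113.42]) by mx.example.org; Wed, 24 Sep 2003 07:59:00 +0200
    """)]

def originating_ip(msg):
    """IP in the bottom-most Received: header: the earliest hop, written by
    the receiving relay rather than by the (possibly infected) sender."""
    received = msg.get_all("Received") or []   # listed top-down
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    return m.group(1) if m else None

def return_path(msg):
    """Address inside the Return-Path: header, without the angle brackets."""
    m = re.search(r"<([^>]*)>", msg.get("Return-Path", ""))
    return m.group(1) if m else msg.get("Return-Path", "").strip()

def group_by_origin(raw_messages):
    """Map originating IP -> set of Return-Path addresses seen from it."""
    groups = defaultdict(set)
    for msg in map(message_from_string, raw_messages):
        if originating_ip(msg):
            groups[originating_ip(msg)].add(return_path(msg))
    return dict(groups)

def consistent_origins(groups):
    """Originating IPs whose Return-Path was identical in every message."""
    return {ip for ip, paths in groups.items() if len(paths) == 1}
```

Run over a real mailbox, an origin that appears in `consistent_origins` is a candidate for the kind of ISP abuse report described in point 3; an origin with several Return-Paths is one where the header was evidently varied.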