[DShield] mass mailing worm

Rich Kittell richkittell at mindspring.com
Mon Oct 1 21:05:26 GMT 2001


Viruses, worms, and other programs in general do not have to send e-mail via the Outlook MAPI interface. They can use their own SMTP (outbound) client to connect to your ISP's SMTP server, a capability that is attributed to Nimda. In that case you'll have no indication that e-mail has been sent from your system. 

Furthermore, the 'Automatically send messages' option is a Registry value and could be changed by malicious code, although it wouldn't take effect until you next started the program. Worse, there is a "Hidden" form flag used by the messages that carry meeting and task requests and keep Net Folders in sync. Malicious code need only set that flag (and clear the Save Copy flag) for each message and you won't see its infectious spew in your Outbox. You might wonder why a Send / Receive pass is taking so long, though.

One useful factor to consider is that e-mail that is not sent through your Outbox will usually not have the same appearance as the e-mail you send: formatting, how your name and return address appear, and so forth. The e-mail headers will for sure be different. That is sometimes a giveaway to the alert recipient that the e-mail did not actually originate from the human whose name it carries.

The task of writing an Outlook Rules Wizard plug-in to sample the e-mail headers of each Inbox message and perform "source validation" has not, as far as I know, been done. If each header was parsed and the originating client mailer's "signature" stored in a Contacts folder entry for that sender, each new message could be compared to the stored value. A compare failure could generate a warning and flag the message's source as questionable.
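
As an added illustration of the "source validation" idea above (not code from the original post, and a Python prototype rather than an Outlook Rules Wizard plug-in), the check below records a few client-identifying headers per sender the first time a message is seen and flags later messages whose header signature differs; the sample messages are constructed.

```python
import email
import textwrap
from email.utils import parseaddr

# Headers that reflect the originating mail client rather than the message content.
CLIENT_HEADERS = ("x-mailer", "user-agent", "mime-version")

def fingerprint(raw: str):
    """Return (sender address, client signature) for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Which client headers are present, in what order, and with what values.
    present = tuple(h.lower() for h in msg.keys() if h.lower() in CLIENT_HEADERS)
    values = tuple(msg.get(h, "").strip() for h in CLIENT_HEADERS)
    # A real mail client normally stamps a Message-ID under the sender's own domain.
    msgid_domain = msg.get("Message-ID", "").rstrip(">").rsplit("@", 1)[-1].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    id_ok = msgid_domain == sender_domain or msgid_domain.endswith("." + sender_domain)
    return sender, (present, values, id_ok)

def validate(store: dict, raw: str) -> str:
    """Compare a message's client signature with the one stored for its sender."""
    sender, sig = fingerprint(raw)
    if sender not in store:
        store[sender] = sig  # first sighting: record it, like a Contacts folder entry
        return "learned"
    return "match" if store[sender] == sig else "mismatch"

# Constructed samples, not real traffic: a message from Alice's own Outlook ...
ALICE_OUTLOOK = textwrap.dedent("""\
    From: Alice Example <alice@example.com>
    Message-ID: <001a01c14aab$0a00a8c0@alice-pc.example.com>
    MIME-Version: 1.0
    X-Mailer: Microsoft Outlook, Build 10.0.2627
    Subject: lunch

    See you at noon.
    """)
# ... and one carrying her address but sent by a self-contained SMTP engine.
ALICE_SPOOFED = textwrap.dedent("""\
    From: Alice Example <alice@example.com>
    Message-ID: <a1b2c3@10.0.0.7>
    Subject: readme.exe

    Check this out!
    """)

def demo():
    store = {}
    samples = (ALICE_OUTLOOK, ALICE_OUTLOOK.replace("lunch", "dinner"), ALICE_SPOOFED)
    return [validate(store, m) for m in samples]  # ['learned', 'match', 'mismatch']
```

A Message-ID under a different domain, or the disappearance of the X-Mailer header a sender has always carried, is exactly the kind of "compare failure" that would justify the warning described above.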


-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
Behalf Of David Sentelle
Sent: Monday, October 01, 2001 8:05 AM
To: dshield at dshield.org
Subject: Re: [Dshield] mass mailing worm

While knocking on wood, I'll say that I have not been infected by any of these email viruses. If you DO get infected, does the 'Automatically send messages' option have an effect on any of these email worms? If you have the option turned off, I would expect to see either a huge number of emails, or a single email to a large number of people, that I did not compose sitting in my outbox. This is assuming that they've not got a 'send/receive email' action programmed into the script.

David Sentelle
Network Operations Specialist
Commerce National Bank
614.334.6282 Voice    614.848.8830 Fax

