[Dshield] Snake Mail Originator

Thomas Liston tliston at premmag.com
Tue May 21 22:25:45 GMT 2002


It tried several things, ultimately unsuccessful.  Perhaps the people 
responsible for clemail.exe got wise and had access shut down.

When using essentially the same command line as the worm, it 
attempted to use two "from" addresses:

clemail at crosswinds.net and commandlineemail at crosswinds.net

both of which it attempted to use via the mailserver at 
mail.crosswinds.net

-TL

On 21 May 2002 at 14:28, Coxe, John B. wrote:

> Can you mail (in a controlled way) using it to see what it tries to send as
> the originator?
> 
> -----Original Message-----
> From: Thomas Liston [mailto:tliston at premmag.com]
> Sent: Tuesday, May 21, 2002 1:25 PM
> To: list at dshield.org
> Subject: Re: [Dshield] Snake Mail Originator
> 
> 
> The actual code doesn't specify a "From" address.  I would assume it 
> defaults to something within clemail.exe.  Here are some "guilty-
> looking" strings pulled from there:
> 
> 000537E4   004537E4      0   clemail at crosswinds.net
> 000537FC   004537FC      0   commandlineemail at crosswinds.net
> 0005381C   0045381C      0   mail.crosswinds.net
> 00053830   00453830      0   clemail at nettaxi.com
> 00053844   00453844      0   commandlineemailer at nettaxi.com
> 00053864   00453864      0   mail1.nettaxi.com
> 00053878   00453878      0   clemail at softhome.net
> 00053890   00453890      0   clemail
> 00053898   00453898      0   commandlineemail at softhome.net
> 
> -TL
> 
> On 21 May 2002 at 12:53, Coxe, John B. wrote:
> 
> > Has anyone looked at the code enough to determine the defined originator
> > and/or reply-to address in the ixltd at postone.com mailings.  If the
> > compromised systems are sending to a full mailbox and if that mail is
> > bouncing, it is not apparently coming back to the infected networks.  Is
> > postone a red herring and the reply address the intended destination?
> > 
> > It would be nice to see the whole code.
> > 
> > 
> > 
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> 
> 
> Tom Liston, GSEC
> Network Administrator
> Prem Magnetics, Inc.
> tliston at premmag.com
> tliston at hackbusters.net
> 


Tom Liston, GSEC
Network Administrator
Prem Magnetics, Inc.
tliston at premmag.com
tliston at hackbusters.net
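As an added example (not code from this thread, and not from the authors of clemail.exe), the script below reproduces the kind of triage shown in the quoted string listing: it walks a binary for runs of printable ASCII, records each run's file offset, and flags the ones that look like e-mail addresses or mail-server hostnames so a responder can pull candidate originator and relay indicators out of a sample without running it. The sample bytes are constructed; the virtual-address column is an assumption that mirrors the quoted listing, where every VA is the file offset plus 0x400000, which only holds when the section's raw offset equals its RVA.

```python
import re

# Constructed stand-in for a suspicious binary (NOT the real clemail.exe):
# a few ASCII strings separated by non-printable bytes.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 20
    + b"clemail@crosswinds.net\x00"          # looks like a default "From" address
    + b"\x01\x02\x03"
    + b"mail.crosswinds.net\x00"             # looks like an SMTP relay hostname
    + b"ab\x00"                              # too short to be reported
    + b"commandlineemail@softhome.net\x00"
    + b"\xff" * 8
)

# Assumed image base, taken from the quoted listing where VA = offset + 0x400000.
IMAGE_BASE = 0x400000

EMAIL = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
HOSTNAME = re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def extract_strings(data, min_len=4):
    """Return [(file_offset, text)] for every run of >= min_len printable ASCII bytes.

    This is the core of what a 'strings' tool does; offsets are relative to the
    start of the file, like the first column of the quoted listing.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def classify(text):
    """Label a string as 'email', 'hostname', or None if it is neither."""
    if EMAIL.match(text):
        return "email"
    if HOSTNAME.match(text):
        return "hostname"
    return None


def find_mail_indicators(data, image_base=IMAGE_BASE):
    """Return the strings that look like mail originators or relays.

    Each entry carries the file offset, an assumed virtual address (offset +
    image_base, valid only when raw offset == RVA), the classification, and
    the text itself, so it can be dropped straight into a block list or a
    mail-gateway watch rule.
    """
    found = []
    for offset, text in extract_strings(data):
        kind = classify(text)
        if kind is not None:
            found.append({
                "offset": offset,
                "va": image_base + offset,
                "kind": kind,
                "text": text,
            })
    return found


if __name__ == "__main__":
    # Print in the same offset / VA / string layout as the quoted listing.
    for ind in find_mail_indicators(SAMPLE):
        print(f"{ind['offset']:08X}   {ind['va']:08X}   {ind['kind']:<8} {ind['text']}")
```

Run it against a real file with `find_mail_indicators(open(path, "rb").read())`; the hostnames it returns are the values to watch for in outbound SMTP logs, and the addresses are what to expect in the `MAIL FROM` of any mail the sample sends, which is exactly what the controlled send described at the top of the thread confirmed.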



