[Dshield] MyDoom: understanding headers and possible infection through IE

Laurent Saplairoles lsaplai at telus.net
Fri Jan 30 11:23:42 GMT 2004


Hello all

I want to make sure that I understand the originator e-mail address spoofing process 
correctly.

I have received only 3 copies of the virus on my personal address today. 1 of them is 
actually a bounce from a mail server that says the user's mailbox is full (and it didn't 
detect the virus...)

Here is the Received: header of these messages:

Message 1:

Received: from t-online.de ([154.5.162.93])
          by priv-edtnes83.telusplanet.net
          (InterMail vM.6.00.05.02 201-2115-109-103-20031105) with ESMTP
          id <20040129193332.GENJ9578.priv-edtnes83.telusplanet.net at t-online.de>
          for <saplairoles at telus.net>; Thu, 29 Jan 2004 12:33:32 -0700

Message 2:

Received: from winzip.com ([154.5.162.93]) by priv-edtnes82.telusplanet.net
          (InterMail vM.6.00.05.02 201-2115-109-103-20031105) with ESMTP
          id <20040129193833.IZWF11238.priv-edtnes82.telusplanet.net at winzip.com>
          for <lsaplai at telus.net>; Thu, 29 Jan 2004 12:38:33 -0700

Next are the headers of the bounced message (not the stupid server's, but the 
message it bounced) - Message 3:

Received: from telus.net (d154-5-162-93.bchsia.telus.net [::ffff:154.5.162.93])
  by smtp.cn.tom.com with esmtp; Fri, 30 Jan 2004 02:26:36 +0800
From: lsaplai at telus.net
To: tonglifeng at bj.tom.com
Subject: Status
Date: Thu, 29 Jan 2004 10:32:03 -0800

For messages 1 and 2, the sending servers seem to be t-online.de and winzip.com, but 
the IP address in brackets right after that (154.5.162.93) is actually the IP currently 
assigned to me by my ISP. Both "for <address>" are correct addresses of mine.

For the 3rd message, it seems to be coming from me (lsaplai at telus.net) with my ISP 
and IP address in the Received: header.

At the time the messages were transmitted (I am at GMT -8), I was not connected, but 
my wife was (same computer, but she boots under Win98 and I use Win2k - long story, 
I'll skip ;-).
I think that the messages originated from her system: it was effectively infected with 
MyDoom.A (shame on me for letting that in) but I am not sure how: we do not use 
Kazaa and her mail client will not auto-execute an attachment: she uses M2, Opera's 
integrated mail client. I found 1 instance of MyDoom.A in her mail, but it had been 
classified as spam and sent to the spam folder; she wouldn't have executed it.

My virus scanner (AVG free edition), once updated (sic), detected 1 instance of 
MyDoom.A in Windows\Temp. I guess that's what was executed and infected the 
system (which I have since cleaned). I do not know where that one came from. Opera 
does not use that temp directory.

On the other hand, she also uses IE (version 6, all patched) for part of her web 
browsing. She might check some web-based e-mails with it.

Is it possible that her system got infected through IE?

Lastly, the question related to the subject line: is the IP address I am reading in the 
header [154.5.162.93] correct, meaning that those messages actually originated from 
our system, or is it also spoofed?
My understanding is that that address is supposed to be correct as it is supposed to be 
added by the receiving MTA.

Thank you for bringing me your lights!

Cheers!

-- 
Laurent
Sacha Guitry (1895 - 1957)
I am against women. Right up against them.
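The three Received: lines quoted in the post, run through a small parser. This is an added example, not part of the original message or of any Dshield tooling. It separates the two things a Received: line records: the name the sending client announced in HELO/EHLO (the token after "from", free text chosen by the client) and the peer address the receiving MTA wrote down from the TCP connection it accepted (the bracketed IP, plus the reverse name if the MTA looked it up). PTR_TABLE is an assumption so the script runs offline: the only reverse name the post shows for 154.5.162.93 is the one smtp.cn.tom.com recorded in message 3; a live check would call socket.gethostbyaddr() instead. The "last two labels" domain comparison is a deliberately crude heuristic, also an assumption.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample input: the three Received: lines quoted in the post,
# unfolded onto one line each (continuation lines joined with spaces).
RECEIVED_LINES = [
    "from t-online.de ([154.5.162.93]) by priv-edtnes83.telusplanet.net "
    "(InterMail vM.6.00.05.02 201-2115-109-103-20031105) with ESMTP "
    "id <20040129193332.GENJ9578.priv-edtnes83.telusplanet.net at t-online.de> "
    "for <saplairoles at telus.net>; Thu, 29 Jan 2004 12:33:32 -0700",
    "from winzip.com ([154.5.162.93]) by priv-edtnes82.telusplanet.net "
    "(InterMail vM.6.00.05.02 201-2115-109-103-20031105) with ESMTP "
    "id <20040129193833.IZWF11238.priv-edtnes82.telusplanet.net at winzip.com> "
    "for <lsaplai at telus.net>; Thu, 29 Jan 2004 12:38:33 -0700",
    "from telus.net (d154-5-162-93.bchsia.telus.net [::ffff:154.5.162.93]) "
    "by smtp.cn.tom.com with esmtp; Fri, 30 Jan 2004 02:26:36 +0800",
]

# ASSUMPTION (offline stand-in for a PTR lookup): the one reverse name the
# post shows for this address, as recorded by smtp.cn.tom.com in message 3.
# A real run would use socket.gethostbyaddr(ip) instead.
PTR_TABLE = {"154.5.162.93": "d154-5-162-93.bchsia.telus.net"}

# "from <HELO name> (<optional rDNS> [<IP>]) by <receiver> ... ; <date>"
# The ::ffff: prefix is how some MTAs print an IPv4 peer seen on an IPv6 socket.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\("
    r"(?:(?P<rdns>[^\s\[\]]+)\s+)?"
    r"\[(?:::ffff:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def registrable(name: str) -> str:
    """Crude 'last two labels' domain (assumption): d154-...bchsia.telus.net -> telus.net."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_received(line: str, ptr_table: dict = PTR_TABLE) -> dict:
    """Split one Received: line into what the client claimed (HELO name)
    and what the receiving MTA observed (peer IP, rDNS, timestamp)."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised Received: line: {line[:60]!r}")
    _head, _sep, date_part = line.rpartition(";")
    when = parsedate_to_datetime(date_part.strip()).astimezone(timezone.utc)
    ip = m.group("ip")
    # Prefer the rDNS the receiving MTA wrote down; fall back to the PTR table.
    ptr = m.group("rdns") or ptr_table.get(ip)
    helo = m.group("helo")
    return {
        "helo": helo,
        "ip": ip,
        "ptr": ptr,
        "by": m.group("by"),
        "utc": when.strftime("%Y-%m-%d %H:%M:%S"),
        # The IP came from the TCP connection the receiver accepted, so it is
        # the one field here the sender could not choose; the HELO name is
        # whatever the client sent and is the part that gets forged.
        "helo_matches_ptr": (
            None if ptr is None else registrable(helo) == registrable(ptr)
        ),
    }


def triage(lines=RECEIVED_LINES) -> list:
    """Parse every line and attach a one-phrase verdict on the HELO name."""
    out = []
    for line in lines:
        rec = parse_received(line)
        if rec["helo_matches_ptr"] is None:
            rec["verdict"] = "unknown (no rDNS)"
        elif rec["helo_matches_ptr"]:
            rec["verdict"] = "helo consistent"
        else:
            rec["verdict"] = "helo forged"
        out.append(rec)
    return out


if __name__ == "__main__":
    for r in triage():
        print(f"{r['utc']} UTC  {r['ip']:<14} helo={r['helo']:<12} "
              f"ptr={r['ptr']}  -> {r['verdict']}")
```

Run as a script it prints one line per header, with the timestamps normalised to UTC so hops logged in -0700, +0800 and the -0800 Date: header can be compared directly. With the assumed PTR data, the first two lines are flagged because the HELO names (t-online.de, winzip.com) do not belong to the domain the address reverses to, while the third, which announced telus.net, is consistent; with an empty PTR table the first two come back as "unknown" rather than guessing.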
