Several months ago, a correspondent to one of my "private" e-mail boxes seems to have been struck by a worm and his or her address book copied. Since that time I have begun receiving regular virus/worm-laden attachments to it. Today I noted an interesting development. I received an e-mail that seemed clearly to be infected but it appeared in my regular mail file rather than the "Bulk Mail" file that Yahoo so graciously provides.
Actually this is the second or third time, among my various e-mail boxes, that I have seen the ploy I am about to describe. The e-mail was a legitimate reply from "Yahoo! Groups" firstname.lastname@example.org:
We are unable to deliver the message from [my e-mail address]
Your message was not delivered because it was sent to an
announcement-only group, where only the moderator may post.
A copy of your original message is attached.
The original worm was sent to a Yahoo Groups address that automatically bounces messages back to sender. My e-mail address had been pasted into the "From" box when it was sent to the "announcement-only group". From the perspective of the Yahoo mailbox, it was a legitimate return-mail correspondence. The attachment - entitled "important.zip" - went through the entire process unscathed and arrived intact together with a W32.Netsky.Z@mm worm.
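As an added illustration (not part of the original post, and not how Yahoo's filter actually works), the sketch below builds a bounce shaped like the one described and shows why a check that only looks at the outer message's attachments misses "important.zip", while a walk into the embedded original finds it. All addresses and the archive bytes are constructed placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

RISKY_EXT = (".zip", ".exe", ".scr", ".pif", ".com", ".bat")

def build_sample_bounce() -> bytes:
    """Constructed sample: a list bounce that re-attaches the forged original."""
    original = EmailMessage()
    original["From"] = "me@example.com"              # forged sender (constructed)
    original["To"] = "announce-only@example.org"     # constructed list address
    original["Subject"] = "Important"
    original.set_content("See attachment.")
    original.add_attachment(b"PK placeholder bytes, not a real archive",
                            maintype="application", subtype="zip",
                            filename="important.zip")
    bounce = EmailMessage()
    bounce["From"] = "list-bounces@example.org"      # constructed
    bounce["To"] = "me@example.com"
    bounce["Subject"] = "Unable to deliver your message"
    bounce.set_content("A copy of your original message is attached.")
    bounce.add_attachment(original)                  # becomes a message/rfc822 part
    return bounce.as_bytes()

def top_level_names(raw: bytes):
    """What a check sees if it only lists the outer message's attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()]

def find_nested_attachments(raw: bytes):
    """Return (filename, depth); depth counts enclosing message/rfc822 parts."""
    hits = []

    def visit(part, depth):
        if part.is_multipart():
            # An embedded message is one level deeper than its container.
            step = 1 if part.get_content_type() == "message/rfc822" else 0
            for sub in part.get_payload():
                visit(sub, depth + step)
        else:
            name = part.get_filename() or ""
            if name.lower().endswith(RISKY_EXT):
                hits.append((name, depth))

    visit(email.message_from_bytes(raw, policy=policy.default), 0)
    return hits

if __name__ == "__main__":
    sample = build_sample_bounce()
    print("outer attachments:", top_level_names(sample))
    print("nested hits:", find_nested_attachments(sample))
```

A hit at depth 1 or more inside a delivery-failure notice for mail the recipient never sent is the pattern described above.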
This on W32.Netsky.Z@mm from Symantec:
Uses its own SMTP engine to send itself to email@example.com, as
well as all the email addresses that it finds.
The email has the following characteristics
Subject: (one of the following)
Attachment: (zip file with one of the following file
To read the full Symantec security report click here.