Wednesday, March 23, 2005

W32.Netsky.Z@mm - The Bounce-Back Ploy.

Being a public presence on the Web can be highly instructive. Having posted my gwpurdy@yahoo.com address in my publishing bios, I receive vast amounts of junk mail, fraudulent business offers and virus/worm-laden attachments.

Several months ago, a correspondent to one of my "private" e-mail boxes seems to have been struck by a worm and his or her address book copied. Since that time I have begun receiving regular virus/worm-laden attachments to it. Today I noted an interesting development. I received an e-mail that seemed clearly to be infected but it appeared in my regular mail file rather than the "Bulk Mail" file that Yahoo so graciously provides.

Actually this is the second or third time, among my various e-mail boxes, that I have seen the ploy I am about to describe. The e-mail was a legitimate reply from "Yahoo! Groups" notify@yahoogroups.com:
We are unable to deliver the message from [my e-mail address]
to namimnlist@yahoogroups.com.

Your message was not delivered because it was sent to an
announcement-only group, where only the moderator may post.

A copy of your original message is attached.
The original worm was sent to a Yahoo Groups address that automatically bounces messages back to sender. My e-mail address had been pasted into the "From" box when it was sent to the "announcement-only group". From the perspective of the Yahoo mailbox, it was a legitimate return-mail correspondence. The attachment - entitled "important.zip" - went through the entire process unscathed and arrived intact together with a W32.Netsky.Z@mm worm.

This, on W32.Netsky.Z@mm, is from Symantec:

Uses its own SMTP engine to send itself to jamainlbbbsdef@yahoo.com, as
well as all the email addresses that it finds.

The email has the following characteristics

Subject: (one of the following)

Hello
Hi
Important
Important bill!
Important data!
Important details!
Important document!
Important informations!
Important notice!
Important textfile!
Important!
Information

From: (spoofed)

Attachment: (zip file with one of the following file names)
Bill.zip
Data.zip
Details.zip
Important.zip
Informations.zip
Notice.zip
Part-2.zip
Textfile.zip


To read the full Symantec security report click here.
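The point of the ploy above is that a bounce from a trusted notifier carries the worm's original message, zip and all, past a mailbox filter that only looks at the bounce's own headers. The checker below is an added example, not code from this post or from Symantec: it unwraps any attached original (message/rfc822 parts), and compares the subjects and attachment names it finds against the indicator lists quoted from the Symantec write-up. The bounce-sender patterns and bounce phrases, the example.com addresses, the sample messages and the placeholder zip bytes are all constructed for the example; only the Python standard library is used.

```python
"""Spot a Netsky-style payload riding inside a bounce or group notification.

Added example, not part of the original post. The indicator lists are the
subjects and attachment names quoted from Symantec in the post; everything
else (sender patterns, phrases, sample messages) is constructed here.
"""
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted from the Symantec description in the post.
NETSKY_SUBJECTS = {
    "hello", "hi", "important", "important bill!", "important data!",
    "important details!", "important document!", "important informations!",
    "important notice!", "important textfile!", "important!", "information",
}
NETSKY_ATTACHMENTS = {
    "bill.zip", "data.zip", "details.zip", "important.zip",
    "informations.zip", "notice.zip", "part-2.zip", "textfile.zip",
}
# Assumed patterns for senders and wording that return the original message.
BOUNCE_SENDERS = ("notify@yahoogroups.com", "mailer-daemon@", "postmaster@")
BOUNCE_PHRASES = ("unable to deliver", "was not delivered", "delivery failed")


def is_bounce(msg: EmailMessage) -> bool:
    """True when the message looks like a bounce (sender or wording) AND it
    carries an embedded original as a message/rfc822 part."""
    sender = str(msg.get("From", "")).lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    looks_like_bounce = (any(s in sender for s in BOUNCE_SENDERS)
                         or any(p in text for p in BOUNCE_PHRASES))
    has_original = any(p.get_content_type() == "message/rfc822"
                       for p in msg.walk())
    return looks_like_bounce and has_original


def scan_message(raw: bytes) -> dict:
    """Walk the whole message tree, including attached originals, and report
    which Netsky indicators appear. walk() descends into message/rfc822
    parts, so the worm's own Subject and zip name are visible even though the
    outer headers belong to the notifier."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"via_bounce": is_bounce(msg), "subjects": [], "attachments": []}
    for part in msg.walk():
        # Subject headers sit on the root and on any attached original.
        if part.get("Subject") is not None:
            subject = str(part["Subject"]).strip()
            if subject.lower() in NETSKY_SUBJECTS:
                hits["subjects"].append(subject)
        name = part.get_filename()
        if name and name.lower() in NETSKY_ATTACHMENTS:
            hits["attachments"].append(name)
    # A matching zip is the decisive indicator; the subject alone is too
    # generic ("Hello", "Hi") to act on by itself.
    hits["suspicious"] = bool(hits["attachments"])
    return hits


def build_bounce(original: EmailMessage) -> bytes:
    """Constructed bounce in the shape quoted in the post (not a real
    Yahoo! Groups message); the original is attached as message/rfc822."""
    bounce = EmailMessage()
    bounce["From"] = "Yahoo! Groups <notify@yahoogroups.com>"
    bounce["To"] = str(original["From"])
    bounce["Subject"] = "Delivery failure"
    bounce.set_content(
        "We are unable to deliver the message from "
        f"{original['From']} to namimnlist@yahoogroups.com.\n\n"
        "Your message was not delivered because it was sent to an\n"
        "announcement-only group, where only the moderator may post.\n\n"
        "A copy of your original message is attached.\n")
    bounce.add_attachment(original)
    return bounce.as_bytes()


def netsky_style_original() -> EmailMessage:
    """Constructed stand-in for the worm's message: the From address is the
    spoofed one, and the zip bytes are a harmless placeholder."""
    orig = EmailMessage()
    orig["From"] = "spoofed-sender@example.com"
    orig["To"] = "namimnlist@yahoogroups.com"
    orig["Subject"] = "Important!"
    orig.set_content("Please read the attached file.\n")
    orig.add_attachment(b"PK\x03\x04placeholder-not-a-real-archive",
                        maintype="application", subtype="zip",
                        filename="Important.zip")
    return orig


def benign_original() -> EmailMessage:
    """Constructed ordinary post that also bounced from the group."""
    orig = EmailMessage()
    orig["From"] = "member@example.com"
    orig["To"] = "namimnlist@yahoogroups.com"
    orig["Subject"] = "Meeting notes"
    orig.set_content("Minutes from Tuesday are below.\n")
    return orig


if __name__ == "__main__":
    print(scan_message(build_bounce(netsky_style_original())))
    print(scan_message(build_bounce(benign_original())))
```

The decision is taken on what sits inside the attached original, not on the notifier's From header or the bounce wording, which is exactly the part of the message the ploy relies on being trusted. The same scan flags the worm's message when it arrives directly rather than via a bounce; the `via_bounce` flag only records how it got there.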