
Wednesday, March 23, 2005

W32.Netsky.Z@mm - The Bounce-Back Ploy.

Being a public presence on the Web can be highly instructive. Having posted my gwpurdy@yahoo.com address in my publishing bios, I receive vast amounts of junk mail, fraudulent business offers and virus/worm-laden attachments. Several months ago, a correspondent to one of my "private" e-mail boxes seems to have been infected by a worm that copied his or her address book. Since then I have been receiving regular virus/worm-laden attachments at that address as well. Today I noted an interesting development. I received an e-mail that was clearly infected, but it appeared in my regular mail file rather than the "Bulk Mail" file that Yahoo so graciously provides. This is actually the second or third time, across my various e-mail boxes, that I have seen the ploy I am about to describe. The e-mail was a legitimate reply from "Yahoo! Groups" notify@yahoogroups.com:
We are unable to deliver the message from [my e-mail address] to namimnlist@yahoogroups.com. Your message was not delivered because it was sent to an announcement-only group, where only the moderator may post. A copy of your original message is attached.
The original worm-bearing message was sent to a Yahoo Groups address that automatically bounces submissions back to the sender. My e-mail address had been pasted into the "From" field (the sender was spoofed) when it was sent to the "announcement-only group". From the perspective of the Yahoo mailbox, the bounce was a legitimate delivery-failure notice from a trusted sender, so it was not filtered as bulk mail. The attachment, entitled "important.zip", went through the entire process unscathed and arrived intact, carrying a W32.Netsky.Z@mm worm. This is Symantec's description of W32.Netsky.Z@mm:

Uses its own SMTP engine to send itself to jamainlbbbsdef@yahoo.com, as well as all the email addresses that it finds. The email has the following characteristics:

Subject: (one of the following)
Hello
Hi
Important
Important bill!
Important data!
Important details!
Important document!
Important informations!
Important notice!
Important textfile!
Important!
Information

From: (spoofed)

Attachment: (zip file with one of the following file names)
Bill.zip
Data.zip
Details.zip
Important.zip
Informations.zip
Notice.zip
Part-2.zip
Textfile.zip

To read the full Symantec security report click here.
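The bounce-back ploy described above can be triaged mechanically on the receiving side: a delivery-failure notice carries the "original" message as a message/rfc822 part, so a mail filter can open that inner message, check whether this mailbox ever actually sent anything to the bounced recipient, and compare the inner subject and attachment names against the Netsky.Z characteristics quoted from Symantec. The script below is an added example written for this post, not code from the original page or from Symantec; the addresses, message bodies and the "sent-mail record" are constructed sample data, and the indicator sets are the subject lines and file names listed in the Symantec excerpt.

```python
"""Triage a bounce (delivery-failure notice) that returns an attachment to a spoofed sender.

Added example: a worm forges the victim's address as sender, mails an auto-bouncing
list, and the legitimate bounce delivers the worm to the victim. Indicator lists are
the subjects and attachment names quoted from Symantec in the post; every address and
message body here is constructed sample data.
"""
import base64
from email import message_from_bytes, policy
from email.utils import parseaddr

# Subject lines and attachment names listed in the Symantec description (lower-cased).
NETSKY_Z_SUBJECTS = {
    "hello", "hi", "important", "important bill!", "important data!",
    "important details!", "important document!", "important informations!",
    "important notice!", "important textfile!", "important!", "information",
}
NETSKY_Z_ATTACHMENTS = {
    "bill.zip", "data.zip", "details.zip", "important.zip",
    "informations.zip", "notice.zip", "part-2.zip", "textfile.zip",
}


def build_bounce(subject, attachment_name=""):
    """Construct a bounce in the shape the post describes (sample data, not a real capture).

    The outer message is the list server's failure notice; the inner message/rfc822 part
    is the "original" message, whose From was forged to the victim's address.
    """
    attachment = ""
    if attachment_name:
        payload = base64.b64encode(b"PK\x03\x04 not a real archive").decode()
        attachment = (
            "--orig\n"
            f'Content-Type: application/zip; name="{attachment_name}"\n'
            f'Content-Disposition: attachment; filename="{attachment_name}"\n'
            "Content-Transfer-Encoding: base64\n\n"
            f"{payload}\n"
        )
    raw = (
        "From: notify@groups.example\n"
        "To: victim@example.com\n"
        "Subject: Delivery failure\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="bounce"\n\n'
        "--bounce\n"
        "Content-Type: text/plain\n\n"
        "We are unable to deliver the message from victim@example.com to "
        "announce-list@groups.example. A copy of your original message is attached.\n"
        "--bounce\n"
        "Content-Type: message/rfc822\n\n"
        "From: victim@example.com\n"            # spoofed by the worm
        "To: announce-list@groups.example\n"    # announcement-only list that bounces
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="orig"\n\n'
        "--orig\n"
        "Content-Type: text/plain\n\n"
        "Please read the attached document.\n"
        f"{attachment}"
        "--orig--\n"
        "--bounce--\n"
    )
    return raw.encode()


def analyze_bounce(raw, sent_recipients):
    """Inspect a bounce; sent_recipients is the set of addresses this mailbox really mailed."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"is_bounce": False, "never_sent": False,
              "suspicious_subject": False, "suspicious_attachments": []}
    for part in msg.walk():
        if part.get_content_type() != "message/rfc822":
            continue
        report["is_bounce"] = True
        original = part.get_payload()[0]  # the message the bounce handed back to us
        original_to = parseaddr(str(original["To"] or ""))[1].lower()
        # A bounce for a message we never sent is backscatter from a forged From.
        report["never_sent"] = original_to not in sent_recipients
        subject = str(original["Subject"] or "").strip().lower()
        report["suspicious_subject"] = subject in NETSKY_Z_SUBJECTS
        for sub in original.walk():
            name = sub.get_filename()
            if name and name.lower() in NETSKY_Z_ATTACHMENTS:
                report["suspicious_attachments"].append(name)
    return report


def verdict(report):
    """Map the report to a filter action: the attachment name is the decisive indicator."""
    if report["suspicious_attachments"]:
        return "quarantine"
    if report["is_bounce"] and report["never_sent"]:
        return "review"
    return "deliver"


if __name__ == "__main__":
    sent = {"friend@example.com"}  # constructed sent-mail record for this mailbox
    worm = analyze_bounce(build_bounce("Important", "Important.zip"), sent)
    print(verdict(worm), worm)
```

The key check is the sent-mail comparison: a bounce for a message this mailbox never sent is, by itself, evidence that someone forged the address, regardless of whether the attachment name matches a known worm. The indicator lists only decide how aggressively to act on it.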
