Hi folks,
You may have received some strange virus notifications
recently, maybe from me or from other HTTrack
contributors, or you may have been warned by users
that you were infected and sending viruses.
A new virus is currently spreading over the internet,
and is replicating using infected attachments. The
virus is able to forge email headers so that the mail
*appears* to come from any address (which is NOT the
real sender address).
The typical behaviour of this virus:
- once installed on a victim's PC, it scans the
Internet Explorer cache and various other sources
(documents, news, address book entries) and gets three
pieces of information: a victim email address, which
will be used for replication, a "sender" address, which
will be used to falsify the infected email, and a
subject, generally a piece of a sentence cut from a web
page (generally the same one where the email addresses
were found)
The propagation method is vicious, as the "visible"
sender is not affected by the infection, and as the
real sender address is hidden.
The only way to detect the source of the virus (and
the infected victim) is to analyse email headers, and
either:
- find a "Return-Path:" header added by the victim's
mail server, which will contain the REAL sender
address (this field is NOT displayed, by default, by
most mail agents - you will have to ask for "full
headers")
- find in the "Received:" fields the originating IP -
but this is much more difficult, especially for
dynamic IPs (you will only be able to notify the
victim's postmaster, who will have to match IP and
timestamp to know who is infected, but this
requires some time and skills, and good will)
Therefore, if you receive virus notifications, or
viruses in attachments that "appear" to come from an
httrack contributor, check the headers to detect
the "real" origin.
I personally receive tens of viruses every day on my
gateway, with forged sender addresses, because my
various email addresses are on the httrack website.
Fortunately, there is no risk with this forum: all
email addresses are encoded so that they don't appear
in "clear text".
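The header check described in the post above, as an added example that is not part of the original message or of HTTrack: a small Python script that reads the full headers of such a forged mail, compares the visible From: address with the Return-Path, and walks the Received: chain to find the originating IP. The sample message is constructed for the example, and every address, host name and IP in it is made up; the set of "trusted" relay hosts passed to last_trusted_hop_ip() is likewise an assumption you would replace with the names of the mail servers you actually control. One caveat worth keeping in mind: Return-Path records the SMTP envelope sender as seen by the receiving server, and a worm driving its own SMTP engine can lie about that too, so the Received: line written by a host you control is the stronger evidence, and Received: lines below it (older hops) can only be verified by the postmaster of the server that wrote them.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real capture): the From: line is forged
# to look like an HTTrack contributor, while Return-Path and the earliest
# Received: line point at the infected machine. All names/IPs are made up.
SAMPLE_RAW = """\
Return-Path: <infected.user@example.net>
Received: from mx.example.org (mx.example.org [203.0.113.10])
    by mail.example.com with ESMTP id abc123
    for <recipient@example.com>; Mon, 22 Sep 2003 10:01:02 +0200
Received: from smtp.example.net (smtp.example.net [198.51.100.5])
    by mx.example.org with ESMTP id def456;
    Mon, 22 Sep 2003 10:00:58 +0200
Received: from dialup-pc (unknown [192.0.2.77])
    by smtp.example.net with SMTP id ghi789;
    Mon, 22 Sep 2003 10:00:40 +0200
From: "HTTrack contributor" <contributor@httrack.example>
To: recipient@example.com
Subject: Approved (Ref: 3394-65467)
Content-Type: text/plain

Your file is attached.
"""

# Bracketed IPv4 literal that a relay writes next to the connecting host.
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# "from <host>" is the claimed sending host; "by <host>" is the relay that
# actually wrote this Received: line (the only part of it that host vouches for).
_FROM_RE = re.compile(r"from\s+(\S+)")
_BY_RE = re.compile(r"\bby\s+(\S+)")


def real_sender(raw):
    """Return (visible From: address, Return-Path envelope address)."""
    msg = message_from_string(raw)
    visible = parseaddr(msg.get("From", ""))[1]
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    return visible, envelope


def received_chain(raw):
    """Received: lines in delivery order, earliest hop first.

    Each relay prepends its own line, so the header as read top-down runs
    from the last hop to the first; reverse it to get the chronological order.
    """
    msg = message_from_string(raw)
    return list(reversed(msg.get_all("Received", [])))


def originating_ip(raw):
    """IP claimed in the earliest Received: line (the first relay's view of
    the sender). Unverified: any hop can have been forged by the sender."""
    chain = received_chain(raw)
    if not chain:
        return None
    m = _IP_RE.search(chain[0])
    return m.group(1) if m else None


def last_trusted_hop_ip(raw, trusted_hosts):
    """Walk Received: lines newest-first and return the furthest IP we can vouch for.

    A line is reliable only if the host after "by" is one we control. While
    that holds, the bracketed IP is authentic; once the claimed "from" host
    is no longer one of ours, that IP is the last thing we can prove, and
    anything older must be checked by that host's own postmaster.
    """
    msg = message_from_string(raw)
    for line in msg.get_all("Received", []):
        by, frm, ip = _BY_RE.search(line), _FROM_RE.match(line), _IP_RE.search(line)
        if not (by and frm and ip):
            return None          # malformed line: stop rather than guess
        if by.group(1) not in trusted_hosts:
            return None          # written by a host we do not control
        if frm.group(1) not in trusted_hosts:
            return ip.group(1)   # first hop outside our servers
    return None


if __name__ == "__main__":
    visible, envelope = real_sender(SAMPLE_RAW)
    print("visible From:      ", visible)
    print("Return-Path:       ", envelope)
    print("claimed origin IP: ", originating_ip(SAMPLE_RAW))
    # Assumed: the recipient only controls mail.example.com.
    print("verifiable hop IP: ", last_trusted_hop_ip(SAMPLE_RAW, {"mail.example.com"}))
```

Run against the sample, the visible From: and the Return-Path disagree, which is the forgery the post describes; the earliest Received: line names 192.0.2.77, but if you only control mail.example.com the furthest hop you can actually prove is 203.0.113.10 (the relay that handed the mail to you), and it is that relay's postmaster who has to match 192.0.2.77 against their logs and timestamp.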