RE: Swen Really Sucks

["Schmehl, Paul L" <pauls () utdallas edu>]

> -----Original Message-----
> From: Nick FitzGerald [mailto:nick () virus-l demon co uk] 
> Sent: Thursday, September 25, 2003 5:05 PM
> To: full-disclosure () lists netsys com
> Subject: RE: [Full-disclosure] Swen Really Sucks
>
> Swen has code to locate the "Default Mail Account" under the Internet 
> Account Manager registry key then to extract the "SMTP Email Address" 
> value appropriately.  This is then stored in a variable in the virus 
> that is later used for the argument to the "MAIL FROM:" SMTP command 
> while sending Email.  (It is possible that some other part of 
> the Swen 
> code I have not closely analysed surreptitiously changes the contents 
> of this variable in some circumstances, but there is no obvious code 
> that also alters the contents of the buffer used to hold the string 
> pulled from the registry location just described...)
>
> This is all based on disassembly and is corroborated by reports from 
> other researchers who have watched it under debuggers, emulation, etc.

If it's as poorly written as most malware is, it most likely screws this
up as well.  All I can tell you is that I get tens of bounces on my
personal home email account daily, and I can assure you that I am not
infected.  I'll take a look tonight (because I'm sure there will be at
least 50 or 60 virus mails and bounces in my deleted items folder) and
see what's in the headers.

You can disassemble and run simulations til you're blue in the face, but
things don't work perfectly in the real world, as I *know* you know.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html