Badtrans Virus - False Sender Details

Jun 28, 2001
Can the Badtrans virus change the "Email Sender" setting so as to say that someone else has sent the virus rather than the real sender?

If you were the "Email Sender", someone would ring you up telling you that you have just sent them a virus. Their anti-virus software is working properly and they have probably received the virus. But because the "Email Sender" field has been faked/forged, they are being told that you sent it to them.

You may send and receive a lot of emails to & from this person/company.

It is quite possible that both the Real Sender and the person named in the "Email Sender" field are not acting maliciously. The real sender's computer is probably infected with the virus, but they are not deliberately sending a virus. The "Email Sender" may be completely innocent.

Does this happen with any other viruses?
If you are named as the "Email Sender", what do you do to prove you did not send them it?
 
I thought I had this problem one time. Someone in my office received the Love Bug virus from my email address at home. I scanned my CPU @ home to check for any viruses and came up clean. I checked the email headers on the actual email to find out what IP address this email came from, and it gave me a Time Warner Roadrunner IP address. (You could tell by the 123.12.22.112 santx.rr.com I saw in the email headers.) I didn't use Roadrunner for my email account and therefore knew the email wasn't coming from me. I then remembered that I had sold my old CPU to someone and that I had left my Outlook email profile on that computer. When the computer sent email it made it seem like it was coming from my email address and name, but it was being sent through Roadrunner's network. Pain in the butt I tell ya!! So check the email headers on the infected email. As far as I know there is no way that a virus can change the email sender on its own. (YET AT LEAST!) So be sure you aren't having a similar problem. Also see the thread I posted called LOVEBUG VIRUS NEED EXPERT HELP; it's in this forum.

Acquisitive - 1. Characterized by a strong desire to gain and possess. 2. Tending to acquire and retain ideas or information :)
 
AcquisitiveOne, you are incorrect about a virus being incapable of masking the sender address. Badtrans does indeed have this capability!

These are from NAI:

Badtrans.b details:


This mass mailing worm attempts to send itself using Microsoft Outlook by replying to unread and read email messages. It also mails itself to email addresses found within files that exist on your system. It drops a keylogging trojan (detected as PWS-Hooker with the 4173 DATs, or greater) into the SYSTEM directory as KDLL.DLL. This trojan logs keystrokes for the purpose of stealing personal information (such as credit card and bank account numbers and passwords). This information is later emailed to the virus author(s).

When run, this variant copies itself to the WINDOWS SYSTEM directory as KERNEL32.EXE and creates a registry run key to load itself at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kernel32.exe

This variant replies to incoming email messages and sends itself to email addresses found in "*.asp" and "*.ht*" files. The sender address used by the virus when emailing itself to others may be chosen from the following list:
" Anna" <aizzo@home.com>
"JUDY" <JUJUB271@AOL.COM>
"Rita Tulliani" <powerpuff@videotron.ca>
"Tina" <tina0828@yahoo.com>
"Kelly Andersen" <Gravity49@aol.com>
"Andy" <andy@hweb-media.com>
"Linda" <lgonzal@hotmail.com>
"Mon S" <spiderroll@hotmail.com>
"Joanna" <joanna@mail.utexas.edu>
"JESSICA BENAVIDES" <jessica@aol.com>
" Administrator" <administrator@border.net>
" Admin" <admin@gte.net>
"Support" <support@cyberramp.net>
"Monika Prado" <monika@telia.com>
"Mary L. Adams" <mary@c-com.net>

Additionally, the virus prepends the return address used with an "_" (underscore). Thus replying to an infected message will fail to reach the intended recipient.

And Magistr.a:

An additional item of note is that this worm often alters the REPLY-TO email address when mailing itself to others. In a similar fashion to the other name changes made by this virus, one letter of the address is incremented or decremented. Thus when attempting to contact the infected user to alert them, the message is often returned due to this address modification.


Chris.
 
I know viruses can change the sender address to a generic predetermined email address. But what this guy is saying is that a virus is being sent to a person and the virus is using his email address as the sender's address, even though he believes that it is not his computer sending the virus-infected email. I know viruses can scan items for email addresses to send infected email messages to (the TO: line), but I have yet to see a virus which scans for email addresses so that it can replace the sender's (the FROM: line) email address. I believe Badtrans, like you said, can only use predetermined sender addresses and not change them on the fly based on email addresses it scanned and found on the infected computer. Please correct me if I am wrong! I don't know everything!

Acquisitive - 1. Characterized by a strong desire to gain and possess. 2. Tending to acquire and retain ideas or information :)
 
Thanks for all your contributions.
I think I am getting somewhere with this one.

I found a bit more on this. The following is an extract from:
"When you receive an email containing a virus, probably you will want to inform the sender of the virus-email that his or her PC is infected. However, both Nimda and BadTrans MAY manipulate email header lines in such a way that the message only seems to originate from the person in the From: field"

I still am unclear how the virus changes the "email sender" field.

I do know there is a bit of email traffic between the two addresses. Address books may be involved on both ends.

What I want to find out is how high the possibility is that the "Email Sender" field (the person in my company being blamed for sending the virus) and the Real Sender (the person who is innocently, ignorantly or deliberately sending the virus) are different people. I also want to find out if it has happened in this case.
So far I believe it to be possible.

I will try and look at the email header.
I will let you know how I get on.
 
If you open the email source header (how you do this depends on the email client) and look right at the top, there should be a Received line with a whole bunch of stuff after it relating to the email server it came from. If that is either not there, or is different from the normal server, then there is a good chance it has been tampered with. There may also be an IP address you can check. It is the From field in this source header that gets changed. BTW, if it does look normal, this doesn't necessarily prove anything.
 
Paulwood

Thanks for the info.

How do you go about opening the email header?
I presume this has to be done by the receiver.

Your last sentence (BTW if it does look normal, this doesn't necessarily prove anything) is worrying but I think I'll have to get used to this sort of thing.

Regards

Donalmcloughlin
 
Yes, the receiver would have to do this. In Outlook Express, highlight the email then go to File > Properties > Details. In Outlook you have to open the email and go to View > Options. Don't know about other clients, sorry.
My point about things looking normal just means that it depends on what lengths the virus/spoofer has gone to to cover up the original sender, i.e. whether they have spoofed more than just the From field.
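The header check Paulwood describes in the two posts above, as an added example that is not part of the thread and not NAI's code: it walks the Received chain of a raw message bottom-up to find the first hop (the only origin evidence the From line cannot forge), and flags the Reply-To tricks the NAI write-ups describe. The message is constructed, the corp.example domain is invented, and TRUSTED_RELAYS is a hypothetical allowlist of the hosts that domain's mail really leaves through.

```python
"""Walk the Received: chain of a raw message to see where it really entered
the mail system, then flag the sender-header tricks discussed in the thread.

Added example, not code from the Tek-Tips thread or from NAI. RAW_MESSAGE is
constructed, and TRUSTED_RELAYS is a hypothetical allowlist of the hosts that
corp.example's mail actually leaves through."""

import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample. From: claims a corp.example user, but the earliest hop
# shows the message was injected from a dial-up address on another ISP, and
# Reply-To carries the "_" prefix NAI describes for Badtrans.B.
RAW_MESSAGE = b"""Received: from relay.otherisp.example (relay.otherisp.example [198.51.100.7])
\tby mx.recipient.example (Postfix) with ESMTP id 1F3C2A
\tfor <victim@recipient.example>; Thu, 28 Jun 2001 10:15:02 +0100
Received: from home-pc (dialup-45.isp.example [203.0.113.45])
\tby relay.otherisp.example (8.11.3/8.11.3) with SMTP id f5S9E4x12345
\tfor <victim@recipient.example>; Thu, 28 Jun 2001 10:14:59 +0100
From: "Donal McLoughlin" <donal@corp.example>
Reply-To: "Donal McLoughlin" <_donal@corp.example>
To: victim@recipient.example
Subject: Re: your report
Message-ID: <20010628.1@home-pc>

see attachment
"""

# Hypothetical: domain -> the relays that legitimately hand off its mail.
TRUSTED_RELAYS = {"corp.example": {"mail.corp.example", "mail2.corp.example"}}

_FROM_HOST = re.compile(r"^from\s+(\S+)")
_IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_BY_HOST = re.compile(r"\bby\s+(\S+)")


def parse_received(raw):
    """Return the hops earliest-first.

    Every MTA prepends its own Received: line, so the bottom-most header is
    the first hop; reversing the header order gives transit order."""
    msg = message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())  # unfold continuation lines
        m_from = _FROM_HOST.search(line)
        m_ip = _IP_IN_BRACKETS.search(line)
        m_by = _BY_HOST.search(line)
        hops.append({
            "helo": m_from.group(1) if m_from else None,  # chosen by the sender
            "ip": m_ip.group(1) if m_ip else None,        # recorded by the receiving MTA
            "by": m_by.group(1) if m_by else None,        # the MTA that wrote this line
        })
    hops.reverse()
    return hops


def originating_hop(raw):
    """The earliest hop: its IP was written by the first server to accept the
    message, which is the only origin evidence the From: line cannot forge."""
    hops = parse_received(raw)
    return hops[0] if hops else None


def header_anomalies(raw, trusted_relays=TRUSTED_RELAYS):
    """Flag a From: domain whose relays never handled the message, and the
    Reply-To mangling (underscore prefix, mismatch) seen with Badtrans.B."""
    msg = message_from_bytes(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    hops = parse_received(raw)
    findings = []

    # Only the "by" host is trustworthy: the HELO name is attacker-supplied.
    relays_seen = {hop["by"].lower() for hop in hops if hop["by"]}
    expected = trusted_relays.get(from_domain)
    if expected is not None and not (relays_seen & expected):
        first_ip = hops[0]["ip"] if hops else "unknown"
        findings.append(f"no {from_domain} relay in Received chain; "
                        f"first hop was {first_ip}")
    if reply_addr and reply_addr != from_addr:
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    if reply_addr.split("@")[0].startswith("_"):
        findings.append("Reply-To local part starts with '_' (Badtrans.B pattern)")
    return findings


if __name__ == "__main__":
    for hop in parse_received(RAW_MESSAGE):
        print(hop)
    for finding in header_anomalies(RAW_MESSAGE):
        print("!", finding)
```

The check only trusts the "by" host and the bracketed IP, because both are written by the receiving server; the HELO name after "from" and the whole From/Reply-To block are supplied by whoever connected, which is why a normal-looking From line proves nothing. A first hop on a dial-up range with no corp.example relay anywhere in the chain is exactly the Roadrunner situation AcquisitiveOne describes above.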
 