
Really SMART worms???

Status
Not open for further replies.

iowapc

Vendor
Apr 27, 2004
3
US
Hi all,

There may be no definitive answer to this question, but even educated speculation will be welcome.

I just received an infected message (I suspect Netsky, but I can't say for sure--let alone which variety--since it was cleaned by my ISP's AV before I received it).

The message was addressed to my iowajazz@beethoven.com address.
Subject: Hello
Message: Here is the file
Attachment: details.vbs

... all pretty much standard so far, right?

But get THIS:
From: jazzman261@mchsi.com

Coincidence?

Or is Netsky smart enough to figure out I might open a message from jazzman261 (even tho I don't know who that is)???

My question: Was my iowajazz@beethoven address paired with jazzman261's address at random, or did Netsky spot "jazz" in both addresses and say 'Aha! Let's pair these two!'?

Are worms getting that smart?

IA
 
Howdy:

They are getting smarter mainly thanks to email spoofing..

Odds are even jazzman261 isn't infected but someone that has both you and jazzman in their contacts folder.. The new virii pick an address from this folder at random, use it in the "from" box and then send itself out to everyone else in the infected system's address book.

Now, when your av program picks up the email and locks it out due to the virii, the "From" box has the spoofed email address NOT the address of the infected system.

Murray
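Murray's point about the "From" box carries over to reading the headers yourself: the From: line is whatever the sending software chose to put there, whereas each relay that handles the message prepends a Received: line recording the IP address it actually accepted the connection from. The following Python is an added example, not code from this thread; it parses a constructed message shaped like the one iowapc describes (made-up relay names, documentation-range IPs, no real payload) and pulls out the originating IP, the claimed From domain, and any attachment with an extension that Windows would execute.

```python
import email
import re
from email import policy

# Constructed sample (not a real capture). The From: line names a harvested
# address, while the Received: chain, added by the relays, records the host
# that actually connected. Header order is newest hop first.
RAW_MESSAGE = """\
Received: from mail.example-isp.net (mail.example-isp.net [192.0.2.10])
\tby mx.beethoven.com with ESMTP id abc123; Tue, 27 Apr 2004 09:12:01 -0500
Received: from mchsi.com ([198.51.100.77])
\tby mail.example-isp.net with SMTP id xyz789; Tue, 27 Apr 2004 09:11:58 -0500
From: jazzman261@mchsi.com
To: iowajazz@beethoven.com
Subject: Hello
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Here is the file
--B
Content-Type: application/octet-stream; name="details.vbs"
Content-Disposition: attachment; filename="details.vbs"

(payload omitted)
--B--
"""

# Dotted-quad inside square brackets, the form relays use for the peer IP.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Extensions the 2004-era mass mailers favoured; adjust to taste.
RISKY_SUFFIXES = (".vbs", ".exe", ".scr", ".pif", ".bat", ".com")


def parse_message(raw):
    """Parse a raw RFC 822 message into an EmailMessage object."""
    return email.message_from_string(raw, policy=policy.default)


def originating_ip(msg):
    """IP recorded in the earliest (bottom-most) Received: header, i.e. the
    peer the first relay saw. Returns None if no header carries an IP."""
    for hop in reversed(msg.get_all("Received") or []):
        match = RECEIVED_IP.search(hop)
        if match:
            return match.group(1)
    return None


def from_domain(msg):
    """Domain part of the (untrusted) From: header, lower-cased."""
    return str(msg["From"]).rsplit("@", 1)[-1].strip().lower()


def risky_attachments(msg, suffixes=RISKY_SUFFIXES):
    """Filenames of attachments whose extension is in the risky list."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(suffixes):
            names.append(name)
    return names


def triage(raw):
    """Summarise the evidence a responder cares about: claimed sender domain,
    the IP that really connected, hop count, and executable attachments."""
    msg = parse_message(raw)
    return {
        "from_domain": from_domain(msg),
        "origin_ip": originating_ip(msg),
        "hops": len(msg.get_all("Received") or []),
        "risky_attachments": risky_attachments(msg),
    }


if __name__ == "__main__":
    print(triage(RAW_MESSAGE))
```

One caveat on the design: the bottom-most Received: line is only as trustworthy as the relay that wrote it. A sender can prepend fabricated Received: lines of its own, so in practice you walk the chain downward from the hop your own mail server added and stop trusting it at the first hop you do not control; in the constructed message that is the `[198.51.100.77]` entry written by the ISP relay, while the "mchsi.com" HELO name beside it was supplied by the connecting machine and proves nothing.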
 
Thanks, SESaskDFC.

I am fully aware that the infected message almost certainly came, not from jazzman261, but from an infected system whose address book contains both his and my e-addresses. That is pretty much standard MO for worms these days.

But what intrigues me is the question of whether Netsky grabbed our addresses at random, or whether they were 'intelligently' paired because they both contained "jazz". It seems almost beyond coincidence that Netsky would put iowajazz in the "To" field and jazzman261 in the "From" field.

Anyone else have similar experiences? Any thoughts will be most welcome.

IA
 
It just didn't send to yours, it uses its own SMTP engine to send itself to all the email addresses that it finds.

Everyone got it, not just those with "jazz" in their name !!

Murray
 
Many of the recent worms/trojans read your contacts and use that information to spoof the from address.

 
Thanks again, SESaskDFC.

I realize that everyone in the infected system's address book received an infected message courtesy of Netsky's SMTP engine.

My point is that, since Netsky spoofs the return address, it could have used ANY of the addresses it found in the infected system's address book to forge a return address -- it could have said it came from johnjacobjingleheimershmidt@msn.com.

What I'm pondering is this: Of all the addresses available to use as a spoofed return address, is it a coincidence that--to send to iowajazz--it picked jazzman to use as a From address?

IA
 
Just the luck of the draw.. As you said, it could have used johnjacobjingleheimershmidt@msn.com and sent it to a jacobjohnjingleheimershmidt@msn.com

Doesn't mean a thing..

Murray
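Whether "luck of the draw" is a satisfying answer depends on how often the draw produces a match, and that can be put to numbers. The Python below is an added example, not code from this thread, that models the behaviour Murray describes (one message to every address in a harvested book, each with a From: drawn uniformly at random from the same book) and measures how often the forged sender and the recipient happen to share a run of four or more letters, as iowajazz and jazzman261 do. The address book is constructed and the addresses are fictitious; the random-pick model is the one the replies describe, not a verified description of any particular Netsky variant.

```python
import random

# Constructed address book (fictitious addresses). Hobby handles tend to
# repeat the same word, so four of the twelve contain "jazz".
ADDRESS_BOOK = [
    "iowajazz@example.com", "jazzman261@example.net", "bluesfan@example.org",
    "johnjacob@example.com", "kansasjazz@example.net", "guitarhero@example.org",
    "trumpet99@example.com", "saxplayer@example.net", "drummer@example.org",
    "jazzcat@example.com", "pianoman@example.net", "singer@example.org",
]


def local_part(addr):
    """Everything before the '@', lower-cased."""
    return addr.split("@", 1)[0].lower()


def shared_substring(a, b, n=4):
    """True if the local parts of a and b share any run of n or more characters."""
    la, lb = local_part(a), local_part(b)
    return any(la[i:i + n] in lb for i in range(len(la) - n + 1))


def spoofed_mailing(book, rng):
    """One round of the behaviour the thread describes: every address gets a
    message whose From: is a random other address from the same book."""
    pairs = []
    for to in book:
        sender = rng.choice([a for a in book if a != to])
        pairs.append((sender, to))
    return pairs


def simulate(book, trials=2000, seed=1):
    """Average number of (From, To) pairs per mailing that look 'paired'."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        hits += sum(shared_substring(s, t) for s, t in spoofed_mailing(book, rng))
    return hits / trials


def expected_matches(book, n=4):
    """Exact expectation behind simulate(): for each recipient, the fraction of
    the other addresses that share a run with it, summed over recipients."""
    total = 0.0
    for to in book:
        others = [a for a in book if a != to]
        total += sum(shared_substring(a, to, n) for a in others) / len(others)
    return total


def prob_any_match(book, n=4):
    """Exact probability that at least one recipient in a mailing sees a
    forged sender that shares a run with their own address."""
    no_match = 1.0
    for to in book:
        others = [a for a in book if a != to]
        p_to = sum(shared_substring(a, to, n) for a in others) / len(others)
        no_match *= 1.0 - p_to
    return 1.0 - no_match


if __name__ == "__main__":
    print("simulated matches per mailing:", simulate(ADDRESS_BOOK))
    print("exact expectation:", expected_matches(ADDRESS_BOOK))
    print("P(at least one match in a mailing):", prob_any_match(ADDRESS_BOOK))
```

With this book the exact expectation works out to 12/11, roughly one "paired" message per mailing, and the chance that at least one recipient sees such a coincidence is about 72%. Since every recipient is mailed, a coincidence that looks striking from one inbox is close to guaranteed somewhere in the run; the more addresses in the book share a hobby word, the more often it happens.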
 
Interesting, but probably just coincidence. I guess it's possible the virus could look at Outlook's dictionary file and try to match certain parts of email addresses if they have a definable word in them.. not sure if they are that smart yet though
 
Then again, the first letters of iowajazz and jazzman are in alphabetical order...
 