Under attack by worms

face covered with worms


The emails just keep coming. I'm talking here of the kind with an attachment harboring a worm, a nefarious specious of program that hijacks your address book to send itself on to everyone you know.

I suppose I shouldn't complain too much. After all, I haven't received too many of these, and my Norton Anti-Virus program (Symantec) has always detected the intruder and quarantined the offending attachment before it could do harm. Nevertheless, I find these attacks infuriating, partly because some of them are camouflaged as messages from harmless friends.

Take last week. I got one ostensibly from my friend Jim. Suspiciously the "From" that appeared in my intray was not his name but Jim's actual email address at work. Since Norton Anti-Virus had rendered the message harmless by removing the attachment, I took a look at the message. It contained only an image that displayed as "Password - 24877." I understand that it is this image that would have triggered off the worm in the attachment, if it had still been attached.

The internet headers for the message — by which one is supposed to be able to trace the path of a message from sender to recipient — were as follows:

Delivery-date: Mon, 19 Apr 2004 21:45:35 -0700
Received: from [] (helo=russell.org)
	by ns4.atjeu.com with smtp (Exim 4.24)
	id 1BFn8X-0005ml-Dz
	for MY-REAL-EMAIL-ADDRESS; Mon, 19 Apr 2004 21:45:33 -0700
Date: Mon, 19 Apr 2004 21:45:26 -0800
Subject: Incoming message
Message-ID: <nomwuiydwprawvbylbr@williamsonpsp.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-NortonAV-TimeoutProtection: 0

Since there was a lot here that I didn't understand — most of it, to be honest — I went searching for a tutorial on how to read these, and found one I could understand at Visualware.com, along with a tool that automates the interpretation. I quickly learned that the key to tracing the route is to pay attention to all the lines that begin "Received:" and that there may be more than one of them if the message hops around the internet a bit. Next I learned that about the only thing that can't be spoofed in that line is the IP address [nnn.nnn.nnn.nnn], but fake additional "Received" lines can be inserted before a server passes the message on to the next one.

Case in point. This message came from IP address, but that doesn't belong to russell.org, as it identified itself spoofingly, but actually belongs to Verizon. Since there was only one Received in these headers, the IP address had to be real. I fired off a message to abuse@verizon.net and got an automatic "we-received-your-message-but-we-get-so-many-such-messages-that-we-can't-respond-individually-to-them" reply in return. Verizon should be able to figure out who was using that IP address at the time the message was sent.

With my newfound expertise in interpreting internet headers — OK, with my newfound software tool — I thought to look back at other worm-bearing messages I had received and saved. On March 27, I received a flurry of them, and I still had three of them.

Aha! All three arrived within a half-hour period, all three had a variation of the W32.Beagle worm, and all three came from the same address that happens to be a Road Runner subscriber here in the desert. I fired off a detailed message to abuse@rr.com and received the expected "we-received-your-message-but-we-get-so-many-such-messages-that-we-can't-respond-individually-to-them" reply in return. Again, Road Runner should be able to figure out who was using that IP address when the messages were sent. I'm a Road Runner user, and my IP address hasn't changed in the six months I've been tracking it.

From Subject Received
staff@williamsonpsp.com Email account utilization warning. Sat 3/27/2004 10:36 AM
Comment: C'mon now, I'm not going to fall for this. I am the staff!
REAL-ADDRESS@yahoo.com Re: Thank you! Sat 3/27/2004 11:35 AM
Comment: REAL-ADDRESS is a friend of mine, but who had no reason to thank me at that time and who would have even less reason to thank me if I didn't delete his real email address from the page.
noreply@williamsonpsp.com Notify about your e-mail account utilization. Sat 3/27/2004 11:51 AM
Comment: Another bogus address at my own site. And I hate to see poor grammar disseminated so widely.

The worst of it is, the person who sends the infected email may not even be aware of it. That's what makes these worms so insidious — they can hijack your computer without your knowledge. That's why I always keep my virus definitions up to date.

I also automatically move any email from msn.com or hotmail.com into a junk suspects folder, for I have found that those two addresses account for the majority of spam that arrives in my intray. Isn't it ironic that Microsoft, responsible for those two domains, wants to lead a crusade against spam?