Computer Security - more on the mass mailing
#1

WOW! Whoever/whatever is really pounding out those MS looking messages. I got about 200 yesterday, and that many in just a few hours this morning.

Today, I noted a few variants of the purported sender, and the subject topic lines. It's like the sender figured after awhile, with enough people getting those, they would start to put filter rules into place. So, changing those parameters would defeat the filter rules.

What are the mechanics of this thing? What kind of setup does it take to reach out to millions of email addresses with repeat messages with munged originator addresses on them?

Also, the creator of this attack is no amateur. Whoever's behind this one has the ability to make the message presented appear professional. Matter of fact, it is a complex one in that it has options you can choose, reinforcing its realistic look.

RB
#2

"RB" <> wrote in news:bkf7rb$hjh$:

> What are the mechanics of this thing? What kind of setup does it take to
> reach out to millions of email addresses with repeat messages with munged
> originator addresses on them?

Why don't you learn something about viruses before you pop off in a newsgroup like this and show everybody just how ignorant you are?

donut
#3

"RB" <> wrote before:

>What are the mechanics of this thing? What kind of setup does it take to
>reach out to millions of email addresses with repeat messages with munged
>originator addresses on them?

It's rather simple:

http://www.trendmicro.com/vinfo/viru...SWEN.A&VSect=T

The worm just scans files on the infected system which may contain e-mail addresses and also your browser's cache (since nearly every web document nowadays contains at least one valid address). That way it gathers some 200 to 300 addresses on one system. Also it propagates through your LAN using network shares and through mIRC. And it scans some 150 or so news servers for e-mail addresses (we seem to have figured out that it ignores addresses containing the string "spam").

Well, now it has some 500 addresses or so to send a copy of itself to. Let's just calculate:

|1System->500Mails->(500x500)25,000Mails->(25,000x500)1,250,000Mails

Well, let's say it only gathers 200 addresses and is only able to infect 25% of the addressed systems:

|1System->200Mails->(50x200)10,000Mails->(2,500x200)50,000Mails

Previous worms only scanned the address books and/or brought their own (static/dynamic) database. If we do assume that only 25% get infected, that's rather ineffective.

Address books:

|1System->10Mails->(2x10)20Mails->(5x10)50Mails

Static DB of 300 addresses:

|1System->300Mails->(75x300)22,500Mails->(75x300)22,500Mails
/ /

From that point on the number of hosts spreading the worm is decreasing, since the users will notice the infection and remove it, while the still uninfected hosts stay protected. No new addresses are added to the static DB and no new hosts will be infected.

That's why the programmers of worms always used a combination of address book scans and a dynamic DB, but it kept being ineffective due to the small number of addresses gathered on each infected system.

regards
André

André Franke
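The growth argument in post #3 can be written as a small generation model; this is an added example, not code from the thread or from any poster. The function name `spread`, its parameters, the rule that each newly infected host mails once, and the assumption that harvested addresses never overlap (an upper bound) are all assumptions of the example.

```python
def spread(addresses_per_host, infect_rate, generations, reachable=None):
    """Return one (mails_sent, new_infections) pair per generation.

    addresses_per_host: addresses each infected host mails a copy to
    infect_rate:        fraction of fresh recipients that become infected
    reachable:          number of distinct addresses that can ever be hit.
                        None = every harvested address is new (upper bound).
                        For a static list carried inside the worm this is
                        the list size, because every copy mails the same
                        addresses.
    """
    rows = []
    senders = 1    # hosts infected in the previous generation
    reached = 0    # distinct addresses already mailed
    for _ in range(generations):
        mails = senders * addresses_per_host
        if reachable is None:
            fresh = mails
        else:
            # Only addresses not mailed before can yield a new infection.
            fresh = min(mails, reachable - reached)
        reached += fresh
        new = int(fresh * infect_rate)
        rows.append((mails, new))
        senders = new
    return rows


if __name__ == "__main__":
    # Inputs are the figures used in the post: 25% infection rate, and
    # 10 / 300 / 200 addresses per host for the three cases.
    cases = {
        "address book (10)":       spread(10, 0.25, 3),
        "static list (300)":       spread(300, 0.25, 3, reachable=300),
        "harvested on host (200)": spread(200, 0.25, 3),
    }
    for name, rows in cases.items():
        print(name)
        for gen, (mails, new) in enumerate(rows):
            print(f"  gen {gen}: {mails:>9,} mails, {new:>7,} new infections")
```

The static-list case stops producing new infections after the first generation even though mail volume spikes once more, which is why mail volume alone is a poor indicator of how far an outbreak has actually spread.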