A note to virus authors

Eric Murray ericm at lne.com
Fri Dec 7 09:58:36 PST 2001


On Fri, Dec 07, 2001 at 02:09:31PM +0000, Will Morton wrote:
> 
> 	I always thought that the best strategy would be to look through all
> mail folders, find the last email received from the target, and use the
> subject from that, adding 'Re: ' at the start. Delete the body of the
> mail and replace it with one of several variations along the lines of 'I
> thought this might be helpful: <Insert macro-trojaned .doc> Just click
> 'OK' when the dialog box pops up.'
> 
> 	That would get most PHBs I know...

One of the recent worms did exactly this.  I can't remember which one,
but it also set the From_ line to _victim at host.com, i.e.  it added a
leading '_' character.  I'm still getting them (but on Linux
they don't do anything).

This is the same worm that installed a keyboard sniffer.  The
log was emailed to an account somewhere and of course that account
was quickly shut down.

The worm author should have encrypted the logs and posted
them to alt.anonymous.messages or some other newsfroup instead.
That would have been truly dangerous, especially if the worm
was stealthy.


> 	I'm not a VB programmer, but I assume that sort of functionality is
> available from the Outlook COM object (or ActiveX object, or .NET Web
> Service, or whatever the hell it's called now :>)

It's properly called the Email Worm Author's Toolkit.

Eric




