This is something that I recently addressed on the Online Exchange.
This worm has the ability to spoof, or forge, the 'From:' field (often set to an address found on the victim's machine). Additionally, the virus can use a fabricated from address by taking the name before the "@" sign of one address and the domain name after the "@" sign of another address (i.e. name1@domain1.com + name2@domain2.com = name1@domain2.com). I received several of this particular "digest" message and the from address was different every time. One was addressed hitchhikers@verizon.net. In the "Hitsman" message you may not have noticed that only the "user" portion of the e-mail address was his, the domain portion being something totally different.
Because of this, the only thing you can determine about the origin of the email is the originating SMTP server from the headers of the email. With the Online Exchange I am sometimes able to narrow down who might be infected. This, I am hoping, is so with this particular message because the subject means that it is someone that is or was subscribed to the Online Exchange. I have sent a message to the person that I think it may be.
This virus affects systems running the Windows operating system. It does not affect MacOS or Linux environments. It spreads via network shares and by emailing itself. It also contains a back door trojan component that contains key logging functionality.
This worm emails itself to addresses found on the local system. And the addresses it uses do not just have to be in the address book. They can come from any stored file on the system. The virus code contains email subject strings and attachment names. However, the majority of samples received contain information not present in the virus, suggesting that there is a higher probability of the virus using words and filenames contained on the infected system.
For those on the Online Exchange, no attachment is ever sent by the list. And any attachment sent to the list is stripped or rejected completely.
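The post's point that the From: line is worthless and only the Received: chain tells you which SMTP server handed the message in can be checked mechanically. The following is an added example (not code from the original post or from any list software); the message text, host names, addresses and IPs in it are constructed for illustration, with a From: spliced together from two addresses the way the post describes. It reads the Received: headers with Python's standard email module, normalizes their folded whitespace, and reports the earliest hop, which is the relay that first accepted the message, alongside the forged From:.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not from the original post). The From: value
# uses the user part of one address and the domain of another, while the
# Received: chain records the relays that actually handled the message.
SAMPLE = """Received: from mx.list.example.net (mx.list.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123
\tfor <member@example.org>; Mon, 1 Jan 2001 10:00:00 -0000
Received: from dsl-host.isp.example ([198.51.100.77])
\tby mx.list.example.net with SMTP id xyz789;
\tMon, 1 Jan 2001 09:59:58 -0000
From: name1@domain2.com
To: list@list.example.net
Subject: digest
Message-ID: <constructed-id@example.net>

(message body omitted)
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_CLAUSE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def header_from(raw):
    """Return the address in the From: line. Untrusted: it is whatever the
    sender (here, the worm) chose to write."""
    msg = email.message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1]


def received_chain(raw):
    """Return the Received: headers, most recent first, with folded
    continuation lines collapsed to single spaces."""
    msg = email.message_from_string(raw)
    return [re.sub(r"\s+", " ", value).strip()
            for value in msg.get_all("Received", [])]


def parse_received(value):
    """Pull the HELO name and the bracketed IP out of one Received: header.
    Either may be absent, so missing pieces come back as None."""
    helo = FROM_CLAUSE.search(value)
    ip = IPV4.search(value)
    return {"helo": helo.group(1) if helo else None,
            "ip": ip.group(1) if ip else None,
            "raw": value}


def originating_relay(raw):
    """Earliest hop in the chain, i.e. the last Received: header, since each
    MTA prepends its own. Only the headers added by servers you trust are
    reliable; anything below the first trusted hop could be forged too."""
    chain = received_chain(raw)
    if not chain:
        return None
    return parse_received(chain[-1])


def analyze(raw):
    """Summarize what the headers do and do not tell you about origin."""
    sender = header_from(raw)
    origin = originating_relay(raw)
    return {
        "from": sender,
        "from_domain": sender.rsplit("@", 1)[-1] if "@" in sender else None,
        "hops": len(received_chain(raw)),
        "origin": origin,
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE)
    print("From: header says     :", summary["from"])
    print("Hops in Received chain:", summary["hops"])
    print("Earliest relay (HELO) :", summary["origin"]["helo"])
    print("Earliest relay IP     :", summary["origin"]["ip"])
```

Run against the sample, the From: domain has nothing to do with the relay that injected the message; the IP in the earliest Received: header is what you would compare against the list's subscriber records when trying to work out who is infected, bearing in mind that the header written by your own mail server is the only one you can fully trust.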