You’re probably getting confusing messages in your inbox. They’re a side-effect of the MyDoom virus, but they’re not directly generated by the virus at all. Instead, they’re “nondelivery” reports advising you that a message from you couldn’t be delivered. Or they’re responses from another computer’s antivirus program warning you that you sent a virus.

Don’t be confused: the original message didn’t really come from your computer.

Here’s an article that explains what happens, and criticizes the antivirus companies for allowing their products to send messages to the wrong people.

For roughly three years, the Internet has seen worms that spread via e-mail, often taking addresses out of the infected machine’s web cache, user addressbook or other sources. Some of these worms will also forge/spoof the “From:” line so the mail appears to be from someone else, in an attempt to make the mail more ‘trusted’. To be clear, here is a sample timeline of how these work:

– EvilGuy 01 writes and releases a new worm.

– Fred is a moron and clicks on an attachment from a stranger, infecting his machine.

– The worm mails a copy of itself to everyone in Fred’s addressbook.

– The mail sent out spoofs the headers of the mail so it may be “From: George” or “From: Sally”.

– Tom gets a copy of the mail “From: Sally” and clicks on the attachment, infecting himself.

– Tom sends mail to Sally complaining about her evil shenanigans.

– Sally replies to Tom with “d00d WTF?! lol” since she never sent the mail.

The concept is very simple, and extremely effective. Anti-Virus companies are well aware of this trait present in many “mm” (Mass Mailing) worms. Reading through their descriptions, they document each worm that spreads itself in this fashion. Looking at one example on the McAfee site:

“W32/Mydoom@MM generates emails with a spoofed From: field, so incoming messages may appear to be from people you know. Furthermore, the subject line and message body are both randomly generated by the worm.”

Each of these Anti-Virus or mail gateway companies tends to configure its products to do the same thing. If a piece of mail comes in with a known virus, trojan, worm or taboo attachment, it will stop the mail from reaching the intended recipient, notify the administrator, and either quarantine or delete the hostile content. Simple and effective. However, each of these companies also has its product mail the person who sent in the hostile content saying “You are infected” in so many words.

While such intentions are noble, think about the reality of what is happening. For over three years, these worms that forge the “From:” address have been sending out millions of mails attempting to propagate themselves. For each of these mails that reach an Anti-Virus product or gateway, they get blocked and replied to, based on that forged “From:” line. Result? Millions more e-mails are sent out to innocent people that never sent the mail in the first place.
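The mis-addressed notices the article complains about can at least be recognised on the receiving end. The script below is an added example, not code from the article, its author or any antivirus vendor: it sorts incoming mail into ordinary messages, genuine non-delivery reports for mail we really sent, and backscatter caused by a worm that forged our address. The test is whether the original headers quoted inside the notice show our own relay or domain; a message that never passed through our servers cannot have been ours. `OUR_DOMAIN`, `OUR_RELAYS`, the host names, IP addresses and the three sample messages are all constructed for this example.

```python
import re
from email import message_from_bytes, policy

# Assumed identity of our own mail system (constructed for this example)
OUR_DOMAIN = "example.org"
OUR_RELAYS = {"mail.example.org", "mx1.example.org"}

# Outer-header clues that a message is an automated NDR or antivirus notice
AUTOMATED_SENDERS = ("mailer-daemon", "postmaster", "antivirus", "virus-scanner")
NOTIFICATION_SUBJECT = re.compile(
    r"undeliver|delivery (status|failure)|returned mail|virus|infected",
    re.IGNORECASE,
)

# Original headers that NDRs and AV notices echo back to the supposed sender.
# They are sometimes quoted with "> " prefixes, hence the [>\s]* allowance.
QUOTED_MSGID = re.compile(r"^[>\s]*Message-ID:\s*<[^@>]*@([^>\s]+)>",
                          re.IGNORECASE | re.MULTILINE)
QUOTED_RECEIVED = re.compile(r"^[>\s]*Received:\s*from\s+(\S+)",
                             re.IGNORECASE | re.MULTILINE)


def is_notification(msg) -> bool:
    """True if the outer message looks like an NDR or antivirus warning."""
    if msg.get_content_type() == "multipart/report":  # RFC 3462 delivery reports
        return True
    sender = str(msg.get("From", "")).lower()
    if any(name in sender for name in AUTOMATED_SENDERS):
        return True
    return NOTIFICATION_SUBJECT.search(str(msg.get("Subject", ""))) is not None


def in_our_domain(host: str) -> bool:
    host = host.lower()
    return host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)


def quoted_original_is_ours(quoted: str) -> bool:
    """Did the message being complained about actually pass through our servers?"""
    msgid_ok = any(in_our_domain(d) for d in QUOTED_MSGID.findall(quoted))
    relay_ok = any(h.lower() in OUR_RELAYS for h in QUOTED_RECEIVED.findall(quoted))
    return msgid_ok or relay_ok


def classify(raw: bytes) -> str:
    """Return 'ordinary-mail', 'genuine-notification' or 'backscatter'."""
    msg = message_from_bytes(raw, policy=policy.default)
    if not is_notification(msg):
        return "ordinary-mail"
    # Only the notice body (after the first blank line) is searched, so the
    # notice's own outer headers can never satisfy the "ours" check.
    parts = re.split(r"\r?\n\r?\n", raw.decode("latin-1"), maxsplit=1)
    body = parts[1] if len(parts) > 1 else ""
    return "genuine-notification" if quoted_original_is_ours(body) else "backscatter"


# Constructed sample messages (not real mail); hosts, IDs and addresses are made up.
GENUINE_BOUNCE = b"""From: Mail Delivery System <MAILER-DAEMON@mx.other.example>
To: alice@example.org
Subject: Undelivered Mail Returned to Sender

The recipient bob@other.example does not exist.

------ This is a copy of the message headers ------
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx.other.example with ESMTP
From: alice@example.org
To: bob@other.example
Message-ID: <20040128.1234@mail.example.org>
Subject: lunch?
"""

BACKSCATTER = b"""From: Virus Scanner <antivirus@gateway.corp.example>
To: alice@example.org
Subject: VIRUS ALERT: you sent an infected message

Our scanner found W32/Mydoom@MM in a message sent from your address.

Original headers:
Received: from pc-fred.dialup.isp.example (pc-fred.dialup.isp.example [198.51.100.77])
    by gateway.corp.example with SMTP
From: alice@example.org
To: tom@corp.example
Message-ID: <hjk3j4h5@pc-fred.dialup.isp.example>
Subject: hi
"""

ORDINARY = b"""From: bob@other.example
To: alice@example.org
Subject: Re: lunch?

Sure, noon works.
"""

if __name__ == "__main__":
    for name, sample in [("ordinary", ORDINARY),
                         ("genuine bounce", GENUINE_BOUNCE),
                         ("AV notice", BACKSCATTER)]:
        print(f"{name}: {classify(sample)}")
```

Of the two signals, the Received line is the one to trust: it is written by the gateway that accepted the connection and records which host really delivered the worm, whereas a Message-ID is chosen by the sender and a worm could just as easily forge one in our domain. The article's point stands either way: the proper fix is for the gateway not to notify the forged sender at all, and this script only helps the people on the receiving end of that mistake sort their inbox.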
