FYI: Avert Labs Dat Release Notification: 4915 Emergency Dat Files Release

Art

The 4915 dat files have been released early as a precaution for
Exploit-MSWord.b,
http://vil.mcafeesecurity.com/vil/content/v_141056.htm

The various 4915 dat file packages can be found at
http://www.mcafee.com/apps/downloads/security_updates/dat.asp

Best Regards,

McAfee Avert Labs - Come visit our Blog -
http://www.avertlabs.com/research/blog/

David, this is old news now but I happened to visit F-Secure's
blog the other day where I noticed their discussion of a
an unpatched vulnerability in many MS Office apps which this
McAfee update may be related to:
http://www.f-secure.com/weblog/
I just checked, and the discussion and warning is still there
for anyone interested.

The real reason I post though is on a different subject.
Twice now in the past few days I've been bombarded
with emails from McAfee Avert Labs concerning malware
sample submissions that I haven't made :) How does this
happen, I wonder? They all look legit and "real" to me.
How is it that a "confusion of sender" situation arises
when someone submits samples? At least that's all I
can make out of it ... that someone is sending samples
and the responses from Avert are sent to me.

Is this a situation where a person infested with some
"confusion of sender" worm or other malware on his
machine is submitting samples? Anyone else ever seen
this particular kind of mis-mailings (from av vendors?)

Art
http://home.epix.net/~artnpeg
 
David H. Lipman

From: "Art" <[email protected]>

|
| David, this is old news now but I happened to visit F-Secure's
| blog the other day where I noticed their discussion of a
| an unpatched vulnerability in many MS Office apps which this
| McAfee update may be related to:
| http://www.f-secure.com/weblog/
| I just checked, and the discussion and warning is still there
| for anyone interested.
|
| The real reason I post though is on a different subject.
| Twice now in the past few days I've been bombarded
| with emails from McAfee Avert Labs concerning malware
| sample submissions that I haven't made :) How does this
| happen, I wonder? They all look legit and "real" to me.
| How is it that a "confusion of sender" situation arises
| when someone submits samples? At least that's all I
| can make out of it ... that someone is sending samples
| and the responses from Avert are sent to me.
|
| Is this a situation where a person infested with some
| "confusion of sender" worm or other malware on his
| machine is submitting samples? Anyone else ever seen
| this particular kind of mis-mailings (from av vendors?)
|
| Art
| http://home.epix.net/~artnpeg

Please send me one of those alleged emails from McAfee with Full Headers and Body.
 
Art

| Please send me one of those alleged emails from McAfee with Full Headers and Body.

I forwarded four that I hadn't yet fully trashed. Let me know if you
receive them, and also if the headers and messages are all intact.
If not, I can probably do copy and paste of them. I use T-bird which
does allow me to view the headers, so I should be able to copy
them somehow if necessary.

Art
http://home.epix.net/~artnpeg
 
David H. Lipman

From: "Art" <[email protected]>

| On Tue, 12 Dec 2006 21:49:30 GMT, "David H. Lipman"
|
| I forwarded four that I hadn't yet fully trashed. Let me know if you
| receive them, and also if the headers and messages are all intact.
| If not, I can probably do copy and paste of them. I use T-bird which
| does allow me to view the headers, so I should be able to copy
| them somehow if necessary.
|
| Art
| http://home.epix.net/~artnpeg

Received and replied to.
 
Ant

Art said:
| The real reason I post though is on a different subject.
| Twice now in the past few days I've been bombarded
| with emails from McAfee Avert Labs concerning malware
| sample submissions that I haven't made :) How does this
| happen, I wonder? They all look legit and "real" to me.
| How is it that a "confusion of sender" situation arises
| when someone submits samples? At least that's all I
| can make out of it ... that someone is sending samples
| and the responses from Avert are sent to me.

Probably a spammer forged your address in the "From", and spammed the
virus submission address.

| Is this a situation where a person infested with some
| "confusion of sender" worm or other malware on his
| machine is submitting samples? Anyone else ever seen
| this particular kind of mis-mailings (from av vendors?)

I get this "backscatter" every day as rejection messages from ISP's,
out of office replies, mailing list confirmations, etc. for mail I
never sent. In my case, it's always a spammer who has forged my
address as the sender. I've not yet had one from an AV company.
 
Art

| Probably a spammer forged your address in the "From", and spammed the
| virus submission address.

I don't get it. What's in it for the spammer?

| I get this "backscatter" every day as rejection messages from ISP's,
| out of office replies, mailing list confirmations, etc. for mail I
| never sent. In my case, it's always a spammer who has forged my
| address as the sender. I've not yet had one from an AV company.

I receive a relatively small amount of misdirected mailings. Of these,
a few seem to be due to my email addy being in an infested
machine. Other misdirected mailings are a mystery to me. Again, I
don't understand why you blame this on spammers. Is there
a type of "spammer" who just plays games for the helluvit with no
financial reward as the purpose? Doesn't make sense to me. What
am I missing?

Art
http://home.epix.net/~artnpeg
 
Ant

Art said:
| I don't get it. What's in it for the spammer?

Spammers don't use their own email address as the sender. They have
a "millions" CD full of addresses scraped from the Internet (or
guessed, using common, or not so common, "names@" combined with known
domains) to be used as spam targets; i.e. the "To" fields. Rather than
invent their own "From" fields, it's easier for them to use the ones
on their list as the bogus senders.

| I receive a relatively small amount of misdirected mailings. Of these,
| a few seem to be due to my email addy being in an infested
| machine.

More likely a spammer or malware distributor is in control of that
machine, and your address is on his list (perhaps scraped from the
address book of the trojaned machine, and used in the spew as the
"From").

| Other misdirected mailings are a mystery to me. Again, I
| don't understand why you blame this on spammers. Is there
| a type of "spammer" who just plays games for the helluvit with no
| financial reward as the purpose? Doesn't make sense to me. What
| am I missing?

It's straightforward and very common. A spammer spams an address (not
yours) for which mail is accepted during the SMTP transaction but
rejected or auto-responded to later, for whatever reason. Your address
has been used as the fake sender, so you get mail.
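
The mechanism described in the last reply (mail accepted during the SMTP transaction, then bounced or auto-answered to a forged sender) can be triaged on the receiving side. The following is an added example, not part of any post in this thread: it flags automated replies that do not reference a Message-ID the mailbox actually sent. The header checks, the `SENT_IDS` store and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

MSGID = re.compile(r"<[^<>\s]+@[^<>\s]+>")
AUTO_SENDERS = {"mailer-daemon", "postmaster"}
SENT_IDS = {"<real-001@example.net>"}  # constructed: IDs this mailbox really sent

def is_automated(msg):
    """Bounces and auto-responses: null return path, Auto-Submitted, daemon sender."""
    if msg.get("Return-Path", "").strip() == "<>":
        return True
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return True
    local = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    return local in AUTO_SENDERS

def referenced_ids(msg):
    """Message-IDs the automated reply claims to be answering."""
    text = " ".join([msg.get("In-Reply-To", ""), msg.get("References", "")])
    if not msg.is_multipart():
        text += " " + msg.get_payload()  # bounces often quote the original headers
    return set(MSGID.findall(text))

def classify(raw, sent_ids=SENT_IDS):
    msg = message_from_string(raw)
    if not is_automated(msg):
        return "normal"
    return "expected" if referenced_ids(msg) & sent_ids else "backscatter"

# Constructed sample messages (not taken from the thread).
VENDOR_AUTOREPLY = (
    "From: samples@av-vendor.example\nTo: user@example.net\n"
    "Auto-Submitted: auto-replied\nIn-Reply-To: <spam-7781@bot.example>\n"
    "Subject: Re: sample submission received\n\nThank you for your submission.\n")
OWN_BOUNCE = (
    "Return-Path: <>\nFrom: MAILER-DAEMON@mx.example.org\nTo: user@example.net\n"
    "Subject: Undelivered Mail Returned to Sender\n\n"
    "Original headers:\nMessage-ID: <real-001@example.net>\n")
PERSONAL = (
    "From: friend@example.org\nTo: user@example.net\n"
    "Subject: lunch?\n\nAre you free on Friday?\n")

if __name__ == "__main__":
    for name, raw in [("vendor auto-reply", VENDOR_AUTOREPLY),
                      ("bounce of own mail", OWN_BOUNCE), ("personal", PERSONAL)]:
        print(f"{name}: {classify(raw)}")
```
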
 
