Virus Question

I have a question regarding email viruses. I know that some viruses can access Outlook Express and use the address book to send copies of itself out. Can viruses also access email addresses contained in other files as well? For example, could a virus pull email addresses contained in MS Word documents which are saved on an infected computer?

There’s no reason they couldn’t - all they really need to do is search for anything with an @ in the middle. But it’s hardly worth the effort - an address book provides enough emails for the virus to proliferate, so there seems little reason the writers would bother having the program search a variety of other files as well.

Some viruses do indeed prowl around your system for any address they can find, in pretty much any file.

The webcache, for example, is an environment rich with e-mail addresses for the virus to forge as the from: address and/or send copies of itself to.

Check out some of the virus descriptions published on sites like Symantec.

The recent Netsky worm has this listed as Technical Detail #9:

These types of viruses can be particularly difficult to deal with, because of the misconception that only the e-mail client address book is searched.

I’ve gone back and forth many times with many virus infected end users who flat out deny that they are virus infected, even though the sample mail (with full headers) clearly matches up with authentication logs, linking their login with the IP used to send the virus at the time the virus was sent.

These end users always tell me that their machine couldn’t possibly have sent the virus infected mail, because none of the e-mail addresses within the headers are in their address book.

My response is always the same: “The logs don’t lie nearly as often as people do. Please humor me (and all of your virus victims) and virus-scan your system.”
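The log correlation described in that post (matching the sending IP and timestamp in the mail's headers against authentication logs to identify the infected login) can be scripted. This is an added example, not from the post or any product; the Received: header, the auth-log line format, and the user names and IP addresses are all constructed.

```python
import re
from datetime import datetime

# Constructed sample: topmost Received: header of a virus-infected mail as
# recorded by the receiving server (IP, hostnames and times are made up).
SAMPLE_HEADER = (
    "Received: from mx.example.org ([203.0.113.45]) by mail.example.net "
    "with SMTP; Tue, 02 Mar 2004 14:32:11 +0000"
)

# Constructed sample: authentication log in a hypothetical
# "<iso-timestamp> user=<name> ip=<addr> event=login|logout" format.
SAMPLE_AUTH_LOG = """\
2004-03-02T13:05:00+00:00 user=alice ip=203.0.113.45 event=login
2004-03-02T13:50:00+00:00 user=alice ip=203.0.113.45 event=logout
2004-03-02T14:10:00+00:00 user=bob ip=203.0.113.45 event=login
2004-03-02T15:00:00+00:00 user=bob ip=203.0.113.45 event=logout
2004-03-02T14:20:00+00:00 user=carol ip=198.51.100.7 event=login
"""

RECEIVED_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\].*;\s*(.+)$")
AUTH_LINE_RE = re.compile(r"(\S+) user=(\S+) ip=(\S+) event=(\S+)")

def parse_received(header):
    """Return (sending_ip, timestamp) from a Received: header line."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("no bracketed IP and date found in Received header")
    sent_at = datetime.strptime(m.group(2).strip(), "%a, %d %b %Y %H:%M:%S %z")
    return m.group(1), sent_at

def parse_auth_log(text):
    """Yield (timestamp, user, ip, event) from the constructed log format."""
    for line in text.splitlines():
        m = AUTH_LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_sender(header, auth_log):
    """List users logged in from the sending IP when the mail was sent.
    A login with no later logout is treated as a still-open session."""
    ip, sent_at = parse_received(header)
    sessions = {}  # user -> list of [login_time, logout_time or None]
    for ts, user, log_ip, event in sorted(parse_auth_log(auth_log)):
        if log_ip != ip:
            continue
        if event == "login":
            sessions.setdefault(user, []).append([ts, None])
        elif event == "logout" and sessions.get(user):
            sessions[user][-1][1] = ts
    return [user for user, spans in sessions.items()
            for start, end in spans
            if start <= sent_at and (end is None or sent_at <= end)]
```

With the constructed data the session open from 203.0.113.45 at 14:32 belongs to bob, which is the login the post's poster would confront with the headers.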

Right now all mass mailing viruses pull e-mail addresses from all over your hard drive. Basically, if they see something with an “@” in it, they take the characters on either side and use it as an address. If they’re wrong, the bounce goes to another address they’ve pulled.

In addition, they have their own SMTP server, so they send e-mail without going through any other server. We’ve actually shut down all SMTP traffic out* so that anyone on the network who gets infected won’t be able to spread the traffic.

*For the technically minded, we use a web-based e-mail. Those who use e-mail clients can only send SMTP through a server that requires authentication.