Oh, this is precious....
I get this warning yesterday and today I get blamed for sending a virus
to the users_at_lists.freeswan.org mailing list. This is completely
laughable considering I have none of Bill Gates' crud to start with...
Anyone who knows me would have already suspected something fishy...
In this case, my only transgression is to have someone with a Winblows
box list my email address in their address book.
I apologise to the list on behalf of the poor sod who got suckered into
using a Winblows system, didn't protect it properly, and got infected.
A careful look at the offending message headers helps narrow down the
offending system:

Received: from jwchina.com ([61.129.77.67])
        by mail.freeswan.org (8.11.6/8.11.0) with ESMTP id g3O9kwN08652
        for <users_at_lists.freeswan.org>; Wed, 24 Apr 2002 11:46:59 +0200
Received: from Cwf [61.151.239.39] by jwchina.com
        (SMTPD32-5.08) id A5908DE20328; Wed, 24 Apr 2002 16:53:52 +0800

Please clean up your system, and close your O/S holes. I just got
several dozen automatic complaints blaming me for this mess. I have
better things to do with bandwidth...
----- Forwarded message from Russell McOrmond <russell_at_flora.ca> -----
Date: Tue, 23 Apr 2002 15:04:56 -0400 (EDT)
From: Russell McOrmond <russell_at_flora.ca>
To: Brett Delmage <brett_at_twobikes.ottawa.on.ca>
cc: Richard Guy Briggs <rgb_at_conscoop.ottawa.on.ca>,
Russell McOrmond <Russell_at_flora.org>
Subject: Re: [Mailman-Developers] New emerging virus/worm. Grr. (fwd)
Aren't you glad we don't allow file attachments in mailing lists?
;-)
On Tue, 23 Apr 2002, Brett Delmage wrote:
> ---------- Forwarded message ----------
> Date: Tue, 23 Apr 2002 10:07:31 -0700
> From: Chuq Von Rospach <chuqui_at_plaidworks.com>
> To: mailman-developers_at_python.org, list-managers_at_greatcircle.com
> Subject: [Mailman-Developers] New emerging virus/worm. Grr.
>
>
> Passing this along, because this has implications to list owners.
>
> A new emerging worm is out there in windows land. That's bad enough, but
> this one has the hack that instead of repropagating via email using the
> owners email address, it repropagates using a random address in the infected
> machine's address book as the From, while sending to other random addresses
> in the book.
>
> Last night, I started getting email from a friend (who happens to be a top
> computer security guy in the country) from an address he hasn't used in
> three years, and he doesn't use windows. Other people started getting email
> from ME that was infected.
>
> This morning, the complaints started coming in that my mailman system was
> sending out infected emails, or that it was sending people admin messages
> because some infected machine was sending TO my mailman system as someone
> else, so they were getting the return notice.
>
> Here's what I'm currently sending out to people that complain about these
> bogus mailman messages....
>
> ---
>
> Someone out there has both your address and our address in their address
> book, and is infected with this virus:
>
> <http://www.symantec.com/avcenter/venc/data/w32.klez.h_at_mm.html>
>
> One of the side effects is that when it tries to reinfect, it takes an
> address from the address book at random, and uses it as the "from" in
> sending to someone else. So there's some third party that's hijacked your
> email address and using it to forward infected messages. And there's not a
> thing either of us can do about it, because neither of us are infected (or
> at least, we aren't) or control the machine doing it.
>
> This is an emerging worm, and it looks pretty ugly. It has hit Hong Kong and
> Great Britain worst so far, but it's spreading rapidly according to people
> I've talked to.
>
>
> ---
>
> This one has the possibility to get really ugly and nasty, folks, because
> it's hijacking addresses. Users can't depend on being yelled at by friends
> for being infected, because this new worm hides behind random return
> addresses. Which means the only thing you know is that the "person" sending
> you the email isn't the one infected, but someone who knows both of you
> is...
>
> At least, as far as I can tell so far. The experts still seem to be trying
> to get a handle on it...
--
Russell McOrmond, Internet Consultant: <http://www.flora.ca/>
See http://weblog.flora.org/ for announcements, activities, and opinions
Get Legal - become Free! http://weblog.flora.ca/article.php3?story_id=126
Anti-Copyright Crusader http://weblog.flora.ca/article.php3?story_id=133

----- End forwarded message -----

slainte mhath, RGB
--
Richard Guy Briggs           --    ~\                 Auto-Free Ottawa! Canada
<www.TriColour.net>            --    \@       @           <www.flora.org/afo/>
No Internet Wiretapping!        --   _\\/\%___\\/\%        Vote! -- <Green.ca>
<www.FreeSWAN.org>_______GTVS6#790__(*)_______(*)(*)_______<www.Marillion.com>
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
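
The header check described in the post, as an added example that is not part of the original message: since the worm forges the From line, the sending host has to be read from the Received chain, trusting only the header written by an MTA you control. The function names, the `trusted_mtas` parameter and the From/Subject lines of the sample are assumptions; the two Received headers are the ones quoted in the post.

```python
import re
from email import message_from_string

# Received headers as quoted in the post; From/Subject/body are constructed.
SAMPLE = """\
Received: from jwchina.com ([61.129.77.67])
\tby mail.freeswan.org (8.11.6/8.11.0) with ESMTP id g3O9kwN08652
\tfor <users_at_lists.freeswan.org>; Wed, 24 Apr 2002 11:46:59 +0200
Received: from Cwf [61.151.239.39] by jwchina.com
\t(SMTPD32-5.08) id A5908DE20328; Wed, 24 Apr 2002 16:53:52 +0800
From: spoofed.sender@example.org
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hop(value):
    """Split one Received value into claimed name, peer IP and recording host."""
    helo = re.search(r"\bfrom\s+([\w.-]+)", value)
    by = re.search(r"\bby\s+([\w.-]+)", value)
    ip = IP_RE.search(value)
    return {"helo": helo.group(1).lower() if helo else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1).lower() if by else None}

def trace_origin(raw, trusted_mtas):
    """Walk Received headers newest-first and report the likely sending host."""
    msg = message_from_string(raw)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    result = {"from_header": msg.get("From"), "relay_ip": None,
              "origin_ip": None, "origin_verified": False, "hops_used": 0}
    if not hops or hops[0]["by"] not in trusted_mtas:
        return result  # no header written by a server we control
    # The top header was recorded by our own MTA, so its peer IP is reliable.
    result.update(relay_ip=hops[0]["ip"], origin_ip=hops[0]["ip"],
                  origin_verified=True, hops_used=1)
    prev = hops[0]
    for hop in hops[1:]:
        # Older headers are only claims by upstream hosts; follow them while
        # each one was recorded by the host that handed the message onward.
        if hop["by"] != prev["helo"] or hop["ip"] is None:
            break
        result.update(origin_ip=hop["ip"], origin_verified=False)
        result["hops_used"] += 1
        prev = hop
    return result
```

An `origin_ip` with `origin_verified` set to False is a lead for an abuse report to the relay's operator, not proof; only `relay_ip` was observed first-hand.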
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:53 CEST