On Wed, 4 Jun 2003 15:29:11 -0700, A Guy Called Tyketto <tyketto@xxxxxxxxxx> wrote: > It appears that someone (maybe on gimp-developer, maybe not) has been > socked with the W32/Sobig virus/worm. It's similar to the KLEZ worm, but is a > bit more picky. I've been getting a lot of messages like below, but since my > main machine is a linux box, I'm not getting infected. Spamassassin is helping > to find it, but thought everyone would want to know. From the NANOG mailing > list: [...] > http://vil.nai.com/vil/content/v_100343.htm (W32/Sobig.c@MM) which is klez [...] The page linked from the message that you quoted contains this note: * Note: This variant spoofs, or forges, the from address. Therefore the perceived sender is likely not a pointer to the infected user. It is also likely that the infected user is not a member of gimp-developer. As the worm scans the address books and all HTML and text files on the victim's computer, it is not hard to imagine that it could have found some GIMP-related addresses in the same file and sent a mail claiming to be from Adrian (or Adam, as in the last message) to the gimp-developer list. The victim can be any user of the Windows version of the GIMP (the worm would have found the addresses in the documentation) or any user of any version of the GIMP who was using a Windows PC for browsing some GIMP-related web pages (the worm would have found the addresses in the browser's cache). In any case, there is a rather low probability that this user is a member of this list. And by the way, there are relatively few of these worm-generated messages that made it through the gimp-developer list. I assume that most of the messages targeted at this list were bounced to our dear list maintainer. I have seen many more worms going through the address bugs@xxxxxxxx, for example (in the order of several dozens per day, although I did not count them). -Raphaël
