On Mon, Jan 19, 2004 at 10:53:18AM -0500, Noel Chiappa wrote:
> > From: John Stracke <jstracke@xxxxxxxxxxx>
>
> > I didn't write that; the return address was faked.
>
> So much for mailing list "security" by only allowing posts from subscribers.

Security is not a binary condition.

> This virus/worm is actually mildly interesting in the way it operates. I'm
> seeing lots of email from people with whom I would have corresponded long ago.
> So it's probably mining web pages for old email, and using the addresses it
> finds in the headers as source/dest pairs.

Perhaps, but that would be pretty impressive for a 16K executable -- maybe it downloads a second stage -- there are a bunch of builtin urls.

--
Kent Crispin
kent@xxxxxxxxx    p: +1 310 823 9358  f: +1 310 823 8649
kent@xxxxxxxxxxxx    SIP: 81202@xxxxxxxxxxxxxx