Re: Hi


On Mon, Jan 19, 2004 at 10:53:18AM -0500, Noel Chiappa wrote:
>     > From: John Stracke <jstracke@xxxxxxxxxxx>
> 
>     > I didn't write that; the return address was faked.
> 
> So much for mailing list "security" by only allowing posts from subscribers.

Security is not a binary condition.  

> This virus/worm is actually mildly interesting in the way it operates. I'm
> seeing lots of email from people with whom I would have corresponded long ago.
> So it's probably mining web pages for old email, and using the addresses it
> finds in the headers as source/dest pairs.

Perhaps, but that would be pretty impressive for a 16K executable --
maybe it downloads a second stage -- there are a bunch of built-in URLs,
e.g.:



-- 
Kent Crispin 
kent@xxxxxxxxx    p: +1 310 823 9358  f: +1 310 823 8649
kent@xxxxxxxxxxxx SIP: 81202@xxxxxxxxxxxxxx


