Open Source and information security mailing list archives
Message-ID: <006f01c3ee61$7a8857e0$4802a8c0@Security>
From: joel at helgeson.com (Joel R. Helgeson)
Subject:  MyDoom virus sent is an earlier message with subject "Error"

Hell yeah, I just got BOMBARDED with a couple hundred bounce messages from
the MyDoom Virus, and I can say without question that I am not, nor have I
ever been infected with the MyDoom Virus.

Joel R. Helgeson
Director of Networking & Security Services
SymetriQ Corporation

"Give a man fire, and he'll be warm for a day; set a man on fire, and he'll
be warm for the rest of his life."
----- Original Message ----- 
From: "Bill Royds" <full-disclosure@...ds.net>
To: <joel@...geson.com>; <full-disclosure@...ts.netsys.com>
Sent: Sunday, February 08, 2004 10:26 AM
Subject: RE: [Full-Disclosure] MyDoom virus sent is an earlier message with
subject "Error"


An earlier message sent to the Full Disclosure list was a copy of the Mydoom
virus (since FD is not moderated).

It shows a little how this virus is propagating and one reason for its fast
spread and persistence.

By using email addresses in files and saved email and also generating random
addresses to the domains it finds, it is finding many more delivery
addresses than previous viruses and using NDR responses to propagate to make
multiple copies of itself to forward.

Here is the email to FD with headers that I received with some annotation to
show deceptions that virus practises to help propagate.

The key header is the third Received: header
Received: from helgeson.com (80-235-33-127-dsl.mus.estpak.ee
[80.235.33.127])
by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i18EnoU08477
for <full-disclosure@...ts.netsys.com>; Sun, 8 Feb 2004 09:49:51 -0500 (EST)

The message claims to be from Joel@...geson.com, who is probably a member of
the FD list, but who had absolutely nothing to do with the sending of the
email. It was sent from host 80-235-33-127-dsl.mus.estpak.ee [80.235.33.127]
(in Estonia) which was running the virus's SMTP engine, which fakes the SMTP
HELO response to say it is helgeson.com.
This seems to persuade some SMTP MTAs that it is not being forged, since
the domain of nominal sender and the HELO domain are the same.

If instead of reaching a valid recipient (such as
full-disclosure@...ts.netsys.com in this case), it had been sent to
susan@...ts.netsys.com (one of its made-up email addresses), the
lists.netsys.com NDR bounce message would send the message back to
Joel@...geson.com carrying the complete virus (as it doesn't analyse the
message, just returns it as attachment in bounce message).

Joel@...geson.com will be bombarded by the virus as if it were coming from
postmaster@...ts.netsys.com, which may be on a whitelist and let through. So
the virus manages to gain delivery through third parties as well as
directly.

AV programs that send warnings to the from address do even more harm to
Joel, who had nothing to do with the virus other than once posting in FD.

==================================================

Return-Path: <full-disclosure-admin@...ts.netsys.com>
Received: from netsys.com (NETSYS.COM [199.201.233.10])
by mail2.zoneedit.com (Postfix) with ESMTP id D7D662EA976
for <full-disclosure@...ds.net>; Sun,  8 Feb 2004 10:43:46 -0500 (EST)
Received: from NETSYS.COM (localhost [127.0.0.1])
by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i18EpXS09093;
Sun, 8 Feb 2004 09:51:34 -0500 (EST)
Received: from helgeson.com (80-235-33-127-dsl.mus.estpak.ee
[80.235.33.127])
by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i18EnoU08477
for <full-disclosure@...ts.netsys.com>; Sun, 8 Feb 2004 09:49:51 -0500 (EST)
Message-Id: <200402081449.i18EnoU08477@...sys.com>
From: joel@...geson.com
To: full-disclosure@...ts.netsys.com
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0004_830D6A05.0CE2EC43"
X-Priority: 3
X-MSMail-Priority: Normal
Subject: [Full-Disclosure] Error
Sender: full-disclosure-admin@...ts.netsys.com
Errors-To: full-disclosure-admin@...ts.netsys.com
X-BeenThere: full-disclosure@...ts.netsys.com
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe:
<http://lists.netsys.com/mailman/listinfo/full-disclosure>,
<mailto:full-disclosure-request@...ts.netsys.com?subject=unsubscribe>
List-Id: Discussion of security issues <full-disclosure.lists.netsys.com>
List-Post: <mailto:full-disclosure@...ts.netsys.com>
List-Help: <mailto:full-disclosure-request@...ts.netsys.com?subject=help>
List-Subscribe: <http://lists.netsys.com/mailman/listinfo/full-disclosure>,
<mailto:full-disclosure-request@...ts.netsys.com?subject=subscribe>
List-Archive: <http://lists.netsys.com/pipermail/full-disclosure/>
Date: Sun, 8 Feb 2004 16:49:34 +0200


AS4?
??t_1??.,8(?9??W8Es???_D?j?1?_???P??U]??5?? etc.

******************   McAfee VirusScan ************************
******* Alert generated at: Sun, 08 Feb 2004 10:57:21 -0500 *********
*********************************************************************

McAfee VirusScan has detected a potential threat in this e-mail
sent by joel@...geson.com.
The following actions were attempted on each suspicious part.
We strongly recommend that you report this virus-related activity
to joel@...geson.com.


 The attachment "doc.zip" is infected with the W32/Mydoom.a@MM Virus(es).
This attachment has been cleaned.
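The header walk Bill performs by hand above, as an added example in Python; it is not code from the post or from either author. It takes the oldest Received: header stamped by one of our own relays, treats the connecting client as the point of injection, and flags a HELO name that matches the From: domain but not the client's reverse DNS, which is the forgery the post describes. The sample messages are constructed: the first is reduced from the headers quoted above (addresses de-obfuscated to helgeson.com and lists.netsys.com as they appear elsewhere on the page), and the second, with the documentation address 192.0.2.10, is a made-up clean message. The trusted-relay set and the two-label "registrable domain" shortcut are assumptions for the example.

```python
"""Find where a message entered our relays and check whether the HELO name
was forged to match the claimed sender, as in the Mydoom headers above."""
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# "Received: from <helo> (<rdns> [<ip>]) by <relay> ... ; <date>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def registrable(host: str) -> str:
    """Crude organisational domain: the last two labels. Assumption for the
    example (no Public Suffix List); adequate for the hosts on this page."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_received(value: str):
    """Parse one Received: header into helo/rdns/ip/by/date, or None."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    hop = {k: (m[k] or "") for k in ("helo", "rdns", "ip", "by")}
    hop["date"] = parsedate_to_datetime(flat.rpartition(";")[2].strip())
    return hop


def origin_hop(msg, trusted):
    """Oldest Received: header stamped by one of *trusted* whose client is
    neither loopback nor another trusted relay: the injection point."""
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    for hop in reversed(hops):  # headers are prepended, so the last is oldest
        if registrable(hop["by"]) not in trusted:
            continue  # not our stamp, so possibly forged by the sender
        if hop["ip"].startswith("127.") or registrable(hop["rdns"]) in trusted:
            continue  # internal hand-off between our own relays
        return hop
    return None


def analyse(raw: str, trusted: set) -> dict:
    msg = message_from_string(raw)
    hop = origin_hop(msg, trusted)
    if hop is None:
        return {"origin": None, "findings": ["no trusted entry hop found"]}
    findings = []
    sender_dom = registrable(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    helo_dom, rdns_dom = registrable(hop["helo"]), registrable(hop["rdns"])
    if hop["rdns"] and helo_dom != rdns_dom:
        findings.append(f"HELO {hop['helo']} does not match reverse DNS {hop['rdns']}")
        if helo_dom == sender_dom:
            findings.append("HELO copies the From: domain, so a HELO==From check is fooled")
    # The sender's Date: header carries the composing host's UTC offset;
    # compare it with the offset and time our own relay stamped.
    sent = parsedate_to_datetime(msg["Date"])
    return {
        "origin": hop["ip"],
        "origin_rdns": hop["rdns"],
        "sender_utc_offset_h": sent.utcoffset() / timedelta(hours=1),
        "relay_utc_offset_h": hop["date"].utcoffset() / timedelta(hours=1),
        "transit_seconds": (hop["date"] - sent).total_seconds(),
        "findings": findings,
    }


# Constructed sample, reduced from the headers quoted in the post above.
MYDOOM_SAMPLE = """\
Received: from NETSYS.COM (localhost [127.0.0.1])
    by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i18EpXS09093;
    Sun, 8 Feb 2004 09:51:34 -0500 (EST)
Received: from helgeson.com (80-235-33-127-dsl.mus.estpak.ee
    [80.235.33.127])
    by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i18EnoU08477
    for <full-disclosure@lists.netsys.com>; Sun, 8 Feb 2004 09:49:51 -0500 (EST)
From: joel@helgeson.com
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] Error
Date: Sun, 8 Feb 2004 16:49:34 +0200

(binary attachment omitted)
"""

# Constructed clean message: HELO and reverse DNS agree (192.0.2.10 is a
# documentation address, not a real host).
LEGIT_SAMPLE = """\
Received: from mail.helgeson.com (mail.helgeson.com [192.0.2.10])
    by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i18Exxxx
    for <full-disclosure@lists.netsys.com>; Sun, 8 Feb 2004 10:00:00 -0500 (EST)
From: joel@helgeson.com
Date: Sun, 8 Feb 2004 09:59:50 -0500

hello
"""

if __name__ == "__main__":
    for name, raw in (("mydoom", MYDOOM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyse(raw, {"netsys.com"}))
```

On the Mydoom sample the injection point is 80.235.33.127, the HELO name disagrees with its reverse DNS while matching the From: domain, and the Date: header's +0200 offset sits 17 seconds before the relay's -0500 stamp, consistent with a host in Estonia rather than anything at helgeson.com. The clean sample yields no findings. Note that walking from the oldest header is only safe because the loop ignores hops not stamped by a relay you control: anything older than your own first stamp was written by the sender and can say whatever it likes.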



