[meteorite-list] Virus warning!!
From: Pekka Savolainen <pekka.savolainen_at_meteoritecentral.com>
Date: Thu Apr 22 10:32:10 2004
Message-ID: <40176A9C.1020607_at_dlc.fi>

Hello, Dave and the list,

the address eurocoin_at_smartgoups.com is from my sign. Have received the same
kind of failure notices from:

brian_at_virgilio.it
mike_at_aol.com

That doesn't mean the computers using these addresses are infected; Mydoom
just picks up random addresses from the WAB (Windows address-book file) on
the infected computers and uses them as the sender. It can also collect the
fake sending addresses / addresses to send from the following files on the
infected computer:

Mail Propagation

The worm collects addresses where to send itself from Windows' Address Book
and from files with extension:

pl
adb
tbb
dbx
asp
php
sht
htm
txt

Peer-to-Peer Spreading

The worm will look up from the Windows Registry the value containing the
user's Kazaa shared folder, and it will copy itself to that location with a
filename composed from the following list:

winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004

The summary and disinfection of Mydoom can be found at:

http://www.f-secure.com/v-descs/novarg.shtml

take care,

pekka s

DNAndrews wrote:
> Hi Mark and list,
> (Sorry Art I know we're not supposed to talk about this on the list).
> Looks like it's already made the list. I just got a returned message
> or failure notice for a message I never sent to a
> "eurocoin_at_smartgroups.com". The address was spoofed to make me look
> like the sender. The body.pif file was the intended payload. I
> traced the header information to the real sender:
>
> Received: from sgrelayg1.core.theplanet.net (195.92.195.145)
> by indium.smartgroups.com with SMTP; 27 Jan 2004 16:56:18 -0000
> Received: from aputeaux-115-1-3-220.w193-251.abo.wanadoo.fr
> ([193.251.71.220]
>
> Bruno Drouet is the owner of this domain. Not sure if he's the owner
> of the IP address though.
>
> Beware out there and update your virus programs!
>
> Dave

--
Pekka Savolainen
Jokiharjuntie 4
FIN-71330 Rasala
FINLAND
+ 358 400 818 912
Group Home Page: http://www.smartgroups.com/groups/eurocoin
Group Email Address: eurocoin_at_smartgroups.com

Received on Wed 28 Jan 2004 02:54:04 AM PST
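Dave's point above is that the From: address is spoofed while the Received: chain still records the host that actually handed the mail to the first relay. The Python below is an added example, not code from the list post: it parses a constructed message modelled on the quoted headers (the second Received: line is completed here for illustration, since the quote is truncated), walks the chain oldest hop first, and compares the originating host with the claimed sender domain.

```python
import email
import re

# Constructed sample message modelled on the headers quoted in Dave's post.
# The second Received: line is completed here for illustration; the From:
# header is the spoofed sender address the worm inserted.
RAW_MESSAGE = """\
Received: from sgrelayg1.core.theplanet.net (195.92.195.145)
  by indium.smartgroups.com with SMTP; 27 Jan 2004 16:56:18 -0000
Received: from aputeaux-115-1-3-220.w193-251.abo.wanadoo.fr ([193.251.71.220])
  by sgrelayg1.core.theplanet.net with SMTP; 27 Jan 2004 16:56:10 -0000
From: dave@example.invalid
To: eurocoin@smartgroups.com
Subject: hi

(body.pif attachment would follow here)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_CLAUSE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def received_hops(raw):
    """Return the Received: chain as dicts, oldest hop first.

    Each relay prepends its own Received: header, so the last header in the
    message is the first hop, i.e. the host that injected the mail.
    """
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        host = FROM_CLAUSE.match(text)
        ip = IPV4.search(text)
        hops.append({"from": host.group(1) if host else None,
                     "ip": ip.group(1) if ip else None})
    return list(reversed(hops))


def originating_host(raw):
    """The host that handed the message to the first relay, or None."""
    hops = received_hops(raw)
    return hops[0] if hops else None


def from_header_matches_origin(raw):
    """Rough consistency check: does the From: domain appear in the
    originating hop's host name?  False is a hint that From: is spoofed."""
    sender = email.message_from_string(raw).get("From", "")
    domain = sender.rsplit("@", 1)[-1].strip(" >").lower()
    origin = originating_host(raw)
    return bool(origin and origin["from"] and domain in origin["from"].lower())
```

The Received: chain is only trustworthy from your own relays inward; headers added before the mail reached them can themselves be forged, which is why the check stops at the first hop rather than trusting any single line.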