fetchmail-friends

Re: [fetchmail]Hi

2004-01-19 16:32:41
On Mon, 19 Jan 2004, Rashkae wrote:
Wayyy too paranoid, man.  This virus more or less resembles SoBig in
how it spreads, so spoofed From is par for the course.  Also, it's
hardly surprising that large mailing lists would see this before it
makes it on the media.  And besides, I know virus writers aren't
renowned for intelligence, but if you were deliberately releasing a new
Windows virus to the wild, would a Unix sysadmin mailing list be your
first target???

I plead guilty to the paranoid charge.  I don't know how this virus
propagates, but my thought was merely this: how did the virus get Jakob's
mail name to use?  I think we agree that it didn't come from his machine,
so how did the virus pick up his name?

I guess a little background research is needed first: just how does this
virus propagate?

Here is the bugtraq announcement for this virus (which seems to be called
Bagle):
        http://www.securityfocus.com/archive/1/350223/2004-01-16/2004-01-22/0

We're told this about propagation:


The worm searches disk drives for files with the following extensions:
        wab, txt, htm, html, r1
and scans them for email-like text strings, then sends infected messages
to the email addresses found.


Tells us how it could have found fetchmail-friends, but not how it might
have chosen to send to this list as jh(_at_)plonk(_dot_)de, but maybe it also
permutes From addresses from the same list of e-mails.  It seems to be a
very new virus.

I guess I'm thinking about this too much.  Forgive me my computer security
paranoia.  I'll go to bed.

