On Mon, Jan 19, 2004 at 10:53:18AM -0500, Noel Chiappa wrote:
> From: John Stracke <jstracke@centive.com>
> I didn't write that; the return address was faked.
> So much for mailing list "security" by only allowing posts from subscribers.
Security is not a binary condition.
> This virus/worm is actually mildly interesting in the way it operates. I'm
> seeing lots of email from people with whom I would have corresponded long ago.
> So it's probably mining web pages for old email, and using the addresses it
> finds in the headers as source/dest pairs.
Perhaps, but that would be pretty impressive for a 16K executable --
maybe it downloads a second stage -- there are a bunch of builtin urls,
eg:
--
Kent Crispin
kent@icann.org p: +1 310 823 9358 f: +1 310 823 8649
kent@songbird.com SIP: 81202@fwd.pulver.com