Conservation DistList Archives

Subject: Administrivia

From: Walter Henry <consdist-request>
Date: Monday, October 7, 2002
Many of you have received a mailing that *looks* like a DistList
mailing but which--as DistList mailings *never* do--contains an
attachment. And, as you've probably already guessed, this attachment
contains a virus. Obviously, you should not open it. I'd prefer that
you not bother letting me know about receiving the files, as I
already know and there's nothing I can do about it.

As you probably already know, there are a number of viruses that not
only send themselves to everyone in the infected machine's address
book, but disguise themselves as someone in that address book, so
that it appears that the first victim is in fact the source of the
contaminated file.  It does not mean that anyone intentionally--or
even knowingly--sent you a file with that attachment.  Nor does the
mail message give us any way to identify the sender (the message
transmission path is faked).

Just to make it quite clear: the message you reported did *not* come
from the DistList nor can any DistList mailing sent from my system
ever carry a virus.

From what I can tell, this virus appears to be one known as
W32.Bugbear@mm. For more information about how this virus works, see

    http://securityresponse.symantec.com/
        avcenter/venc/data/w32.bugbear@mm.html
from which the following is excerpted:

    It retrieves the current user's email address and SMTP server
    from the registry key
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account
    Manager\Accounts

    It then uses its own SMTP engine to send itself to all email
    addresses that it finds. The worm also can construct addresses
    for the "From:" field using information that it harvests from
    the infected computer. For example, the worm may find the
    addresses a@a.com, b@b.com and c@c.com. The worm could create an
    email message addressed to a@a.com and spoof the "From:"
    address, so that it appears to come from c@b.com. The spoofed
    address can also be a valid email address that the worm finds on
    the system.

    In addition to the following list of subjects, the worm can
    create a new message as a reply to or forward of an existing
    message on the infected system. ...

    **** Moderator's comments: The above URL has been wrapped for
    email. There should be no newline

Naturally, I strongly advise all of you to keep your virus checkers
up-to-date and not to open attachments without due caution. You will
never receive an attachment from the DistList.


                                  ***
                  Conservation DistList Instance 16:26
                Distributed: Wednesday, October 9, 2002
                       Message Id: cdl-16-26-002
                                  ***
Received on Monday, 7 October, 2002
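
Because the "From:" field can be spoofed, the one rule in this notice that a recipient can check mechanically is that list mail never carries an attachment. The Python below is an added example applying that rule; it is not part of the original message or of the DistList's own tooling, and the marker strings, addresses and sample messages in it are constructed assumptions.

```python
from email import message_from_bytes, policy

# Assumption: strings that make a message *claim* to be list mail.
LIST_MARKERS = ("distlist", "consdist")

def claims_list_origin(msg):
    """True if From or Subject presents the message as list mail."""
    claimed = " ".join(str(msg.get(h, "")) for h in ("From", "Subject")).lower()
    return any(marker in claimed for marker in LIST_MARKERS)

def attachment_names(msg):
    """Names of every leaf part that is an attachment or carries a filename."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            names.append(filename or "(unnamed)")
    return names

def check(raw):
    """Attachment names when a list-looking message breaks the no-attachment rule."""
    msg = message_from_bytes(raw, policy=policy.default)
    # The From header is only a claim; the attachment rule is what gets tested.
    return attachment_names(msg) if claims_list_origin(msg) else []

# Constructed samples: a text-only digest and a look-alike with an attachment.
GENUINE = b"\r\n".join([
    b"From: Conservation DistList <list@example.org>",
    b"Subject: DistList digest (constructed sample)",
    b"Content-Type: text/plain", b"", b"Digest text only.", b""])

LOOKALIKE = b"\r\n".join([
    b"From: Conservation DistList <list@example.org>",
    b"Subject: Re: DistList (constructed sample)",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"', b"",
    b"--b1", b"Content-Type: text/plain", b"", b"See attached.",
    b"--b1", b"Content-Type: application/octet-stream",
    b'Content-Disposition: attachment; filename="sample.bin"', b"", b"AAAA",
    b"--b1--", b""])

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("look-alike", LOOKALIKE)):
        found = check(raw)
        print(label, "-> quarantine" if found else "-> ok", found)
```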
