Ok, Who's got the virus?

Somone on .chips has a virus and has been sending it out at a
prodigious rate. I just received a warning from someone (sans
virus) with an address list that looks like a who's who of
..chips.

I'm getting hit about once a minute. The virus is about 150K so
that's a lot of crap! ...and that's after setting up a picket of
filters on the server!

--
Keith

"Keith R. Williams" wrote in message
. ..
Somone on .chips has a virus and has been sending it out at a
prodigious rate. I just received a warning from someone (sans
virus) with an address list that looks like a who's who of
.chips.

I'm getting hit about once a minute. The virus is about 150K so
that's a lot of crap! ...and that's after setting up a picket of
filters on the server!

Yeah, my junk email account (Yahoo) has sent me a warning that my mail box
is getting close to its max because of all of wave of mail coming in, and
that after that I won't be able to receive emails. No big deal to me, I did
setup that account to filter out my spam mail, and if it shuts down
temporarily, then that simply means fewer viruses entering it. :-)

Most of the mails I seem to be getting are those fake Microsoft patch
emails. "Oh please install this attachment in this totally unsolicited but
very official looking Microsoft email, it's a patch that'll help you". :-)

Yousuf Khan

On Fri, 19 Sep 2003 16:24:11 GMT, Will Dormann
wrote:

snip

I guess one of the reasons that this one is so widely spread is that it
doesn't solely rely on user stupidity (opening attachment), but rather
it also incorporates an incorrect MIME header exploit so that it
automatically executes upon previewing the message in Microsoft Outlook
/ Outlook Express.

I am sure there are people with good business reasons for using
Microsoft Outlook / Outlook Express, like the company requires them
to. Other than that, I would include continuing use of that software
in the category of user stupidity, given what's out there right now.
I have what I regard as good business reasons for using Windows at
all, but I'm reevaluating.

RM

Keith R. Williams wrote:

Somone on .chips has a virus and has been sending it out at a
prodigious rate. I just received a warning from someone (sans
virus) with an address list that looks like a who's who of
.chips.

I'm getting hit about once a minute. The virus is about 150K so
that's a lot of crap! ...and that's after setting up a picket of
filters on the server!


Once a minute... If I were only so lucky. I'm getting them at a rate
of about one per 5-10 seconds.

The sender's address is forged, so it's hard to tell where exactly they
come from. (Unless you go by the IP address in the header).


I guess one of the reasons that this one is so widely spread is that it
doesn't solely rely on user stupidity (opening attachment), but rather
it also incorporates an incorrect MIME header exploit so that it
automatically executes upon previewing the message in Microsoft Outlook
/ Outlook Express.

-WD

In article ,
says...
On Fri, 19 Sep 2003 16:24:11 GMT, Will Dormann
wrote:

snip

I guess one of the reasons that this one is so widely spread is that it
doesn't solely rely on user stupidity (opening attachment), but rather
it also incorporates an incorrect MIME header exploit so that it
automatically executes upon previewing the message in Microsoft Outlook
/ Outlook Express.

I am sure there are people with good business reasons for using
Microsoft Outlook / Outlook Express, like the company requires them
to. Other than that, I would include continuing use of that software
in the category of user stupidity, given what's out there right now.
I have what I regard as good business reasons for using Windows at
all, but I'm reevaluating.

In this case, the problem is not so much what you're running, but
what everyone else is. You could be running PalmOS and this
thing would still be an effective DoS attack.

--
Keith

In article ,
says...
Keith R. Williams wrote:

Somone on .chips has a virus and has been sending it out at a
prodigious rate. I just received a warning from someone (sans
virus) with an address list that looks like a who's who of
.chips.

I'm getting hit about once a minute. The virus is about 150K so
that's a lot of crap! ...and that's after setting up a picket of
filters on the server!


Once a minute... If I were only so lucky. I'm getting them at a rate
of about one per 5-10 seconds.

That's once per minute *after* adding fourteen filters on the
server. The ones getting through don't seem to have a decent
handle I can grab that wouldn't also cause others to be filtered.

--

The sender's address is forged, so it's hard to tell where exactly they
come from. (Unless you go by the IP address in the header).


I guess one of the reasons that this one is so widely spread is that it
doesn't solely rely on user stupidity (opening attachment), but rather
it also incorporates an incorrect MIME header exploit so that it
automatically executes upon previewing the message in Microsoft Outlook
/ Outlook Express.

-WD

Keith R. Williams wrote:

Somone on .chips has a virus and has been sending it out at a
prodigious rate. I just received a warning from someone (sans
virus) with an address list that looks like a who's who of
.chips.

I'm getting hit about once a minute. The virus is about 150K so
that's a lot of crap! ...and that's after setting up a picket of
filters on the server!


Anybody who has posted to a newsgroup with a non-munged address (such as
myself) is a prime target for this worm.

According to SARC, the worm gets the target email addresses by:
Searches .html, .asp, .eml, .dbx, .wab, .mbx files on the hard disk for
email addresses.

If a victim of the worm uses Outlook Express (ugh!) to read newsgroups,
the newsgroup headers are stored in a .dbx file.



-WD

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article ,
Robert Myers wrote:
I am sure there are people with good business reasons for using
Microsoft Outlook / Outlook Express, like the company requires them
to.

Whoever at a company insists on such a suicidal course should be tossed out
into the street and replaced with someone with a clue. I've received well
over 1000 infected messages in the past 24 hours...my mailer is bouncing
some of them now, based on subject and IP address, but some are still
leaking through.

_/_ Scott Alfter
/ v \
(IIGS( http://alfter.us Top-posting!
\_^_/ pkill -9 /bin/laden What is the most annoying thing on Usenet?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/azoqVgTKos01OwkRArbRAKCYt/yn3U7G5+a4xXf7ZpiF9emQsgCg0qOG
ca9WoaJOIc3Cm7cUXqzH+1M=
=vk8F
-----END PGP SIGNATURE-----

Keith R. Williams wrote in
:


Once a minute... If I were only so lucky. I'm getting them at a rate
of about one per 5-10 seconds.

That's once per minute *after* adding fourteen filters on the
server. The ones getting through don't seem to have a decent
handle I can grab that wouldn't also cause others to be filtered.


I finally gave up and installed mimedefang -- now i ****can all attachments
through our mail system. If people need to send a file they can ftp

life is much better now

-z

On Fri, 19 Sep 2003 09:48:23 -0400, Keith R. Williams
wrote:

Somone on .chips has a virus and has been sending it out at a
prodigious rate. I just received a warning from someone (sans
virus) with an address list that looks like a who's who of
.chips.

Hai, I'm confirmed in my position as the village idiot, the virus
didn't even show up. Ppp

Though thanks to this, I went to check this particular email account
and realized I missed an email from an actual life person (Robert)
about 2 months back *embarrassed grin*
--
L.Angel: I'm looking for web design work.
If you need basic to med complexity webpages at affordable rates, email me
Standard HTML, SHTML, MySQL + PHP or ASP, Javascript.
If you really want, FrontPage & DreamWeaver too.
But keep in mind you pay extra bandwidth for their bloated code