This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: Viruses being transported with Cygwin messages


Elfyn,

Let me be clear that I'm not accusing you (or Gareth or Chris F.) of anything here. As others have pointed out, these worms are clever about coming up with addresses both for the apparent "From:" address and the next ply of intended victim recipients.

Here are the routing headers from the message _ostensibly_ from you:

Return-Path: <elfyn@mail.utexas.edu>
Received: from mail18.svr.pol.co.uk (mail18.svr.pol.co.uk [195.92.67.23])
by morse.concentric.net [Concentric SMTP MX 1.0]
id g9DJ7ih10880; Sun, 13 Oct 2002 15:07:44 -0400 (EDT)
[1-800-745-2747 The Concentric Network]
Errors-To: <elfyn@mail.utexas.edu>
Received: from modem-2289.chimpanzee.dialup.pol.co.uk ([217.134.120.241] helo=mcb-home)
by mail18.svr.pol.co.uk with smtp (Exim 3.35 #1)
id 180nmm-0007hQ-00; Sun, 13 Oct 2002 19:48:20 +0100
From: "Elfyn McBratney" <elfyn@mail.utexas.edu>


As you can see, although it claims (suggests? "From:" headers are distinctly non-authoritative) you're at UT Austin, the message itself did not originate or traverse any servers there. Nor does Hotmail appear in the SMTP server-supplied forwarding header. (Concentric is my ISP.)

As I understand these worms, they use other users' address books (are they called "Contact Lists" in Outlook and Outlook Express?) to come up with both fraudulent "From:" addresses and recipients. Win32.Bugbear@mm uses registry data to propagate, too.

Randall Schulz
Mountain View, CA USA


Here's the full text of the message I received (attachment graciously elided--in fact, I delete them as soon as I confirm my hunch that they're worms):

-==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-
Return-Path: <elfyn@mail.utexas.edu>
Received: from mail18.svr.pol.co.uk (mail18.svr.pol.co.uk [195.92.67.23])
by morse.concentric.net [Concentric SMTP MX 1.0]
id g9DJ7ih10880; Sun, 13 Oct 2002 15:07:44 -0400 (EDT)
[1-800-745-2747 The Concentric Network]
Errors-To: <elfyn@mail.utexas.edu>
Received: from modem-2289.chimpanzee.dialup.pol.co.uk ([217.134.120.241] helo=mcb-home)
by mail18.svr.pol.co.uk with smtp (Exim 3.35 #1)
id 180nmm-0007hQ-00; Sun, 13 Oct 2002 19:48:20 +0100
From: "Elfyn McBratney" <elfyn@mail.utexas.edu>
Subject: Re: Need your Mac OS 8 support plan...
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----------ISQROT15KBZQSTO"
Message-Id: <E180nmm-0007hQ-00.2002-10-13-19-48-20@mail18.svr.pol.co.uk>
Bcc:
Date: Sun, 13 Oct 2002 19:48:20 +0100

Content-Type: text/html;

That is really not fare :(

Do you know when we'll get a time-indexed beta-sp ???

----- Original Message -----
From: Michael Aumeerally
To:
Sent: Sunday, August 25, 2002 9:52 PM
Subject: Re: Need your Mac OS 8 support plan...


> > Just wanted to beg you to bring in Mac OS 8 if your on your travels
> towards the office :)...
>
> I may come in Wednesday evening, depending on how the week unfolds...
>
<file://D:\Attachments\connexionscard-pass.txt.scr>[] connexionscard-pass.txt.scr
-==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-


At 16:33 2002-10-13, Elfyn McBratney wrote:
I for one would like to know how that happened. If it's from hotmail then fair
dos, sorry. If it was from elfyn@exposure.org.uk that's impossible because
all I can send through my mailgate is .txt or tar/gz files...even then
all archives are extracted/scanned.

What month???

Elfyn

----- Original Message -----
From: Randall R Schulz <rrschulz@cris.com>
To: <cygwin@cygwin.com>
Sent: Sunday, October 13, 2002 11:03 PM
Subject: Re: Viruses being transported with Cygwin messages


> Hi,
>
> It might help to know this is the "W32.Bugbear@mm" worm. It has been
> spreading a lot lately. In today's batch I received 3 copies under
> different names (supposedly from Christopher Faylor, Gareth Pearce and
> Elfyn McBratney), each with different contents and different attachment
> names.
>
> Here's what Symantec has to say about this worm:
> <http://www.sarc.com/avcenter/venc/data/w32.bugbear@mm.html>
>
> Randall Schulz
> Mountain View, CA USA

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
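As an added illustration (not part of this thread), here is a small Python check that does what the post does by hand: it walks the Received: chain and reports whether any relay belongs to the domain in the From: header. The header sample is constructed from the headers quoted above, trimmed to what the parser needs.

```python
import re
from email import message_from_string

# Constructed sample: the routing headers quoted in the post, with a
# minimal body so email.message_from_string() can parse it.
SAMPLE = """\
Return-Path: <elfyn@mail.utexas.edu>
Received: from mail18.svr.pol.co.uk (mail18.svr.pol.co.uk [195.92.67.23])
 by morse.concentric.net [Concentric SMTP MX 1.0]
 id g9DJ7ih10880; Sun, 13 Oct 2002 15:07:44 -0400 (EDT)
Received: from modem-2289.chimpanzee.dialup.pol.co.uk ([217.134.120.241] helo=mcb-home)
 by mail18.svr.pol.co.uk with smtp (Exim 3.35 #1)
 id 180nmm-0007hQ-00; Sun, 13 Oct 2002 19:48:20 +0100
From: "Elfyn McBratney" <elfyn@mail.utexas.edu>
Subject: Re: Need your Mac OS 8 support plan...

body
"""

# "from <sender> (<reverse-dns / ip info>) by <receiver>" as written by most MTAs
HOP_RE = re.compile(r"from\s+(\S+)(?:\s*\(([^)]*)\))?\s+by\s+(\S+)", re.I)

def received_hops(raw):
    """Return [(claimed_sender, paren_info, receiving_host)] for each Received:
    header, in header order (the newest hop, added by the last MTA, comes first)."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(hdr.split()))   # unfold continuation lines
        if m:
            hops.append((m.group(1), m.group(2) or "", m.group(3)))
    return hops

def from_domain(raw):
    """Domain part of the (non-authoritative) From: header, lowercased."""
    m = re.search(r"@([\w.-]+)", message_from_string(raw).get("From", ""))
    return m.group(1).lower() if m else ""

def domain_in_path(raw):
    """True if any host named in the Received chain is in the From: domain."""
    dom = from_domain(raw)
    if not dom:
        return False
    for sender, info, receiver in received_hops(raw):
        for host in (sender.lower(), receiver.lower(), info.lower()):
            if host == dom or host.endswith("." + dom):
                return True
    return False
```

Only the Received: lines added by your own MTA (here morse.concentric.net) are trustworthy; everything below them was supplied by the sending side and can be forged just like From:.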

