Passing this along, because this has implications for list owners.
A new emerging worm is out there in windows land. That's bad enough, but this one has the hack that instead of repropagating via email using the owner's email address, it repropagates using a random address in the infected machine's address book as the From, while sending to other random addresses in the book.
Last night, I started getting email from a friend (who happens to be a top computer security guy in the country) from an address he hasn't used in three years, and he doesn't use windows. Other people started getting email from ME that was infected.
This morning, the complaints started coming in that my mailman system was sending out infected emails, or that it was sending people admin messages because some infected machine was sending TO my mailman system as someone else, so they were getting the return notice.
Here's what I'm currently sending out to people that complain about these bogus mailman messages....
Someone out there has both your address and our address in their address book, and is infected with this virus:
<http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html>
One of the side effects is that when it tries to reinfect, it takes an address from the address book at random, and uses it as the "from" in sending to someone else. So there's some third party that's hijacked your email address and is using it to forward infected messages. And there's not a thing either of us can do about it, because neither of us is infected (or at least, we aren't) or controls the machine doing it.
This is an emerging worm, and it looks pretty ugly. It has hit Hong Kong and Great Britain worst so far, but it's spreading rapidly according to people I've talked to.
This one has the possibility to get really ugly and nasty, folks, because it's hijacking addresses. Users can't depend on being yelled at by friends for being infected, because this new worm hides behind random return addresses. Which means the only thing you know is that the "person" sending you the email isn't the one infected, but someone who knows both of you is...
At least, as far as I can tell so far. The experts still seem to be trying to get a handle on it...
-- Chuq Von Rospach, Architech chuqui@plaidworks.com -- http://www.chuqui.com/
The Cliff's Notes Cliff's Notes on Hamlet: And they all died happily ever after
At 10:07 AM 23/04/02 -0700, Chuq Von Rospach wrote:
This is an emerging worm, and it looks pretty ugly. It has hit Hong Kong and Great Britain worst so far, but it's spreading rapidly according to people I've talked to.
I have to say, I've seen it already quite a bit on some of the linuxchix mailing lists. Mostly it's getting caught by our "posters-only" rules, but we're also getting sent "You have a virus" auto-messages to the lists, the admins, and probably random posters as well. I haven't seen any make it through to the lists I'm on yet, but it's probably only a matter of time before someone's copy chooses a valid From: address.
I hadn't gone to look up the details on it yet, but I figured it was forging From:'s when I saw a mail purportedly from an older address belonging to our coordinator, who lives in Australia, coming from an ISP which is local to me, halfway around the world in Canada. I haven't been tracing ISPs, but I'm guessing it's spread over the US by now.
Thanks for the extra info, Chuq. I should probably make a similar notice available before I start getting complaints.
Terri
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 23 Apr 2002, Chuq Von Rospach wrote:
This one has the possibility to get really ugly and nasty, folks, because it's hijacking addresses. Users can't depend on being yelled at by friends for being infected, because this new worm hides behind random return addresses. Which means the only thing you know is that the "person" sending you the email isn't the one infected, but someone who knows both of you is...
The return-path header however seems to be 'correct'. I was able to use that to track back the actual infected user, even when it masqueraded as being from one of the lists I am on. Hopefully this helps other people track this back as well and at least inform the correct person that they are infected.
- --JT
[-------------------------------------------------------------------------]
[ Practice random kindness and senseless acts of beauty. ]
[ It's hard to seize the day when you must first grapple with the morning ]
[-------------------------------------------------------------------------]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8xaC1lZQYYI16LJQRAvoDAJ9OJXJR6CO/PhaZ/QJuv/r0zUuxJwCfYVbh
ld7T9CZ90dShV4JNHzyPxQ4=
=Y/i2
-----END PGP SIGNATURE-----
At 10:07 AM 4/23/02 -0700, Chuq Von Rospach wrote:
Passing this along, because this has implications to list owners.
A new emerging worm is out there in windows land. That's bad enough, but
Jeez, chuq, where have you been? I've been dealing with klez for *months*. Our central scanners nail about 1,400 of them *a day*.
A spam generating company's mailer got infected recently, and started spamming people all over the world with the addresses on their "to spam" list. The only new development in klez, which in itself is a variant of sircam (which I get about 2400 a day of) is that a new variant came out with a new message, and slipped past a lot of virus scanners for a day, (re)infecting a lot of people who *still* don't know not to click things.
I swear, I could send them a mail message that said "Click here to destroy your hard drive totally!" and they would.
A new emerging worm is out there in windows land. That's bad enough, but
Jeez, chuq, where have you been? I've been dealing with klez for *months*. Our central scanners nail about 1,400 of them *a day*.
This is a new variant, not the old Klez. And it's getting worse.
-- Chuq Von Rospach, Architech chuqui@plaidworks.com -- http://www.chuqui.com/
He doesn't have ulcers, but he's a carrier.
At 03:02 PM 4/23/02 -0700, Chuq Von Rospach wrote:
A new emerging worm is out there in windows land. That's bad enough, but
Jeez, chuq, where have you been? I've been dealing with klez for *months*. Our central scanners nail about 1,400 of them *a day*.
This is a new variant, not the old Klez. And it's getting worse.
Yea, I know; that's total across the variants. About 900 of them are the new one. But still, it's been out for a while too.
Of course, given that I manage the cluster of virus scanners that strip all our incoming mail, and get the nightly report, maybe I'm just sensitive to it. But our postmaster team has been backtracking origins of these things for a while now, and getting them fixed when we can. Some sites are really helpful and appreciative, and some sites are real pricks. Strangely, it seems to match the "will help stop spam" vs. "Go screw yourself" camps almost perfectly :-).
On Tuesday 23 April 2002 06:02 pm, you wrote:
A new emerging worm is out there in windows land. That's bad enough, but
Jeez, chuq, where have you been? I've been dealing with klez for *months*. Our central scanners nail about 1,400 of them *a day*.
This is a new variant, not the old Klez. And it's getting worse.
This is what I have in my "Hold posts with header value matching a specified regexp" field.
I decided about a month ago that I will no longer tolerate attachments going through automatically. It does require me to be more vigilant, but it has stopped everything so far. As you can see, some of these are quite specific from repeat offenders that spam in plain text. But the generic ones are great for stopping virus attachments from going anywhere. I got two of my list regulars, one from Europe and one from the Far East to help me admin the list to let legitimate attachments through in a reasonable period of time. Generally, the delay is less than 30 minutes from the time one is posted until it is released.
I stopped four of these viruses from going out today, which means that 300 list members were spared virus attacks 4 times. So, I stopped Klez 1200 times today by having to moderate 4 messages. Pretty good trade, if you ask me.
# Lines that *start* with a '#' are comments.
to: friend@public.com
message-id: relay.comanche.denmark.eu
from: list@listme.com
from: .*@uplinkpro.com
from: .*@lithesoft.com
from: .*@paid4survey.net
from: .*@freegift4u.com.*
subject: .*@Podtal.*
from: .*etoyshop.*
from: .*bdavisa.*
subject: .*new photos from my party.*
Content-type: text/html
Content-type: text/enriched
Content-type: text/x-vcard
Content-type: multipart/alternative
Content-type: multipart/related
Content-type: multipart/mixed
Content-type: application/octet-stream
Content-Disposition: attachment
from: .*@lehugo.com.br.*
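The two list-admin techniques in this thread, JT's use of the Return-Path header to find the machine that is actually infected and Phil's "hold posts with header value matching a specified regexp" rules, can be checked against a message offline. The script below is an added example, not code from Mailman or from any poster; the hold rules, addresses and the sample message are constructed for the example. It reads rules in the same one-per-line "Header: regexp" form shown above (lines starting with '#' are comments), matches each regexp case-insensitively against the named header, and, going a little beyond the page, looks at the headers of every MIME part rather than only the top-level ones so an attachment's own Content-Disposition is seen. It then compares the Return-Path address with the From address, since the worm forges From but the envelope sender still points at the sending host.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed hold rules in Mailman's "Header: regexp" syntax (not the list's real config).
HOLD_RULES = """\
# Lines that *start* with a '#' are comments.
Content-Disposition: attachment
Content-type: application/octet-stream
Content-type: multipart/mixed
from: .*@spammer-example.test
"""


def parse_hold_rules(text):
    """Return [(header_lower, compiled_regex, original_line)] for each non-comment rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or ':' not in line:
            continue  # blank, comment, or malformed: ignore, as an admin would expect
        header, pattern = line.split(':', 1)
        rules.append((header.strip().lower(), re.compile(pattern.strip(), re.IGNORECASE), line))
    return rules


def load_message(raw_bytes):
    """Parse raw RFC 822 bytes into an EmailMessage using the modern header policy."""
    return email.message_from_bytes(raw_bytes, policy=policy.default)


def matching_rules(msg, rules):
    """Return the original text of every rule that matches a header in any MIME part."""
    hits = []
    for header, regex, line in rules:
        for part in msg.walk():  # top-level message first, then each sub-part
            values = part.get_all(header, [])
            if any(regex.search(str(v)) for v in values):
                hits.append(line)
                break
    return hits


def sender_report(msg):
    """Compare the visible From address with the envelope sender in Return-Path."""
    from_addr = parseaddr(msg.get('From', ''))[1].lower()
    envelope = parseaddr(msg.get('Return-Path', ''))[1].lower()
    return {
        'from': from_addr,
        'return_path': envelope,
        # A Return-Path that differs from From is the sign JT used to find the real source.
        'forged_from_likely': bool(envelope) and envelope != from_addr,
    }


def build_sample(forged=True, attach=True):
    """Construct a sample message; the worm-like shape is forged From plus a binary attachment."""
    msg = EmailMessage()
    msg['From'] = 'hijacked.friend@example.org'
    # Constructed envelope sender: the actually infected machine's address when forged.
    msg['Return-Path'] = ('<actual.infected@isp-a.test>' if forged
                          else '<hijacked.friend@example.org>')
    msg['To'] = 'list@lists.example.net'
    msg['Subject'] = 'a funny game'
    msg.set_content('Hi, check this out')
    if attach:
        # Four placeholder bytes stand in for an executable; nothing here runs.
        msg.add_attachment(b'MZ\x90\x00', maintype='application',
                           subtype='octet-stream', filename='game.exe')
    return msg


SAMPLE_RAW = build_sample().as_bytes()
CLEAN_RAW = build_sample(forged=False, attach=False).as_bytes()

if __name__ == '__main__':
    rules = parse_hold_rules(HOLD_RULES)
    for label, raw in (('worm-like', SAMPLE_RAW), ('clean', CLEAN_RAW)):
        m = load_message(raw)
        print(label, 'hold rules matched:', matching_rules(m, rules))
        print(label, 'sender report:', sender_report(m))
```

Run as a script it prints which rules would hold each sample and whether the envelope sender disagrees with From. The Return-Path check is only a lead, as JT's post says: it identifies the submitting host's envelope address, which is what you would contact, not proof of who was infected.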
Participants (5): Chuq Von Rospach, JT, Phil Barnett, Ron Jarrell, Terri Oda