[Mailman-Developers] New emerging virus/worm. Grr.

Chuq Von Rospach chuqui@plaidworks.com
Tue, 23 Apr 2002 10:07:31 -0700


Passing this along, because this has implications to list owners.

A new emerging worm is out there in Windows land. That's bad enough, but
this one has the hack that instead of repropagating via email using the
owner's email address, it repropagates using a random address in the infected
machine's address book as the From, while sending to other random addresses
in the book.

Last night, I started getting email from a friend (who happens to be a top
computer security guy in the country) from an address he hasn't used in
three years, and he doesn't use Windows. Other people started getting email
from ME that was infected.

This morning, the complaints started coming in that my mailman system was
sending out infected emails, or that it was sending people admin messages
because some infected machine was sending TO my mailman system as someone
else, so they were getting the return notice.

Here's what I'm currently sending out to people that complain about these
bogus mailman messages....

---

Someone out there has both your address and our address in their address
book, and is infected with this virus:

<http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html>

One of the side effects is that when it tries to reinfect, it takes an
address from the address book at random, and uses it as the "from" in
sending to someone else. So there's some third party that's hijacked your
email address and is using it to forward infected messages. And there's not a
thing either of us can do about it, because neither of us are infected (or
at least, we aren't) or control the machine doing it.

This is an emerging worm, and it looks pretty ugly. It has hit Hong Kong and
Great Britain worst so far, but it's spreading rapidly according to people
I've talked to.


---

This one has the possibility to get really ugly and nasty, folks, because
it's hijacking addresses. Users can't depend on being yelled at by friends
for being infected, because this new worm hides behind random return
addresses. Which means the only thing you know is that the "person" sending
you the email isn't the one infected, but someone who knows both of you
is... 

At least, as far as I can tell so far. The experts still seem to be trying
to get a handle on it...



-- 
Chuq Von Rospach, Architech
chuqui@plaidworks.com -- http://www.chuqui.com/

The Cliff's Notes Cliff's Notes on Hamlet:
    And they all died happily ever after