Someone is Sending Mail in Our Name
Monday, January 26 2004 @ 06:32 PM EST

Just letting everyone know that someone has sent out email as if from me and MathFox. I know because I got one, supposedly from me to me, saying Hello in the subject line. Duh. MathFox's says Hi. The IP addresses are not ours. There is an attachment. I haven't sent anyone any attachments. Do not open. The body of the message is not in English, so I don't know what it says. I probably don't want to know.

UPDATE: Windows users, if there are any here, please read this and take remedial action to prevent your computer being used: http://www.f-secure.com/v-descs/novarg.shtml


******************************

"A new worm known as Mydoom or Novarg is spreading quickly over email and Kazaa networks. In emails, it uses variable subjects, bodies and attachment names. The worm opens Notepad with garbage data in it. It also attacks SCO.COM with a DDoS-attack.

"Summary

"Novarg is a worm that spreads over email and Kazaa p2p network. When executed, the worm opens up Windows' Notepad with garbage data in it.

"The worm opens up a backdoor to infected computers by listening to TCP port 3176. This is done by planting a new SHIMGAPI.DLL file to system32 directory and launching it as a child process of EXPLORER.EXE."
***************************

I don't use a Windows computer for email, so this virus is definitively not from my account. If you do use a Windows computer, please follow the steps outlined in the F-Secure article to make sure you don't contribute to this problem.

MORE:
http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2004/01/26/financial2102EST0374.DTL&type=printable

"The attack was first noticed Monday afternoon. Within hours, thousands of e-mails were clogging networks, said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team.

"Besides sending out e-mail, the program appears to open up a backdoor so that hackers can take over the computer later.

"'As far as I can tell right now, it's pretty much everywhere on the planet,' Gullotto said.

"Security software experts were scrambling to decrypt the details of the malicious program and were arriving at different conclusions.

"Symantec, an antivirus company, said the worm appeared to contain a program that logs keystrokes on infected machines. It could collect username and passwords of unsuspecting users and distribute them to strangers.

"Network Associates did not find the keylogging program.

"Symantec also found code that appeared to target The SCO Group Inc., which claims some of its intellectual property has ended up in the Linux operating system and is threatening lawsuits. SCO's Web site, which has been targeted in the past, was available but sluggish late Monday. Other firms, however, could not confirm that aspect of the attack."


******************************




Header on the one pretending to be from me:

From: pj@groklaw.com
Subject: hello
Date: January 26, 2004 3:59:37 PM EST
To: pj@groklaw.com
Received: (qmail 13805 invoked from network); 26 Jan 2004 21:14:23 -0000
Received: from smtpout-1-1a.secureserver.net ([64.202.166.20]) (envelope-sender <pj@groklaw.com>) by smtp-1-4a.secureserver.net (qmail-ldap-1.03) with SMTP for <pj@groklaw.com>; 26 Jan 2004 21:14:23 -0000
Received: (qmail 6183 invoked from network); 26 Jan 2004 20:58:28 -0000
Received: from d-128-95-244-216.dhcp4.washington.edu (HELO groklaw.com) (128.95.244.216) by smtpout-1-1a.secureserver.net with SMTP; 26 Jan 2004 20:58:28 -0000
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0008_28287E38.B9CCF0F9"


Header from the one pretending to be from Mathfox:

From: mathfox@groklaw.net
Subject: Hi
Date: January 26, 2004 3:59:29 PM EST
To: pj@groklaw.com
Received: (qmail 29603 invoked from network); 26 Jan 2004 20:58:11 -0000
Received: from smtpout-1-1a.secureserver.net ([64.202.166.20]) (envelope-sender <mathfox@groklaw.net>) by smtp-1-2a.secureserver.net (qmail-ldap-1.03) with SMTP for <pj@groklaw.com>; 26 Jan 2004 20:58:11 -0000
Received: (qmail 5446 invoked from network); 26 Jan 2004 20:58:20 -0000
Received: from d-128-95-244-216.dhcp4.washington.edu (HELO groklaw.net) (128.95.244.216) by smtpout-1-1a.secureserver.net with SMTP; 26 Jan 2004 20:58:20 -0000
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0008_BC28F045.C8A522B3"


*************************

CERT has this info on email with these headers:
http://www.cert.org/current/current_activity.html#mydoom

W32/Mydoom or W32/Novarg
added January 26

On January 26, 2004, the CERT/CC began receiving reports of a new mass-mailing virus now known as W32/Novarg.A, W32/Shimg, or W32/Mydoom. It arrives as an email message with a 22,528-byte attachment that has a random filename with a file extension of .cmd, .pif, .scr, .exe, or .bat. The attachment may also arrive as a ZIP archive. This malicious code has been reported to open a connection on port 3127/tcp or port 3176/tcp. In addition to email propagation, the virus attempts to spread through peer-to-peer file sharing networks by copying itself into the default folder used by KaZaA to share files.



"W32/Beagle or W32/Bagle
added January 20

"The CERT/CC has received reports of a new mass-emailing virus, referred to as "W32/Beagle" or "W32/Bagle". It arrives as an attachment to an email with the subject line of "Hi". The attachment is an executable file (.EXE) file with a file name consisting of a random sequence of characters. Upon opening the attachment, the virus scans certain files on the user's system collecting email addresses, then attempts to mail itself to all e-mail addresses it found. The FROM: address is spoofed to hide the identity of the sender. Additionally, the virus opens a port on the user's system (usually port 6777) which permits an attacker to gain access to the system.

"The CERT/CC strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment."

  


Someone is Sending Mail in Our Name
Authored by: midav on Monday, January 26 2004 @ 06:42 PM EST
PJ do not worry, it is just a virus.

I am getting a bunch of these on my corporate e-mail address. It has Hi, Hello, Test subject and a ZIP attachment. Do not open it :)

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Jude on Monday, January 26 2004 @ 06:42 PM EST
It's probably one of the new viruses WS/Dumaru.y or W32/Dumaru.z

I just got an alert about them from my employer's security staff. And you're
right, you don't want to open the attachments.


[ Reply to This | # ]

Do not open
Authored by: overshoot on Monday, January 26 2004 @ 06:43 PM EST
Well, that depends on how you open it, now doesn't it?

Since I run the mailserver at home and have plenty of plain-text mail tools, I'll have a look when I get home tonight and let y'all know what I find. I'll be more than a bit surprised to find anything dangerous to a Linux system.

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: fidget on Monday, January 26 2004 @ 06:45 PM EST
Looking like the standard spammer spoofing technique (spoof the from address). If you want to hunt down the cause, use ARIN WHOIS to verify the ownership of the IP addresses. Looks like someone at the University of Washington has an infected computer. Forward the email to their abuse team.

[ Reply to This | # ]
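
The check suggested above (find the real sending host behind a forged From address) can be run over the two header blocks quoted in the article. This is an added example, not part of the original post or comments: it treats relays under secureserver.net as the recipient's trusted provider (an assumption), and the finding names and the dynamic-hostname pattern are hypothetical heuristics.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed from the two header blocks quoted in the article (Date lines omitted).
HELLO_MSG = (
    "From: pj@groklaw.com\n"
    "Subject: hello\n"
    "To: pj@groklaw.com\n"
    "Received: (qmail 13805 invoked from network); 26 Jan 2004 21:14:23 -0000\n"
    "Received: from smtpout-1-1a.secureserver.net ([64.202.166.20]) "
    "(envelope-sender <pj@groklaw.com>) by smtp-1-4a.secureserver.net "
    "(qmail-ldap-1.03) with SMTP for <pj@groklaw.com>; 26 Jan 2004 21:14:23 -0000\n"
    "Received: (qmail 6183 invoked from network); 26 Jan 2004 20:58:28 -0000\n"
    "Received: from d-128-95-244-216.dhcp4.washington.edu (HELO groklaw.com) "
    "(128.95.244.216) by smtpout-1-1a.secureserver.net with SMTP; "
    "26 Jan 2004 20:58:28 -0000\n"
    "\n"
)
HI_MSG = (
    "From: mathfox@groklaw.net\n"
    "Subject: Hi\n"
    "To: pj@groklaw.com\n"
    "Received: (qmail 29603 invoked from network); 26 Jan 2004 20:58:11 -0000\n"
    "Received: from smtpout-1-1a.secureserver.net ([64.202.166.20]) "
    "(envelope-sender <mathfox@groklaw.net>) by smtp-1-2a.secureserver.net "
    "(qmail-ldap-1.03) with SMTP for <pj@groklaw.com>; 26 Jan 2004 20:58:11 -0000\n"
    "Received: (qmail 5446 invoked from network); 26 Jan 2004 20:58:20 -0000\n"
    "Received: from d-128-95-244-216.dhcp4.washington.edu (HELO groklaw.net) "
    "(128.95.244.216) by smtpout-1-1a.secureserver.net with SMTP; "
    "26 Jan 2004 20:58:20 -0000\n"
    "\n"
)

HOP = re.compile(
    r"from\s+(?P<rdns>\S+)\s+"                     # name the receiver resolved for the peer
    r"(?:\(HELO\s+(?P<helo>[^)\s]+)\)\s+)?"        # name the peer claimed in HELO, if logged
    r"\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"   # peer IP, with or without brackets
    r".*?\bby\s+(?P<by>[^\s;]+)",                  # host that wrote this Received line
    re.S,
)
# Heuristic (assumption): substrings that often appear in end-user address pools.
DYNAMIC = re.compile(r"dhcp|dsl|dial|pool|dyn|ppp", re.I)


def entry_hop(raw, trusted=(".secureserver.net",)):
    """Return (message, oldest hop recorded by a trusted relay)."""
    msg = message_from_string(raw)
    entry = None
    for value in msg.get_all("Received", []):      # newest hop first
        m = HOP.search(value)
        if not m:
            continue                               # "(qmail N invoked from network)" lines
        if not m["by"].lower().endswith(trusted):
            break                                  # written by an unknown host: may be forged
        entry = m.groupdict()
    return msg, entry


def analyse(raw, trusted=(".secureserver.net",)):
    """Describe the host that handed the message to the trusted relays."""
    msg, hop = entry_hop(raw, trusted)
    if hop is None:
        return None
    rdns, helo = hop["rdns"].lower(), (hop["helo"] or "").lower()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    if helo and rdns != helo and not rdns.endswith("." + helo):
        findings.append("helo_mismatch")           # greeting does not match reverse DNS
    if helo and helo == from_domain:
        findings.append("helo_copies_from_domain") # greeting echoes the forged From domain
    if hop["ip"].replace(".", "-") in rdns or DYNAMIC.search(rdns):
        findings.append("dynamic_rdns")            # looks like a client address, not a mail server
    return {"ip": hop["ip"], "rdns": rdns, "helo": helo, "findings": findings}


def origins(messages):
    """Set of entry IPs across several messages; one IP means one sending host."""
    return {r["ip"] for r in map(analyse, messages) if r}


if __name__ == "__main__":
    for raw in (HELLO_MSG, HI_MSG):
        print(analyse(raw))
    print("distinct origins:", origins([HELLO_MSG, HI_MSG]))
```

The IP it reports is the one to look up in WHOIS and to include when forwarding the message to the owning network's abuse contact.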

Someone is Sending Mail in Our Name
Authored by: brenda banks on Monday, January 26 2004 @ 06:46 PM EST
yep i am getting all kinds of email that i know prolly are viri but i just
delete
the fulldisclosure list was talking about a new worm


---
br3n

irc.fdfnet.net #groklaw

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Anonymous on Monday, January 26 2004 @ 06:47 PM EST

PJ, what they said. All it means is that someone who has your e-mail and
MathFox's in their Outlook address book got infected with a virus.

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Scriptwriter on Monday, January 26 2004 @ 06:49 PM EST
There are some Trojan horses going around that use subject names like
"Hello" and "Hi." Some of them will actually forge
themselves to pretend to be from the recipient. As if I wouldn't know if I were
sending myself mail. (I've gotten to where if the subject line just says
"Hi" the message goes in the trash unread. I think the chance of me
throwing out any mail from the girl I had a crush on in high school or something
is pretty remote.)

To anyone for whom this is a problem, I highly recommend Spamassassin. The
amount of spam I have to deal with has dropped to a very manageable level since
I started using Spamassassin. (This recommendation is for the *n*x users in the
crowd. There's a product that implements Spamassassin for Windows, but I don't
know anything about it. Sorry.)

---
He who sells / What isn't his'n / Is headed for / Some time / In prison /
Burma-Shave

irc.fdfnet.net #groklaw

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Anonymous on Monday, January 26 2004 @ 06:49 PM EST
Virus is Novarg.a (Symantec) and spreads via email as .zip, .pif, .scr, and
.exe.

Look for the DLL shimgapi.dll in System32 or System (sometimes both).

Also, if you've rebooted taskmon.exe will show up in your process list opening
ports 3127 and 3128.

It's a category 4 but so far doesn't appear to be destructive.

See your favorite AV vendor for an update.

[ Reply to This | # ]
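
A mail-gateway screen built from the attachment traits in the CERT note quoted in the article (the listed extensions, the 22,528-byte size, and the ZIP variant). This is an added example, not code from the original post or from CERT: the sample message, its file names and the reason strings are constructed for illustration, the payloads are zero bytes, and treating a zipped member of that size as a match is an assumption.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

RISKY_EXT = (".cmd", ".pif", ".scr", ".exe", ".bat")  # extensions listed in the CERT note
CERT_SIZE = 22528                                     # attachment size given in the CERT note


def screen(raw):
    """Return (name, reason, size_matches_cert) for each suspicious attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(RISKY_EXT):
            hits.append((name, "executable extension", len(data) == CERT_SIZE))
        elif name.endswith(".zip") or data.startswith(b"PK\x03\x04"):
            # Look inside the archive instead of trusting the outer file name.
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if info.filename.strip().lower().endswith(RISKY_EXT):
                            hits.append((f"{name}/{info.filename}",
                                         "executable inside zip",
                                         info.file_size == CERT_SIZE))
            except zipfile.BadZipFile:
                # An archive the scanner cannot read should not pass silently.
                hits.append((name, "unreadable zip", False))
    return hits


def build_sample():
    """Constructed test message: harmless zero-filled payloads with worm-like names."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "hello"
    msg.set_content("constructed sample body")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.scr", b"\0" * CERT_SIZE)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    msg.add_attachment(b"\0" * CERT_SIZE, maintype="application",
                       subtype="octet-stream", filename="body.pif")
    msg.add_attachment("plain notes", filename="notes.txt")
    msg.add_attachment(b"not a zip", maintype="application",
                       subtype="zip", filename="broken.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in screen(build_sample()):
        print(hit)
```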

Someone is Sending Mail in Our Name
Authored by: lpletch on Monday, January 26 2004 @ 06:50 PM EST
I received one a few days ago; it is a relatively harmless Windows virus attachment. It used @groklaw.com so I knew it was not legit.

The profile is here

---
lpletch@adelphia.net

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Sunny Penguin on Monday, January 26 2004 @ 06:57 PM EST
I can never get these viruses to install.
Where is the "makefile" ?

<G>

---
Litigation is no substitute for Innovation.
IMHO IANAL

[ Reply to This | # ]

Roach Motel XP
Authored by: Anonymous on Monday, January 26 2004 @ 07:06 PM EST
Another reason to run Linux or get a Mac: Windows is a roach motel.

[ Reply to This | # ]

For Immediate Release
Authored by: Alex on Monday, January 26 2004 @ 07:07 PM EST

This virus laden e-mail has gone out due to a DDOS attack against Groklaw's
unprotected servers by pro-Proprietary software zealots. The FBI, the Secret
Service, and every computer journalist on our copious mailing list have all been
informed of these crimes.

You can expect a press release from Steve Ballmer shortly wherein he will
announce that an anonymous MCSE who's upset over Linux taking his job away is
responsible for these attacks.

Yeah Blake, it sounds just as stupid when you say it.

Alex

---
Hey Darl!! Did Ross Perot draw your chart?"

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: eric76 on Monday, January 26 2004 @ 07:09 PM EST

According to Mydoom worm spreading rapidly, the Mydoom/Novarg worm attacks sco.com. So it is quite possible that it is using the groklaw addresses intentionally.

Mydoom carries varying subjects such as "HELLO" or a blank subject, as well as a variety of messages and attachments. When loaded, it calls up Notepad and displays random characters, while creating a copy of itself and modifying the infected machine's Windows registry to run the code upon start-up. It may open a TCP port to listen for commands from a remote attacker, according to Dunham.

"It also attacks sco.com with a DDoS [denial-of-service] attack," said a statement from F-Secure.

It can spread by both e-mail and the Kazaa file-sharing system, several antivirus vendors said.

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Anonymous on Monday, January 26 2004 @ 07:10 PM EST
According to F-Secure this virus attacks sco.com with a DDOS attack. So, it is not completely unrelated to Groklaw. It runs only under Windows, of course. It's apparently spreading incredibly quickly. I've received half-a-dozen copies myself. Thad Beier

[ Reply to This | # ]

Novarg.a Virus is a SCO DDOS attack trojan
Authored by: mikeca on Monday, January 26 2004 @ 07:18 PM EST
According to Symantec's initial analysis, the Novarg.a virus "Can
perform a Denial of Service against www.sco.com"

See http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Anonymous on Monday, January 26 2004 @ 07:23 PM EST
My address is being forged too. I reported it to the
attacker's ISP. However I've received a bunch more since
so I suspect it's a new 'winders email trojan (or maybe a
worm but it seems too slow for that).

[ Reply to This | # ]

Yahoo Mail Servers Infected
Authored by: Anonymous on Monday, January 26 2004 @ 07:36 PM EST
Since about 3:30 PM EST (or EDT) I have noticed daemon notices in my Inbox at
Yahoo.com.
Here is an example (my name is not Marla Hamm):

-----Transcript of session follows -------
dlalonde@cpapronet.com
The user's email name is not found.
dlang@cpapronet.com
The user's email name is not found.
dknopf@cpapronet.com
The user's email name is not found.
dongle@cpapronet.com
The user's email name is not found.

Forwarded Message [ | Download File ]

From:
"Marla Hamm" <mogiljan@yahoo.com><<<<<<<
My name is not Marla Hamm>>>>>>>>.

To:
dongle@cpapronet.com
CC:
dlalonde@cpapronet.com, dlang@cpapronet.com, dknopf@cpapronet.com
Subject:
Why are you paying full price for your meds. Pnte.r.min, Va|l|ium, _XANAX_
available01ggnhMqz4eG
Date:
Mon, 26 Jan 2004 07:13:22 -0500

HTML Attachment [ Scan and Download ]
Our online shop is your source for locating many prescription drugs without a
prior prescription in compliance with FDA regulations.
We offer you a choice of original and generic medications.
Enjoy deep discount meds here.

[ Reply to This | # ]

Can I Play, Too?
Authored by: DaGoodBoy on Monday, January 26 2004 @ 07:38 PM EST
Anyone have a packet trace of the traffic it sends to SCO? If it was available, somewhere, I'm sure that someone would write a simple traffic generator for Linux, so the Linux users could play too. Sometimes I feel so left out because I run Linux and all the Windows users get these big, dramatic computer problems to live through. My little linux laptop just runs and runs and nothing interesting ever happens to it... Oh well.

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Anonymous on Monday, January 26 2004 @ 07:41 PM EST
PJ, this happens all the time. It's either a virus or spam. From time to time
I get a whole string of rejection notices on email I didn't send, and some of
my customers complain of the same thing. Spam bots collect addresses from
websites and newsgroups and viruses collect them from received email, browser
caches, etc. When a spam engine or a virus/worm sends out email it uses one of
these as the originating address so as to get past filters that reject out of
hand any email without a valid sender hostname. Do a whois on the originating
IP address and if it comes up as originating in China or Korea it's probably
spam. If it comes up originating in the US, UK or Europe, it's probably a
virus.

And as others have said, Linux users need not worry about getting infected.

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Anonymous on Monday, January 26 2004 @ 07:58 PM EST
Apparently (according to other analyses) a number of
"well known" websites are used as the return address, so
groklaw is apparently not the only target.

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: RDH on Monday, January 26 2004 @ 08:01 PM EST
I was feeling all warm and special when I thought I was getting an email from
the Great Goddess herself. Turned out to be the virus email. My filters and
scanners caught it very quickly, so no harm was done.

I think, and this looks to be true, that a spambot was used to troll through the
posts harvesting email addresses; otherwise, how would one know the connection
between me and Groklaw? Granted it could be random, but the probability would be
very low.

Keep your eyes posted, good people.

RDH

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Hygrocybe on Monday, January 26 2004 @ 08:08 PM EST
PJ, I have had letters to the editor published in both the Australian PC
Authority and the English Linux Format regarding spam, viruses and how to deal
with them. I find that usually these 'script kiddies' work in HTML, so my
filters now look in the message body for the 'off' symbol of '</' and
also (to stop encoding spammers) the text of: 'base64' or 'Base64'. I find
this catches 100% of html and thereby about 99% of spam and I divert this to a
separate folder for destruction. (This method also catches, without any
alteration, 100% of the new method of using strings of queer words: if the
spammer uses html, he/she is caught.) I also suggest that my correspondents
write to me in plain text, not html and if they want to send me attachments, let
me know in advance. In any event, as some above have implied: opening
attachments from unknown sources is akin to playing Russian Roulette with your
computer. So far my SuSE Linux 9 machine has had no problems in dealing with or
deleting any of the rubbish.

That to one side, I suppose this sort of attack was inevitable given the
pre-natal mental age of these juveniles. But it does make you a little annoyed,
even if you are unaffected......I perceive this as a deliberate attempt to smear
your good names, and I don't like it.



---
Lamington Nat Park

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: maxhrk on Monday, January 26 2004 @ 08:08 PM EST
Looks like I haven't received from them yet pretty much on my cs mail. I am using
Mozilla too, so I guess I can be a little safe on Windows 98 for the time being. Oh
yeah, I warned my mom about the virus so it seems all right now.

---

Sincerely,
Richard M.

[ Reply to This | # ]

For those of you just tuning in...
Authored by: Jude on Monday, January 26 2004 @ 08:19 PM EST
Tonight's SCOdown is brought to you by Microsoft:
"Who do you want to DDoS today?"

Ain't closed proprietary software wonderful?


[ Reply to This | # ]

Conspiracy
Authored by: converted on Monday, January 26 2004 @ 08:25 PM EST
Perhaps this is the SCO Microsoft link we've been looking for! *smirk

These folks must be getting constipated with all this irony in their diets.

[ Reply to This | # ]

Got any from slashdot@ramestaylor.com?
Authored by: rjamestaylor on Monday, January 26 2004 @ 08:30 PM EST
If anyone gets one from slashdot@rjamestaylor.com, please let me know (but use a different account name than that to tell me -- that's my /dev/null alias).

I made a decision not to obfuscate my email on /. long ago and am always the first on my block to get all the cool product announcements, Nigerian finance offers, auto-executing attachments and corpus maximus hints.

Oh, but I never send anything out using that alias.

---
SCO delenda est! Salt their fields!

[ Reply to This | # ]

Bad Day for Windows worms
Authored by: valdis on Monday, January 26 2004 @ 08:33 PM EST
OK guys.. Please note there are multiple things on the loose this day.

So far, I've had to send off things that were subsequently named Dumaru-Z and SCO-A, and another one that I've yet to have ID'ed. There's also a Mimail-Q that I've actually managed to not get a copy of yet.

And yes, they weren't named yet when I caught the inbounds. I'm obviously in waaaay too many people's e-mail folders. One of the joys of spending 15 years posting frequently to high-profile lists is the incredible amount of stuff you get when one of these address-scraping worms gets loose.

Fortunately, there's procmail. :)

[ Reply to This | # ]

According to Netcraft
Authored by: converted on Monday, January 26 2004 @ 08:39 PM EST


SCO's site is down

[ Reply to This | # ]

Not groklaw related
Authored by: Anonymous on Monday, January 26 2004 @ 08:43 PM EST

At least not directly. The description on McAfee's website (thanks for the link, lpletch) says that the virus harvests both the To and From address, and "the first message sent by the virus uses the same harvested address in the TO and FROM fields." So PJ probably just got sent the virus from the infected machine of someone who had her and mathfox in his address book.

[ Reply to This | # ]

PJ's Windows Warning
Authored by: Weeble on Monday, January 26 2004 @ 08:51 PM EST
" UPDATE: Windows users, if there are any here, please read this and take
remedial action to prevent your computer being used:
http://www.f-secure.com/v-descs/novarg.shtml "

PJ, I was one step ahead of you--I missed this the first time (yeah, whichever
Anonymous commented thus in another article, I have ADD too--though it's more
properly ADHD-Inattentive if you don't have the hyperactivity, and I don't),
but I did hit my update button in AVG AntiVirus right away as I read the story
and comments.

What's interesting is that when I *did* go to the page you suggested, I
recognized from the description that I'd only minutes before deleted one of
those messages (not with your or MathFox's addy) from those that I'd
downloaded from comp.unix.sco.misc! Guess someone wants to try to infect a few
SCO consultants' computers (and yes, some of them use Windows on their PCs).

---
"Every time I think I've heard it all from SCO, they come
up with a new howler." Steven Vaughan-Nichols, eWeek

[ Reply to This | # ]

The price of cyber fame
Authored by: Anonymous on Monday, January 26 2004 @ 08:52 PM EST
The price of cyber fame is having your address propagated to a myriad of
Microsoft based address books. The cyber paparazzi of Windows worms will track
you down and harass you and a million of your most intimate acquaintances.

No big deal, really. Just a monopoly at work :)

[ Reply to This | # ]

technology vitamin softball jabberwocky
Authored by: Anonymous on Monday, January 26 2004 @ 09:01 PM EST

Now for only $699 you can prevent your company from being sued for using Linux software with UNIX source code that was inappropriately included.

Click here for more information.



Click here if you wish to be removed from our mailing list.

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Mark_Edwards on Monday, January 26 2004 @ 09:02 PM EST
First of all I do not support the people that are doing
this !!!!

But you have to admit that Microsoft software doesn't
half get this virus around fast with the number of
people both on Groklaw and Yahoo Finance that have
received it...

So far I have only received one copy of the virus from
one of the mailing lists I am subscribed to. It has
come from wanadoo.nl so it seems it is not only
groklaw.com it is imitating..

Oh well. One day Microsoft might wake up to email
viruses and write software that doesn't help spread
them so easily.

Mark.

[ Reply to This | # ]

SCO attack
Authored by: lpletch on Monday, January 26 2004 @ 09:08 PM EST
SCO is having a little trouble right now

http://uptime.netcraft.com/perf/graph?site=www.sco.com






---
lpletch@adelphia.net

[ Reply to This | # ]

Heh, Better get a lawyer.
Authored by: Anonymous on Monday, January 26 2004 @ 09:14 PM EST
PJ - What with SCO's remarkably selective recognition of reality, I'm sure
they feel this is clearly actionable against you.

What more could SCO need? They have an e-mail sending a DDoS attack out with the
word Groklaw as sender. Open and Shut. No?

Shame on you.

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Anonymous on Monday, January 26 2004 @ 09:14 PM EST
Yes there are a few windows users reading Groklaw. I am one , I just got hooked
into the story and agree SCO is trying to spread FUD.
Thanks for the warning , any windows user still opening emails with attachments
they were not expecting to get is a fool.
I know someone will call me a fool for using windows, but I cant get Linux to do
what I want it to do. I keep checking back though. Maybe one day I will know
enough to use it or it will get more user friendly.

[ Reply to This | # ]

Viruses are often opportunistic
Authored by: gvc on Monday, January 26 2004 @ 09:23 PM EST
This is not the first time that a virus writer has picked up on current events.

I suspect this is a copycat of the alleged DDOS attack on SCO, with the added
twist of forging addresses to cast suspicion on PJ et al.

It is much more consistent with a real DDOS - lots of ancillary evidence that
machines are being compromised using a known vector. Previous attacks were
major stealth efforts.

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: maxhrk on Monday, January 26 2004 @ 09:33 PM EST
I tried to access CNN.com; I don't know if it is DDoS'ed or not. Is it working
for anyone?

---

Sincerely,
Richard M.

[ Reply to This | # ]

Off topic and disgusting. . .
Authored by: Anonymous on Monday, January 26 2004 @ 09:35 PM EST
Check this link:

http://cnnfn.investor.reuters.com/ReportDetails.aspx?docid=31885918&sId=1

"SCO GROUP is currently rated A (highest rating)."

No product, no nothing. Caldera is a fraud and yet has a buy rating.

krp

[ Reply to This | # ]

  • A paid shill - Authored by: Anonymous on Monday, January 26 2004 @ 09:45 PM EST
    • A paid shill - Authored by: DB on Tuesday, January 27 2004 @ 11:13 PM EST
Total Cost of Ownership
Authored by: Anonymous on Monday, January 26 2004 @ 09:40 PM EST
Viruses are one of the things that make Microsoft's claims so laughable. In a
desperate attempt to keep the world from upgrading to Linux, MS claims that
Windows has a lower total cost of ownership than Linux. None of the MS claims
has any basis in fact.

A study published online estimates that viruses cost MS users about $55 billion
last year alone. In all of the studies that MS commissions, though, somehow
nobody ever adds in this cost or even considers Windows' weakness in this area.

[ Reply to This | # ]

OT--Australia Says No to SCO
Authored by: lpletch on Monday, January 26 2004 @ 09:50 PM EST
Australian IT has an article about the Australian government rejecting SCO's license offer.
SCO Australia-New Zealand manager Keiran O'Shaugnessy said he had received a dozen queries about the licences that day.

None of the companies had confirmed they would purchase a SCO licence, he said.

Government Linux users contacted by The Australian IT said they were not planning to purchase the licences.

Department of Veterans Affairs infrastructure and services manager Tony Ablong said the department used Linux extensively on servers and desktops.

"They have to take it up with IBM or Red Hat, not with us," he said.

"We bought a service from IBM."

---
lpletch@adelphia.net

[ Reply to This | # ]

Corporate E-mail networks - a word of warning
Authored by: valdis on Monday, January 26 2004 @ 09:50 PM EST
Don't be all smug that you think you're totally protected just because you have a nice A/V solution on your e-mail hub. Such things are nice, and a very helpful tool (our site loves our Mirapoint boxes ;).

However, there's 3 problems:

  • You're still a sitting duck between when a burn starts and when your vendor gets an update out and you get it to your scanner and in production. Even with hourly updates at our site, we still got some 82 boxes that got whacked by Dumaru-Z (which out of a 60K user community isn't too bad, I guess).
  • You're still a sitting duck for laptop users who bring something to work with them on Monday morning.
  • You're still a sitting duck for things like the current MyDoom/Novarg that's targeting SCO - it is able to spread both via e-mail and via Kazaa.

Of course, if your local site has taken action to deal with those 3 points, you're allowed to be smug. :)

[ Reply to This | # ]

Worm.SCO.A
Authored by: homebrew on Monday, January 26 2004 @ 09:58 PM EST
I had to check after I saw this thread. Wouldn't you know, there were a few
emails with the Worm.SCO.A that were stopped by amavisd-new.

On the other systems I use a different scanner and have been getting a lot of
infected: I-Worm.Novarg since turning on the option to send the messages to a
virus notification mailbox (22 in a few minutes). I guess it is the same virus
but clamav recognizes it differently.

It's easier and cheaper to use a Linux box to protect Windows users from
Microsoft's lack of security concern.

Time to pull out those old pentium 100's.


550 5.7.1 Message content rejected, id=16526-04-2 -
VIRUS: Worm.SCO.A
Virus scanner output:
/var/lib/amavis/amavis-20040126T170733-16526/parts/part-00008: Worm.SCO.A FOUND

The message has been quarantined as:
/var/lib/amavis/virusmails/virus-20040126-185039-16526-04-2

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: kberrien on Monday, January 26 2004 @ 10:04 PM EST
PJ, hunger strike! Stop the cyber violence!

- anyone remember Gandhi?

The whole SCO website crash fiasco of months ago left a bad taste in my mouth,
and now this.

This does make me think of an interesting mind experiment for us legal amateurs,
however. To say it mildly, SCO has an interesting way of litigation, and picks
very "interesting" cases to bring to court. Would something like
this stand up? Makes about as much, or maybe more sense than some of their
other cases?

SCO.com gets attacked from the worm. Website goes down for days, SCO loses
money. SCO sues Microsoft for damages, for negligence in its software. In the
discovery process they go on a fishing expedition for proof Microsoft knows of
its vulnerabilities, but does not fix them.

Does SCO have a case?

[ Reply to This | # ]

The IP numbers ...
Authored by: Anonymous on Monday, January 26 2004 @ 10:18 PM EST
are from all over the map and apparently spoofed. Just for grins, as long as
the system is Linux, you can save any attachments and look for strings. If
there are calls to the Win32.dll, or other identifiable windows dlls, well,
don't forward to any Windows using friends.

[ Reply to This | # ]

Virus set to attack SCO
Authored by: Bill The Cat on Monday, January 26 2004 @ 10:18 PM EST
There are many reports like this one and the security sites (CERT, etc.) as well as anti-virus program home sites that are reporting that a virus is aimed to attack SCO. The files look legitimate but have E-Mail addresses from "Known" users and even yourself. The virus can have multiple subjects too. Check the web for more info.

---
Bill Catz

[ Reply to This | # ]

Me too
Authored by: Captain on Monday, January 26 2004 @ 10:27 PM EST

Someone is sending them in my name too, since around Sunday. Obviously scraped from my website. Very annoying.

In other news: There seems to be a new e-mail virus that aims to DDOS SCO again. Stupid kids are at it again.

link

[ Reply to This | # ]

DDoS not till Feb 1st?
Authored by: gdeinsta on Monday, January 26 2004 @ 10:28 PM EST

Someone else posted a link to an article on news.com.com. I have reposted top-level to draw attention to this statement in the article:

Once the virus infects a Windows-running PC, it installs a program that allows the computer to be controlled remotely. The program primes the PC to send data to the SCO Group's Web server, starting Feb. 1, a virus researcher said on the condition of anonymity.

So don't expect to see a DDoS attack just yet. Assuming the word of an "anonymous virus researcher", that the virus is primed to attack sco.com, is credible to begin with. I don't know why a legitimate virus researcher would need to remain anonymous.

[ Reply to This | # ]

SCO mentioned on CNN
Authored by: kberrien on Monday, January 26 2004 @ 10:34 PM EST
>At the same time, MyDoom appeared to launch a Denial of
>Service attack on the site for SCO Group, a California
>company which recently sued IBM, challenging that firm's
>intellectual property in parts of Linux. SCO.com was
>inaccessible for some time Monday afternoon.

http://www.cnn.com/2004/TECH/internet/01/26/mydoom.worm/index.html

It would appear SCO has finally made it to CNN, at least indirectly. Perhaps
more mainstream attention will be drawn to SCO (good/bad) due to this worm, at
least for a little while.

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Dave Lozier on Monday, January 26 2004 @ 10:34 PM EST
I'm getting a few returned emails that are purportedly from me to others but I
never sent them. I'm on SuSE so I feel fairly safe from that windows feature.

It does drive me nuts knowing that someone may be cussing my name when they
receive this stuff. *sigh*

---
~Dave

[ Reply to This | # ]

Vague allegation alert - New worm allegedly targets SCO
Authored by: Tim Ransom on Monday, January 26 2004 @ 11:38 PM EST
From here:

'Symantec also found code that appeared to target The SCO Group Inc., which claims some of its intellectual property has ended up in the Linux operating system and is threatening lawsuits. SCO's Web site, which has been targeted in the past, was available but sluggish late Monday. Other firms, however, could not confirm that aspect of the attack.'

Thanks again,

[ Reply to This | # ]

OT: FUD alert
Authored by: Tim Ransom on Monday, January 26 2004 @ 11:49 PM EST
An article called Maybe SCO has a point

Some guy named Paul Krill. A sample:

'However, if the trend of giving away software continues to gather momentum, how do developers and software companies put bread on the table? Work a second job? This question is something I've pondered before, and now SCO seems to be backing me up.'

Thanks again

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Anonymous on Tuesday, January 27 2004 @ 12:27 AM EST
Got a dozen of that spam/virus.
No need for conspiracy theories.

[ Reply to This | # ]

Great news for SCO...
Authored by: belzecue on Tuesday, January 27 2004 @ 12:30 AM EST
What could be better?

A worm built to attack SCO.com, but discovered days in advance of its scheduled
attack so that SCO have plenty of time to avoid it...

... guaranteed widespread publicity that buries the recent bad press by (once
again) making SCO look like the poor victims in all this.

... more 'linux and FOSS are evil because they are terrorists' FUD for press
and the court.

Materially harmed by these attacks (which we do not condone)? On the contrary,
Mr Stowell. Conspiracy theories or not, methinks SCO is materially benefiting
from these actions.

[ Reply to This | # ]

A compliment I'd rather be without
Authored by: Kristoffer on Tuesday, January 27 2004 @ 01:05 AM EST
This virus/worm is completely idiotic and I hope it had never surfaced. It is
very frustrating and annoying.

Looking at the bright side of life, I think that the fact that someone would
write a virus/worm (that seems to launch a DoS against SCO) purely to miscredit
PJ, MathFox and Groklaw in general is a sign that Groklaw brings to light a
truth that is ill heard.

So, PJ, however frustrating this might be to you, don't be discouraged. It's
not your fault that someone is trying to mud the waters.

./ Kristoffer

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Graywing on Tuesday, January 27 2004 @ 01:15 AM EST
<conspiracy>
The virus was written by the wacks at sco to use the groklaw.com
domain to create a DDOS at their web site so that they can see look at
those even open source hippies attacking our site again. How I know
that it's the wack jobs SCO? it's groklaw.NET not groklaw.COM
</conspiracy>

Personally I think it is similar to the Klez where it grabs an address from
the infected machine and spoofs the from address. But of course I'm
probably wrong, I frequently am.

---
Ahh!! The mind what a wonderful trap.

[ Reply to This | # ]

Slightly OT --> Spam
Authored by: Anonymous on Tuesday, January 27 2004 @ 01:23 AM EST
Well, our KBE to be Bill Gates has pronounced some ways of how to stop spam in 2 years.

Have a look here

I especially think it's interesting Bill thinks, that the prevailing solution will be to have to pay for emailing someone...

I wonder who is going to collect that money... and if it will be an open standard... any bets ?

JAN

[ Reply to This | # ]

Safer Windows
Authored by: davcefai on Tuesday, January 27 2004 @ 01:43 AM EST
For the Windows users out there:

At the risk of upsetting fanatics (although I have come across very few on this
site) I agree that sometimes one has to use Windows. One can however be
reasonably safe.

For the cost of a hard disc you can set up a dual boot system with Windows on
one disc and Linux on the other. (Yes you can do it all on one disc but this
feels safer.) You will then find yourself spending less and less time in
Windows.

For the time when you have to use Windows:

1. Dump Outlook Express. You cannot set it not to open a message. When you go to
delete a message it opens it as soon as you highlight it. I use Calypso 3.1.
Free and very good. (Calypso 4 is a paid for prog). There are lots of other
email clients you can use.

2. If you use a web server, dump IIS and use an open source one. I use Savant
which is open source. If you need more functionality use Apache.

3. Do you really need MS Office? OpenOffice works very well and as yet there do
not seem to be any poisonous macros for it. Otherwise StarOffice is very cheap
and is essentially the same software.

4. AVG antivirus works superbly and does not hog your resources or crash while
loading.

Note that, from Linux, you can access most of your Windows documents (but not
vice versa) so save from Linux into your Windows Documents folders and you'll
always be able to get at them.

I hope this helps even one person migrate to Linux.

[ Reply to This | # ]

Non-Windows users have no reason being too smug about this worm
Authored by: Anonymous on Tuesday, January 27 2004 @ 01:55 AM EST
Predictably many comments here have expressed schadenfreude about buggy Windows
being hit by yet another worm. In many cases this would be warranted, but not in
this, since this is one of the worms that apparently does not really rely on any
flaw in Windows, other than the ease with which attachments can be executed, +
"social engineering" applied to users.

The _only_ reason Linux and its cousins do not suffer from this is that mail
programs in it normally require an attached file to be saved and the execute bit
to be set before it can be run.

One of these days some overly enthusiastic open-source programmer will add an
easy click-to-execute feature to a popular Linux mail client, and then similar
worms become possible... (maybe he will try to add restrictions and checks to
the feature, but these inevitably will have bugs). This appears to be a
convenience feature that cannot be safely added to software. Programs that
interact with files from external sources should always be written to assume by
default that such files are malicious, until proven otherwise.

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: belzecue on Tuesday, January 27 2004 @ 02:46 AM EST
Still no press release about this from SCO.

I guess they are waiting til closer to market opening time to maximize their FUD
ROI.

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Anonymous on Tuesday, January 27 2004 @ 03:53 AM EST
> The program primes the PC to send data to the SCO Group's Web server, starting
> Feb. 1
http://news.com.com/2100-7349_3-5147605.html?tag=nefd_lede

This is too obvious (but who am I to speculate)?
An SCO authored virus created possibly by SCO engineers (or friends) staged to
incriminate the open source community and at the same time use it as leverage to
further postpone the hearings (due to calamity).

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Anonymous on Tuesday, January 27 2004 @ 04:30 AM EST
This is very true. My home and work networks both sit behind Smoothwall
firewalls, have current AV software, use Pegasus as the mail client and I'm
careful about email use. XP on both has seen little spam and no virus problems,
yet. 'Touch wood' that is how it will stay. Oh and the ISPs at long last are
starting to do something about spam filtering and virus checking in all three
cases; not that that is any excuse to not take proper precautions yourself. One
of these days I will find time to stop playing with Linux and make it the
primary machine at home :), no chance at work :(

[ Reply to This | # ]

Mail not deliverable
Authored by: Anonymous on Tuesday, January 27 2004 @ 06:53 AM EST
i was getting a bunch of emails that i did not send returned undeliverable. i
suspect they were viri.

btw, why is it that i keep getting logged out?

phrostie

[ Reply to This | # ]

Advantage to Poly-culture
Authored by: snorpus on Tuesday, January 27 2004 @ 07:15 AM EST
This worm/virus/trojan is a perfect example of why a software mono-culture is a bad thing.

The virus is spreading largely because the vast majority of users are running Windows, and Outlook or OE.

If half the recipients of the virus were running non-Windows, the spread would be much slower (since half the attachments could not be executed).

Slowing the rate of spread would give the AV vendors more time to update their virus definitions... I noticed that NAV updated my Windows box around 6pm yesterday.

Having 3 or 4 popular OSes would slow the spread even more. Then we could focus on the cross-platform virii, such as Java and JavaScript.

---
73/88 de KQ3T

[ Reply to This | # ]

The one who is to blame...
Authored by: thiegroe on Tuesday, January 27 2004 @ 08:35 AM EST
... gets knighted in the UK!!

Marc

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Anonymous on Tuesday, January 27 2004 @ 08:42 AM EST
A new worm is currently widespread and will begin a DOS attack on SCO's website
on Feb 1.

http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

Also reported by The Register.

http://www.theregister.com/content/56/35127.html

Is this the same as the one mentioned above?

This represents the greatest opportunity ever presented to the 'Open Source
Community'. If the same people who created and maintain Linux and Apache can
organize a worldwide effort to eradicate the effects of this worm before it
strikes, the attendant publicity will be priceless.

-AIB.

[ Reply to This | # ]

BBC noticed, too. Too bad they got SCO wrong
Authored by: Anonymous on Tuesday, January 27 2004 @ 09:11 AM EST
See http://news.bbc.co.uk/2/low/technology/3432639.stm (this is the fast-loading lo-graphics edition I prefer to read).

Too bad they mis-characterize SCO, after telling the virus intends to DDoS it:

SCO is one of the largest Unix open-source vendors in the world. It has been in the news recently because it has claimed that key parts of the open-source operating system, Linux, are under SCO's copyright.

[ Reply to This | # ]

To head off the conspiracy theorists:
Authored by: Anonymous on Tuesday, January 27 2004 @ 09:32 AM EST
It's probably spammers behind this. They attacked spamhaus with a virus, and then used the compromised machines as spam relays.

This virus does the same thing, except that now everyone thinks there's a frothing linux fanatic behind it instead. Very convenient for the spammer.

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Graywing on Tuesday, January 27 2004 @ 09:39 AM EST
That was not the point of the post, I was only making a joke, like time
to put on your tin foil hats.

---
Ahh!! The mind what a wonderful trap.

[ Reply to This | # ]

Windows on GrokLaw
Authored by: Anonymous on Tuesday, January 27 2004 @ 09:51 AM EST
I hope to see more using Linux for their desktops this year.
To think I've made a living at disinfecting Windows boxes makes my stomach turn
these days.

Linux for viewing GrokLaw.... No winboxes attached to the net please. None
here... You too can achieve this.

Think anyone will listen?

[ Reply to This | # ]

the SCO.com angle is smokescreen for spammers
Authored by: Anonymous on Tuesday, January 27 2004 @ 09:53 AM EST
I suspect this is actually a spammer's worm, and the attack on www.sco.com is
just a smokescreen to cover the worm-writer's real intentions.

Highly unlikely the worm originates from a Linux user, since it is a Windows
worm. The author is a Windows user.

[ Reply to This | # ]

Press release time!
Authored by: TwinDX on Tuesday, January 27 2004 @ 09:55 AM EST
Is anybody willing to give me odds on the fact that, despite SCO being aware
that this virus' payload is going to attempt to DDoS them on a known day,
they'll deliberately let the site be taken down (or more likely, turn off the
server again) and then immediately issue a press release to say that a Linux
activist deliberately planted the virus, and that this just goes to show that
you can't trust Open Source developers and should stick to proprietary
operating systems?

And when somebody attempts to point out that it was the use of a proprietary OS
that caused it, it won't get reported by any of the knee-jerk press that we've
come to know and loathe...

[ Reply to This | # ]

Who?
Authored by: Anonymous on Tuesday, January 27 2004 @ 10:35 AM EST
If it is a Linux user, it is probably a very stupid one. The reason why
someone starts such dos attack could be because someone hates some company,
but I think that in most cases someone wants some attention. They know when
SCO is involved they get much attention. When it get much press coverage, it
gives much satisfaction when you started this. Also it is a fact that most
other high profile companies like Microsoft, IBM and so have probably protected
themselves for DDOS attack.

[ Reply to This | # ]

Someone is Sending Mail in Our Name
Authored by: Graywing on Tuesday, January 27 2004 @ 10:53 AM EST
That was not the intention of this post. It was meant to be funny as in
"time to put on the tin foil hats" kinda funny, and as a side note, who
ever said that you need proof to start a conspiracy theory. The theory
comes first then you start twisting the facts or start making up facts to
support it. Look at all the UFO conspiracies out there.

---
Ahh!! The mind what a wonderful trap.

[ Reply to This | # ]

Hold Up There a Moment Sparky!!!
Authored by: Anonymous on Tuesday, January 27 2004 @ 10:55 AM EST
By all accounts, the virus is supposed to launch a DDOS
attack on Feb 1. If so, why are there reports of SCO's site going down now?

Darl, here's how it works. You take the servers down and scream bloody murder
NEXT week. Doing it now just looks fishy.

[ Reply to This | # ]

Microsoft takes this opportunity to attack SCO
Authored by: Anonymous on Tuesday, January 27 2004 @ 11:33 AM EST
From CNET:
"As the latest mass-mailing worm spread across the Internet on Monday,
hitting Windows PCs with a program designed to attack the servers of Unix vendor
SCO Group on Feb. 1, Gates stressed the importance of security to his company's
products, but said that companies such as SCO were courting danger by sitting
back."

I wonder why Gates is attacking SCO? Does he think they are a threat to Windows?


The full article can be found here:
http://news.com.com/2100-1002_3-5148058.html?tag=nefd_top

[ Reply to This | # ]

Curious to note
Authored by: Anonymous on Tuesday, January 27 2004 @ 11:53 AM EST
This is a Windows virus, and SCO is obviously in bed with Windows; that alone
makes you wonder. Don't see how they're going to blame this on Linux (though
somebody at SCO certainly could lie and say so) but first, a question:

During some contacts with SCO and some other Canopy "Linux" folks
(like the old Lineo sales team), I noticed that most of them use - WINDOWS. No
kidding. I even razzed a few of them about it.

So, could this be like their alleged DDoS attacks, that is, could it be
self-inflicted to try to get pity from the Forbes and Salt Lake Tribunes of the
world?

[ Reply to This | # ]

Tin-foil hat alert
Authored by: Captain on Tuesday, January 27 2004 @ 12:29 PM EST
This attack had nothing to do with Groklaw. Other people have been sent e-mails,
which seem to come from people they know. I have had my share, but not from
Groklaw. It is a common fallacy of the open nature of e-mail. It's very, very
easy to spoof the sender's address, even in MS tools.

The worm has a higher chance of succeeding when the sender's address is one
that's found on the infected computer, so that's what it does: look for e-mail
addresses on the users' hard-disks. I think this site has been visited by a
considerable amount of Windows users, and is cached on a lot of hard-disks, so
the likelihood of the worm finding a groklaw e-mail address increases.

Spoofing of senders' addresses is not a Windows flaw. It's a flaw in e-mail
itself. In a way, spoofing sender's addresses is built in the e-mail system.
You can blame Windows for making it too easy to execute system commands, or
making it too easy to hide files from their true intentions, but not to allow
for spoofing. It is built into the protocol. Please stop thinking it was a
conspiracy against Groklaw.

[ Reply to This | # ]
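The point made in the comment above, that the From address is whatever the sender writes while the connecting IP is recorded by the receiving server, shown as an added example that is not part of the original thread. Both messages are constructed; `groklaw.example`, the IP addresses and the function names are placeholders, and the code assumes the topmost Received header was added by the recipient's own mail server with the peer IP in square brackets.

```python
from email import message_from_string
from email.utils import parseaddr
import re

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message: From, Return-Path and the lower Received line are all
# supplied by the sender and all claim the domain. Only the top Received line,
# written by the recipient's server, shows where the connection came from.
SPOOFED_SAMPLE = """\
Return-Path: <pj@groklaw.example>
Received: from groklaw.example ([198.51.100.23])
    by mx.groklaw.example with ESMTP; Mon, 26 Jan 2004 17:07:33 -0500
Received: from mail.groklaw.example ([192.0.2.10])
    by groklaw.example with SMTP; Mon, 26 Jan 2004 17:07:30 -0500
From: pj@groklaw.example
To: pj@groklaw.example
Subject: Hello

(constructed body)
"""

# Constructed message that really was relayed by the domain's own outbound host.
GENUINE_SAMPLE = """\
Return-Path: <pj@groklaw.example>
Received: from mail.groklaw.example ([192.0.2.10])
    by mx.groklaw.example with ESMTP; Mon, 26 Jan 2004 18:00:00 -0500
From: pj@groklaw.example
To: mathfox@groklaw.example
Subject: Comment queue

(constructed body)
"""


def connecting_ip(msg):
    """IP recorded in the topmost Received header, or None if it cannot be read."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = BRACKETED_IP.search(received[0])
    return match.group(1) if match else None


def check_sender(raw, our_domain, our_outbound_ips):
    """Compare what the headers claim with where the message actually came from."""
    msg = message_from_string(raw)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1].lower()
    ip = connecting_ip(msg)
    claims_us = header_from.endswith("@" + our_domain)
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "connecting_ip": ip,
        "claims_our_domain": claims_us,
        # An unreadable origin (ip is None) is treated as "not ours".
        "spoofed": claims_us and ip not in our_outbound_ips,
    }


if __name__ == "__main__":
    ours = {"192.0.2.10"}  # assumed list of the domain's real outbound IPs
    print(check_sender(SPOOFED_SAMPLE, "groklaw.example", ours))
    print(check_sender(GENUINE_SAMPLE, "groklaw.example", ours))
```
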

Someone is Sending Mail in Our Name
Authored by: Anonymous on Tuesday, January 27 2004 @ 12:37 PM EST
"I'm a Windows user, though a lot more educated than the average Windows
user."

I'm a certified tech with many years of experience. No harm meant but I've
always failed to see how anyone can use the term educated and windows in a
single sentence. But I will say that if you have administration experience with
other operating systems, the above would make more sense to me. Please bear in
mind that I am not directing this at a personality or you, but rather the
statements made.

"Windows is aimed at the lowest common denominator."

Yes. I agree with this to a point. But what you fail to realize is that the MS
code producers intend to keep you in the dark. Most that use windows can be
considered the lowest common denominator even when comparing to a Unix beginner.
Worse yet, MicroSoft has full intention of seeing to it that most remain as
such. There are no provisions within MicroSoft or their ways to make their
operating systems geared towards any other than what you classify as
"lowest common denominator".

"That means the majority of users simply doesn't know how a computer or
the Internet works. They cannot spot risks."

The easiest way to fix a technical issue is to do what any knowledgeable
professor will teach you. "Replace with known good"

To the very chips that run the wonderful world of Windows, this is what you do
in the computer world for technical fixes. No more soldering piggy back ram
here. Just slap in a new shiny mushkin DDR chip. Same with software.

In this case, you are stating that the "lowest common denominator"
cannot spot risks. My assessment to you would be that if it has a windows logo
in it, it most likely belongs to a company called Microsoft. This company has a
track record that lingers from the middle ages that spells out "RISK and
FLAW". Underlying both dos and NT based operating systems is a world of
flaw. In so much as I dare state that windows as you know it runs on errors.

Observation and recommendation: "Replace with known good"

In this case you might try a BSD variant or maybe even Linux. The code is open
and the risks are reduced. It's not perfect in any way, but the benefits when
compared to the alternatives might bring one to the conclusion that at this
point, the alternatives to microsoft are "known good".

That and no one in the world will view your operating system as geared towards
the "lowest common denominator" and you too will view ms operating
systems as a bad part of your computing history. Better history than another 20
plus more years of the past.

[ Reply to This | # ]

    Someone is Sending Mail in Our Name
    Authored by: svyerkgeniiy on Tuesday, January 27 2004 @ 01:15 PM EST
    That someone who was truly sympathetic to Linux would do this seems doubtful to
    me. People have jokingly, and not so jokingly, credited this virus to SCO, and
    this seems more plausible to me-- remember the reports that they sent internal
    employees into a pro-Linux protest crowd and then acted like total rabid
    crazies. It would add fuel to their argument that the Linux community is a
    bunch of cracker-renegades that aren't mature enough to respond with decorum.

    Does anyone have the tools to dissect the virus, follow its trail, and find out
    its source? I don't get the impression that the FBI are devoting resources to
    this, considering how common virus attacks are nowadays.

    I just can't believe that a cracker would not expect his handiwork to be found
    out. In addition, no one benefits by having the SCO site downed (or 0wn3d),
    except for one of a very small ego.

    If the FBI won't trace it, can we? Can we find a smoking gun in the hand of
    some SCO exec or employee? They are the only ones who benefit by this tactic.

    --dv

    [ Reply to This | # ]

    Any other news?
    Authored by: Anonymous on Tuesday, January 27 2004 @ 01:56 PM EST
    1. Viruses bad
    2. Virus authors bad
    3. DoS attacks bad
    4. Viruses/DoS attacks can never be justified, regardless of the target
    5. Users/Admins should take precautions to prevent virus infection.

    I shouldn't need to say the above (but I will anyway because I don't want some
    journalist (like this guy
    http://www.extremetech.com/article2/0,3973,1464429,00.asp
    ) assuming that failure to explicitly state a dislike for viruses, somehow
    implies even an iota of sympathy for them. I have none. I hate ALL viruses).

    6. Although I am firm in my belief in 1 thru 5, I don't find viruses a
    particularly interesting topic to read about or discuss.


    So, my main point -- is there any other news? Like legal news?

    [ Reply to This | # ]

    DDOS coincides with the court dates?
    Authored by: Anonymous on Tuesday, January 27 2004 @ 02:11 PM EST
    I noticed that the DDOS payload of this worm hits smack
    dab around the time of SCO's next court appearance
    (February 6th I believe). The conspiracy nerd in me
    wonders if this was an intentional way to both cover up
    any dour news on that day with DDOS headlines and / or as
    a way to finagle more delays out of the judge ("we could
    not perform our research because we were under attack your
    honour").

    [ Reply to This | # ]

    OT-FSF hassling Cisco?
    Authored by: wvhillbilly on Tuesday, January 27 2004 @ 02:34 PM EST
    I know this is old news, but this story claims Free Software Foundation hassled Cisco about open source code used in a Linksys wireless router. Is there any truth to this and if so what is the truth? I know Forbes is no friend of F/OSS, and this article is not very complimentary of the same.

    I know it is not allowed to mix proprietary code and GPL'd code in the same program unless the whole is GPL'd, but what of using proprietary code in a separate program running with Linux strictly as the OS? And if the code is in firmware (embedded device) what is the requirement on providing source code? As I understand the GPL an offer to make the source code available on request is as good as actually providing it with the binary, but the way Forbes was talking that wasn't good enough for FSF.

    ---
    What goes around comes around, and it grows as it goes.

    [ Reply to This | # ]

    OT This is getting real old, real fast
    Authored by: pfusco on Tuesday, January 27 2004 @ 02:47 PM EST
    "Security Experts state that this is a weapon in the linux wars"

    Whoever is doing this needs some jail time, and if ANYONE out there knows who it is, they should turn the b*st*rd in right now.

    This is just what SCO wants as a follow up to their letter to Congress. Perfect timing as a matter of fact.

    ---
    only the soul matters in the end

    [ Reply to This | # ]

    What's all this?
    Authored by: grouch on Tuesday, January 27 2004 @ 02:47 PM EST
    I really don't understand the uproar.

    MS Windows users placidly agree to allow Microsoft to surreptitiously alter
    anything on their computers. MS Windows users have steadfastly indicated their
    acceptance of a complete lack of security, the lowest quality software,
    intrusion into their computers by everyone from dysfunctional pre-pubescent VB
    script-writers to Bill Gates, and the illegal destruction of companies that dare
    to try to produce anything that interferes with MS's schemes for profit.

    MS Windows users mindlessly click "Accept" and willingly turn their
    computers over to Bill so that he can rent them the use of those computers, and
    then they whine and cry that Bill isn't taking good care of them. How anyone
    could ignore the history of MS and expect such a predatory, anti-user,
    anti-capitalism organization to consider people anything except
    revenue-generation units is incomprehensible to me. MS does NOT produce
    software; MS purchases software (or steals it, see the many lawsuits) that is
    then re-tooled into weapons against "consumers" using anything
    non-MS.

    As those weapons are deployed by Bill, with the explicit agreement by his
    revenue-generation units, they attack global protocol standards of computing
    such as those for email and the web. It may come as a shock, but there are
    people in the world who don't use MS Windows PCs, who don't like the attacks
    by those who do use MS Windows PCs, and who do not restrain from retaliation.

    This whole thing is nothing more than a report on collateral damage from a
    stupid war. MS perpetuates that war. MS refuses to fix the problems they create
    for everyone else because the fix would require them to compete on merit instead
    of market domination by lock-in, lock-out, and deliberate bastardization of
    standards.

    Instead of preventing some unknown vandal from making use of MS Windows users'
    collections of addresses and the "feature-rich Windows environment",
    Bill's solution is to get more control of each MS Windows PC, each MS Windows
    PC user, and offer bounties on the vandals. Bill will stop that nasty spam and
    those annoying worms/viruses/macros if you will just let him decide exactly
    which files you are allowed to read, write, or execute. In short, he wants, and
    MS Windows users have granted him, root power. The problem is that the whole
    world also has root power on each MS Windows box.

    As my grandmother used to say, "You made your nest, now lie in it."
    My own personal defense, which has worked quite well, has been to just say no to
    the MS drug pusher.

    [ Reply to This | # ]

    Perens comment
    Authored by: Anonymous on Tuesday, January 27 2004 @ 03:16 PM EST
    Perens on latest SCO Dos Attack

    I think we all agree with him.

    H@ns

    [ Reply to This | # ]

    OT: Gates says Windows is secure
    Authored by: Anonymous on Tuesday, January 27 2004 @ 03:29 PM EST
    "A high-volume system like (Windows) that has been
    thoroughly tested will be by far the most secure," Gates
    told the audience.
    (http://news.com.com/2100-1002_3-5148058.html?type=pt&part=inv&tag=feed&subj=news)

    Does he seriously think that Windows is the most secure
    operating system? He has to be joking.

    [ Reply to This | # ]

    Quote from Perens
    Authored by: Anonymous on Tuesday, January 27 2004 @ 03:45 PM EST
    " Continue to fight SCO, using all legal means at your disposal. Show
    others the analysis of SCO's ongoing fraud at Groklaw.net and elsewhere, and
    explain to them your own experience as a participant in the Free Software
    community."

    [ Reply to This | # ]

    Press Release on virus
    Authored by: Anonymous on Tuesday, January 27 2004 @ 04:05 PM EST
    http://biz.yahoo.com/prnews/040127/latu096_1.html

    [ Reply to This | # ]

    Someone is Sending Mail in Our Name
    Authored by: photocrimes on Tuesday, January 27 2004 @ 04:11 PM EST
    Now this didn't take long

    Who called this earlier? Wish I could give you a prize. Anyway, looks like the "dog ate my homework" plan is well under way. And when can we get them to stop this crap? They claim Novell is slandering them?

    Choice clips:

    The SCO Group, Inc. (Nasdaq: SCOX - News), the owner of the UNIX® operating system and a leading provider of UNIX-based solutions, today confirmed that it is experiencing a distributed Denial-of-Service (DDOS) attack. SCO announced that it is offering a reward of up to a total of $250,000 for information leading to the arrest and conviction of the individual or individuals responsible for creating the Mydoom virus.

    Owner of what? Leading what? Come on now.

    The perpetrator of this virus is attacking SCO, but hurting many others at the same time. We do not know the origins or reasons for this attack, although we have our suspicions.

    Gee Darl, who might that be? Last I checked this trojan doesn't work with Linux. Don't let Microsoft hear you start "slandering" their customers like that.

    To this end, SCO is offering a total of $250,000 reward for information leading to the arrest and conviction of those responsible for this crime

    Microsoft would be so proud of their little Darl.

    Does anyone else find this timing a bit odd? I mean not just the fact that it targets Feb 1st - 16th for the DDOS, but the Microsoft press blurb from Bill, the reward, Darl with his PR-Newswire on the same day, etc....

    ---
    //A picture is worth a thousand words//

    [ Reply to This | # ]

    W32.Novarg.A@mm
    Authored by: Clay on Tuesday, January 27 2004 @ 04:34 PM EST

    This virus is directed to payload SCO according to the register and has been identified, but is doing significant damage.

    here is Symantec's profile.

    ---
    ---------------------------
    newObjectivity, Inc. supports the destruction
    of all software patents.

    [ Reply to This | # ]

    SCO in bed with MSFT?
    Authored by: tz on Tuesday, January 27 2004 @ 04:50 PM EST
    Apparently someone didn't use a condom.

    The worst part is a few people have me in their address books so I have hundreds
    of mail bounces telling me that I sent a virus. How, from the web based
    interface, or from my Mac running fetchmail and mutt?

    [ Reply to This | # ]

    How it's Perceived, unfortunately
    Authored by: Anonymous on Tuesday, January 27 2004 @ 05:33 PM EST
    "Now, it would appear, Linux supporters are exacting revenge via Mydoom,
    also known as Shimgapi, Novarg and W32/Mydoom.A@mm"

    http://p2pnet.net/story/642

    [ Reply to This | # ]

    Someone is Sending Mail in Our Name
    Authored by: Anonymous on Tuesday, January 27 2004 @ 05:42 PM EST
    I like Linux, really, but I still use OS/2 for surfing and email. Thus I feel
    very secure. Still, one fellow OS/2 user has had the same problem: emails were
    sent on his behalf, many people complaining he has a virus. He can't, he only
    runs eComStation (the OS/2 sibling from Serenity Systems Inc.), same as I do.
    So, PJ, don't worry, even Systems that are practically virus free (and
    remember, Linux itself has its vulnerabilities, even though they're harder to
    exploit) because nobody cares about trying to write a virus for them can be made
    to look like sending such spam around.
    So, even if you don't use Windows for email, you can be hit by the Wintendo
    plague (as that eCs guy was, too).

    It's time for a global change, isn't it?

    [ Reply to This | # ]

    PJ: Offer BOUNTY for arrest
    Authored by: miss_cleo_psy4u on Tuesday, January 27 2004 @ 05:57 PM EST
    The email impersonators should be arrested due to damage done to your names as well as illegal attack on SCO web site. Groklaw should consider ways to distinguish itself from SCO in this matter.

    If the FLOSS community could band together to offer a reward for information leading to arrest of the perpetrator (SCO offers $250,000 for arrest and conviction) I think FLOSS would create PR for the press affirming we are not the criminals McBride paints us to be, and emphasize our efforts to abide by IP and computer access laws.

    Second, we'd steal the thunder from SCO by setting the reward up to be payable before SCO's (Darl's reward waits for conviction). Having Groklaw host the bounty collection and blog the efforts made to catch the perps might show that we can use our abilities for more than the sport of impaling SCO legally. Having Linus or PJ present the bounty check might be fun PR to invite Darl to see.

    SCO may cynically believe they'll never catch the authors. I believe the OSS community may have the tools and know how to chase it down. Call it "Bounty for bounty hunters".

    Well, PJ, can we set up a PayPal button here that would kick this Bounty account off?

    SCO Reward story here: SCO Offers Reward for Arrest and Conviction of Mydoom Virus Author

    [ Reply to This | # ]

    Someone is Sending Mail in Our Name
    Authored by: leeway00 on Tuesday, January 27 2004 @ 06:56 PM EST

    "The worm doesn't exploit any flaws in Windows, but rather is designed to entice the recipient of an e-mail to open an attached file and run programs contained in the attachment."

    Reuters article entitled: MyDoom Worm Aimed for SCO Web Site contains the above quote.

    This virus contains many similar features that many previous viruses contain & spreads in a similar manner, yet the author of this article claims that it does not exploit any flaws in Windows. I would certainly consider any operating system that sends out unwanted & unauthorized requests on my behalf to either be inherently flawed &/or insecure.

    I just have to wonder whether the author is a Windows expert or the MS PR department gave a helping hand.

    I am also wondering if the virus has www.sco.com hardcoded or if they are just using the .12 IP address of the server. As much as I detest the authors, they are clever in cloaking the keylogger/updater in the fog of SCO vs. OSS.

    Leeway

    [ Reply to This | # ]

    O/T Is It All Linux Peeps Here?
    Authored by: TAZ6416 on Wednesday, January 28 2004 @ 04:29 AM EST
    I found PJ's "UPDATE: Windows users, if there are any here"
    statement interesting, I actually use Windows XP Professional at work as we are
    a 99% Microsoft site (much to my disgust ;) ) and while I used to run Debian at
    home, I use Windows XP there too as it came with my new PC and I haven't got
    round to putting Linux onto it again (I think I'll try Mandrake).

    Saying that, I'm posting this on an OpenVMS Workstation as I'm in the computer
    room doing a restore :)

    I wonder how many Windows users actually read Groklaw and support the fight
    against SCO, even if they have never used Linux in their life.

    Jonathan
    --------
    Team IFG Racing - http://www.car-care-centre.co.uk/racing.htm

    [ Reply to This | # ]

    Someone is Sending Mail in Our Name
    Authored by: TAZ6416 on Wednesday, January 28 2004 @ 06:22 PM EST
    I think in hindsight that was a joke on PJ's part and I didn't spot it, and
    took it a bit too seriously.

    Jonathan
    ~~~~~~~~
    Team IFG Racing - http://www.car-care-centre.co.uk/racing.htm

    [ Reply to This | # ]

    Groklaw © Copyright 2003-2013 Pamela Jones.
    All trademarks and copyrights on this page are owned by their respective owners.
    Comments are owned by the individual posters.

    PJ's articles are licensed under a Creative Commons License. ( Details )