Someone is Sending Mail in Our Name
Monday, January 26 2004 @ 06:32 PM EST

Just letting everyone know that someone has sent out email as if from me and MathFox. I know because I got one, supposedly from me to me, saying Hello in the subject line. Duh. MathFox's says Hi. The IP addresses are not ours. There is an attachment. I haven't sent anyone any attachments. Do not open. The body of the message is not in English, so I don't know what it says. I probably don't want to know.

UPDATE: Windows users, if there are any here, please read this and take remedial action to prevent your computer being used: http://www.f-secure.com/v-descs/novarg.shtml


******************************

"A new worm known as Mydoom or Novarg is spreading quickly over email and Kazaa networks. In emails, it uses variable subjects, bodies and attachment names. The worm opens Notepad with garbage data in it. It also attacks SCO.COM with a DDoS-attack.

"Summary

"Novarg is a worm that spreads over email and Kazaa p2p network. When executed, the worm opens up Windows' Notepad with garbage data in it.

"The worm opens up a backdoor to infected computers by listening to TCP port 3176. This is done by planting a new SHIMGAPI.DLL file to system32 directory and launching it as a child process of EXPLORER.EXE."
***************************

I don't use a Windows computer for email, so this virus is definitively not from my account. If you do use a Windows computer, please follow the steps outlined in the F-Secure article to make sure you don't contribute to this problem.

MORE:
http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2004/01/26/financial2102EST0374.DTL&type=printable

"The attack was first noticed Monday afternoon. Within hours, thousands of e-mails were clogging networks, said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team.

"Besides sending out e-mail, the program appears to open up a backdoor so that hackers can take over the computer later.

"'As far as I can tell right now, it's pretty much everywhere on the planet,' Gullotto said.

"Security software experts were scrambling to decrypt the details of the malicious program and were arriving at different conclusions.

"Symantec, an antivirus company, said the worm appeared to contain a program that logs keystrokes on infected machines. It could collect username and passwords of unsuspecting users and distribute them to strangers.

"Network Associates did not find the keylogging program.

"Symantec also found code that appeared to target The SCO Group Inc., which claims some of its intellectual property has ended up in the Linux operating system and is threatening lawsuits. SCO's Web site, which has been targeted in the past, was available but sluggish late Monday. Other firms, however, could not confirm that aspect of the attack."


******************************

Header on the one pretending to be from me:

From: pj@groklaw.com
Subject: hello
Date: January 26, 2004 3:59:37 PM EST
To: pj@groklaw.com
Received: (qmail 13805 invoked from network); 26 Jan 2004 21:14:23 -0000
Received: from smtpout-1-1a.secureserver.net ([64.202.166.20]) (envelope-sender <pj@groklaw.com>) by smtp-1-4a.secureserver.net (qmail-ldap-1.03) with SMTP for <pj@groklaw.com>; 26 Jan 2004 21:14:23 -0000
Received: (qmail 6183 invoked from network); 26 Jan 2004 20:58:28 -0000
Received: from d-128-95-244-216.dhcp4.washington.edu (HELO groklaw.com) (128.95.244.216) by smtpout-1-1a.secureserver.net with SMTP; 26 Jan 2004 20:58:28 -0000
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0008_28287E38.B9CCF0F9"


Header from the one pretending to be from MathFox:

From: mathfox@groklaw.net
Subject: Hi
Date: January 26, 2004 3:59:29 PM EST
To: pj@groklaw.com
Received: (qmail 29603 invoked from network); 26 Jan 2004 20:58:11 -0000
Received: from smtpout-1-1a.secureserver.net ([64.202.166.20]) (envelope-sender <mathfox@groklaw.net>) by smtp-1-2a.secureserver.net (qmail-ldap-1.03) with SMTP for <pj@groklaw.com>; 26 Jan 2004 20:58:11 -0000
Received: (qmail 5446 invoked from network); 26 Jan 2004 20:58:20 -0000
Received: from d-128-95-244-216.dhcp4.washington.edu (HELO groklaw.net) (128.95.244.216) by smtpout-1-1a.secureserver.net with SMTP; 26 Jan 2004 20:58:20 -0000
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0008_BC28F045.C8A522B3"
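As an added example (not part of PJ's post), the following Python walks the Received: chain of the first spoofed header above, using a constructed copy of those header lines, to show where the message actually entered the mail system and why the From: line cannot be trusted. The "HELO claims the forged domain but reverse DNS shows an unrelated host" check is a heuristic added here; the regex is written for the qmail-style Received: lines shown on the page.

```python
import re
from email import message_from_string

# Constructed sample: the header lines of the spoofed "pj@groklaw.com" message quoted above.
SPOOFED_HEADERS = """\
From: pj@groklaw.com
To: pj@groklaw.com
Received: (qmail 13805 invoked from network); 26 Jan 2004 21:14:23 -0000
Received: from smtpout-1-1a.secureserver.net ([64.202.166.20]) (envelope-sender <pj@groklaw.com>) by smtp-1-4a.secureserver.net (qmail-ldap-1.03) with SMTP for <pj@groklaw.com>; 26 Jan 2004 21:14:23 -0000
Received: (qmail 6183 invoked from network); 26 Jan 2004 20:58:28 -0000
Received: from d-128-95-244-216.dhcp4.washington.edu (HELO groklaw.com) (128.95.244.216) by smtpout-1-1a.secureserver.net with SMTP; 26 Jan 2004 20:58:28 -0000
Mime-Version: 1.0
"""

# A "Received: from ..." hop as qmail writes it: reverse-DNS name, optional HELO name, IP, receiving MTA.
RECEIVED_FROM = re.compile(
    r"^from\s+(?P<host>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"
    r".*?\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r".*?\bby\s+(?P<by>\S+)"
)


def trace_origin(raw_headers: str) -> dict:
    """Return the hop where the mail entered the system and whether it fits the From: domain."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(" ".join(value.split()))  # unfold whitespace
        if m:  # "(qmail ... invoked from network)" lines carry no client IP
            hops.append(m.groupdict())
    if not hops:
        raise ValueError("no parseable Received: hops")
    origin = hops[-1]  # bottom-most hop: the first MTA that accepted the mail
    from_domain = msg["From"].rsplit("@", 1)[-1].strip().lower()
    helo = (origin["helo"] or "").lower()
    host = origin["host"].lower()
    return {
        "origin_ip": origin["ip"],
        "origin_host": host,
        "helo": helo,
        # Heuristic: the worm announces the forged domain in HELO, but the
        # MTA's reverse lookup of the client shows an unrelated host.
        "helo_claims_from_domain": helo == from_domain,
        "spoofed": not host.endswith(from_domain),
    }


if __name__ == "__main__":
    for k, v in trace_origin(SPOOFED_HEADERS).items():
        print(f"{k}: {v}")
```

Run against the page's headers, the originating hop is a dhcp4.washington.edu host at 128.95.244.216 that merely claimed to be groklaw.com in HELO, which is exactly why the From: address proves nothing.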


*************************

CERT has this info on email with these headers:
http://www.cert.org/current/current_activity.html#mydoom

"W32/Mydoom or W32/Novarg
added January 26

"On January 26, 2004, the CERT/CC began receiving reports of a new mass-mailing virus now known as W32/Novarg.A, W32/Shimg, or W32/Mydoom. It arrives as an email message with a 22,528-byte attachment that has a random filename with a file extension of .cmd, .pif, .scr, .exe, or .bat. The attachment may also arrive as a ZIP archive. This malicious code has been reported to open a connection on port 3127/tcp or port 3176/tcp. In addition to email propagation, the virus attempts to spread through peer-to-peer file sharing networks by copying itself into the default folder used by KaZaA to share files.



"W32/Beagle or W32/Bagle
added January 20

"The CERT/CC has received reports of a new mass-emailing virus, referred to as "W32/Beagle" or "W32/Bagle". It arrives as an attachment to an email with the subject line of "Hi". The attachment is an executable file (.EXE) file with a file name consisting of a random sequence of characters. Upon opening the attachment, the virus scans certain files on the user's system collecting email addresses, then attempts to mail itself to all e-mail addresses it found. The FROM: address is spoofed to hide the identity of the sender. Additionally, the virus opens a port on the user's system (usually port 6777) which permits an attacker to gain access to the system.

"The CERT/CC strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment."

Groklaw © Copyright 2003-2013 Pamela Jones.
PJ's articles are licensed under a Creative Commons License.