Someone is Sending Mail in Our Name
Monday, January 26 2004 @ 06:32 PM EST
Just letting everyone know that someone has sent out email as if it came from me and MathFox. I know because I got one, supposedly from me to me, saying Hello in the subject line. Duh. MathFox's says Hi. The IP addresses are not ours. There is an attachment. I haven't sent anyone any attachments. Do not open it. The body of the message is not in English, so I don't know what it says. I probably don't want to know.
UPDATE: Windows users, if there are any here, please read this and take remedial action to prevent your computer being used: http://www.f-secure.com/v-descs/novarg.shtml
"A new worm known as Mydoom or Novarg is spreading quickly over email and Kazaa networks. In emails, it uses variable subjects, bodies and attachment names. The worm opens Notepad with garbage data in it. It also attacks SCO.COM with a DDoS-attack.
"Novarg is a worm that spreads over email and Kazaa p2p network. When executed, the worm opens up Windows' Notepad with garbage data in it.
"The worm opens up a backdoor to infected computers by listening to TCP port 3176. This is done by planting a new SHIMGAPI.DLL file to system32 directory and launching it as a child process of EXPLORER.EXE."
I don't use a Windows computer for email, so this virus is definitely not from my account. If you do use a Windows computer, please follow the steps outlined in the F-Secure article to make sure you don't contribute to this problem.
"The attack was first noticed Monday afternoon. Within hours, thousands of e-mails were clogging networks, said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team.
"Besides sending out e-mail, the program appears to open up a backdoor so that hackers can take over the computer later.
"'As far as I can tell right now, it's pretty much everywhere on the planet,' Gullotto said.
"Security software experts were scrambling to decrypt the details of the malicious program and were arriving at different conclusions.
"Symantec, an antivirus company, said the worm appeared to contain a program that logs keystrokes on infected machines. It could collect usernames and passwords of unsuspecting users and distribute them to strangers.
"Network Associates did not find the keylogging program.
"Symantec also found code that appeared to target The SCO Group Inc., which claims some of its intellectual property has ended up in the Linux operating system and is threatening lawsuits. SCO's Web site, which has been targeted in the past, was available but sluggish late Monday. Other firms, however, could not confirm that aspect of the attack."
Headers on the one pretending to be from me:
Date: January 26, 2004 3:59:37 PM EST
Received: (qmail 13805 invoked from network); 26 Jan 2004 21:14:23 -0000
Received: from smtpout-1-1a.secureserver.net ([184.108.40.206]) (envelope-sender <email@example.com>) by smtp-1-4a.secureserver.net (qmail-ldap-1.03) with SMTP for <firstname.lastname@example.org>; 26 Jan 2004 21:14:23 -0000
Received: (qmail 6183 invoked from network); 26 Jan 2004 20:58:28 -0000
Received: from d-128-95-244-216.dhcp4.washington.edu (HELO groklaw.com) (220.127.116.11) by smtpout-1-1a.secureserver.net with SMTP; 26 Jan 2004 20:58:28 -0000
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0008_28287E38.B9CCF0F9"
Headers from the one pretending to be from MathFox:
Date: January 26, 2004 3:59:29 PM EST
Received: (qmail 29603 invoked from network); 26 Jan 2004 20:58:11 -0000
Received: from smtpout-1-1a.secureserver.net ([18.104.22.168]) (envelope-sender <email@example.com>) by smtp-1-2a.secureserver.net (qmail-ldap-1.03) with SMTP for <firstname.lastname@example.org>; 26 Jan 2004 20:58:11 -0000
Received: (qmail 5446 invoked from network); 26 Jan 2004 20:58:20 -0000
Received: from d-128-95-244-216.dhcp4.washington.edu (HELO groklaw.net) (22.214.171.124) by smtpout-1-1a.secureserver.net with SMTP; 26 Jan 2004 20:58:20 -0000
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0008_BC28F045.C8A522B3"
CERT has this info on email with these headers:
W32/Mydoom or W32/Novarg
added January 26
"On January 26, 2004, the CERT/CC began receiving reports of a new mass-mailing virus now known as W32/Novarg.A, W32/Shimg, or W32/Mydoom. It arrives as an email message with a 22,528-byte attachment that has a random filename with a file extension of .cmd, .pif, .scr, .exe, or .bat. The attachment may also arrive as a ZIP archive. This malicious code has been reported to open a connection on port 3127/tcp or port 3176/tcp. In addition to email propagation, the virus attempts to spread through peer-to-peer file sharing networks by copying itself into the default folder used by KaZaA to share files.
"W32/Beagle or W32/Bagle
added January 20
"The CERT/CC has received reports of a new mass-emailing virus, referred to as "W32/Beagle" or "W32/Bagle". It arrives as an attachment to an email with the subject line of "Hi". The attachment is an executable (.EXE) file with a file name consisting of a random sequence of characters. Upon opening the attachment, the virus scans certain files on the user's system collecting email addresses, then attempts to mail itself to all e-mail addresses it found. The FROM: address is spoofed to hide the identity of the sender. Additionally, the virus opens a port on the user's system (usually port 6777) which permits an attacker to gain access to the system.
"The CERT/CC strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment."
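As an added example (not part of the original post or the CERT note), here is a small Python triage script that does by machine what the post does by eye: it walks the Received: chain of a constructed copy of the headers above to find the hop where the mail entered, flags that the HELO name (groklaw.com) does not belong to the connecting host (a washington.edu DHCP address), and lists attachments with the extensions the CERT note gives for Mydoom. The IPs are as printed on the page; the Subject line, the attachment name readme.scr and the message body are constructed.

```python
import os
import re
from email import message_from_string

# Constructed sample: the Received: lines quoted in the post (IPs as printed there)
# with a constructed Subject, body and worm-style attachment name.
SAMPLE = """\
Received: from smtpout-1-1a.secureserver.net ([184.108.40.206]) (envelope-sender <email@example.com>) by smtp-1-4a.secureserver.net (qmail-ldap-1.03) with SMTP for <firstname.lastname@example.org>; 26 Jan 2004 21:14:23 -0000
Received: from d-128-95-244-216.dhcp4.washington.edu (HELO groklaw.com) (220.127.116.11) by smtpout-1-1a.secureserver.net with SMTP; 26 Jan 2004 20:58:28 -0000
Subject: Hello
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: application/octet-stream; name="readme.scr"
Content-Disposition: attachment; filename="readme.scr"

AAAA
--XX--
"""

# "from <rdns> [(HELO <name>)] (<ip>)" as the qmail relays on the page write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?\s+\(\[?(?P<ip>[0-9.]+)\]?\)")
WORM_EXTS = {".cmd", ".pif", ".scr", ".exe", ".bat", ".zip"}  # from the CERT note

def registrable(name):
    """Last two labels, enough to compare a HELO name against reverse DNS."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def parse_received(msg):
    """Hops oldest-first as (rdns, helo, ip); index 0 is where the mail entered."""
    hops = [RECEIVED_RE.search(h) for h in msg.get_all("Received", [])]
    hops = [(m["rdns"], m["helo"], m["ip"]) for m in hops if m]
    hops.reverse()  # relays prepend, so the bottom-most header is the origin
    return hops

def triage(raw):
    """What a defender checks first: origin hop, HELO lie, risky attachments."""
    msg = message_from_string(raw)
    hops = parse_received(msg)
    rdns, helo, ip = hops[0] if hops else (None, None, None)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return {
        "origin_ip": ip,
        "origin_rdns": rdns,
        # HELO claims a domain the connecting host does not belong to
        "helo_mismatch": bool(helo and registrable(helo) != registrable(rdns)),
        "attachments": [n for n in names if os.path.splitext(n)[1].lower() in WORM_EXTS],
    }
```

Run `triage(SAMPLE)` to get the origin IP and reverse-DNS name, `helo_mismatch` set to True, and `["readme.scr"]` as the flagged attachment; the two-label domain comparison is deliberately crude and will misjudge names under multi-label suffixes such as co.uk.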