[RC5] Virus alert !

Dennis Lubert plasmahh at gmx.net
Thu Oct 10 19:36:43 EDT 2002

At 14:36 10.10.02 +0300, you wrote:
> > ----- Original Message -----
> > From: <PlasmaHH at gmx.net>
> > To: <rc5 at lists.distributed.net>
> > Sent: Thursday, October 10, 2002 3:45 AM
> > Subject: [RC5] Virus alert !
> >
> >
> > > this is important. I have just received an email with the New
> > > Mail-Worm "Bugbear" attached. Someone (Probably Jeff Lawson) on
> > > the list has been infected with this worm. So be careful, keep
> > > your virus-scanner up to date, and don't open attachments, the
> > > attached file was an .xls.scr file...
>In my experience, the From: address of bugbear is meaningless. Being a
>postmaster of a medium-sized network, I have received messages from
>various virus scanners around the world claiming that user
>somebody at my.domain has sent them bugbear, when I know that no such user
>exists in my domain.
>My hypothesis is that bugbear constructs its From: address using
>addresses found on the local machine, taking the username part from one address
>and the domain part from another address.

Well, that's true at least for the Klez worm, but the mail I got had this
original text (So I suppose it is from one of the dnetlist):

That behavior is done (by the proxy) when the client reports the default
"rc5 at distributed.net" for its configured email address to the proxyper.

On Fri, 22 Jun 2001, Andre Schulze wrote:

 > Am Don den 21 Jun 2001 um 10:26:47 -0400 schrieb Quay, Jonathan (BHR):
 > > We of Ars Technica Team Beef Roast are running a pproxy round robin for the
 > > benefit of our team.  We have noticed on our pproxy stats, like here:
 > > http://gti.2y.net/~nate/pproxy/byemail.html and here:
 > > http://2

To unsubscribe, send 'unsubscribe rc5' to majordomo at lists.distributed.net
rc5-digest subscribers replace rc5 with rc5-digest
