[RC5] Virus alert !

waldo kitty wkitty42 at alltel.net
Fri Oct 11 01:04:07 EDT 2002

seems that folk need to go search out the details of what bugbear does
and how it operates... though i don't really like symantec, they do have
very informative data on most virus' and worms...

FWIW: bugbear can send original messages, forwarded messages, and even
replies to messages... however, the text within the message that bugbear
sends can be anything from an existing email to a document on the
infected machine... 

FWIW2: bugbear also can use complete existing email addresses as well as
take parts from several and put them together to create a "new" email

FWIW3: and lets not forget about the keystroke logger that sends the
intercepted keystrokes (passwords, credit card numbers, anything you
type!) to a dedicated machine

FWIW4: and there's also the backdoor it opens so that the hacker has
full access to your machine...

Dennis Lubert wrote:
> At 14:36 10.10.02 +0300, you wrote:
> > > ----- Original Message -----
> > > From: <PlasmaHH at gmx.net>
> > > To: <rc5 at lists.distributed.net>
> > > Sent: Thursday, October 10, 2002 3:45 AM
> > > Subject: [RC5] Virus alert !
> > >
> > >
> > > > this is important. I have just received an email with the New
> > > > Mail-Worm "Bugbear" attached. Someone (Probably Jeff Lawson) on
> > > > the list has been infected with this worm. So be carefull, keep
> > > > your virus-scanner up to date, and don't open attachments, the
> > > > attached file was an .xls.scr file...
> >
> >In my experience, the From: address of bugbear is meaningless. Being a
> >postmaster of medium-sized network, I have received messages from
> >various virus scanners around the world claiming that user
> >somebody at my.domain has sent them bugbear, when I know that no such user
> >exists in my domain.
> >
> >My hypotesis is that bugbear constructs its from: address using
> >addresses found on local machine, taking username part from one address
> >and domain part from another address.
> Well, thats true at least for the Klez worm, but the mail I got had this
> original text (So I suppose it is from one of the dnetlist):
> That behavior is done (by the proxy) when the client reports the default
> "rc5 at distributed.net" for its configured email address to the proxyper.
> On Fri, 22 Jun 2001, Andre Schulze wrote:
>  > Am Don den 21 Jun 2001 um 10:26:47 -0400 schrieb Quay, Jonathan (BHR):
>  > > We of Ars Technica Team Beef Roast are running a pproxy round robin
> for the
>  > > benefit of our team.  We have noticed on our pproxy stats, like here:
>  > > http://gti.2y.net/~nate/pproxy/byemail.html and here:
>  > > http://2
> --
> To unsubscribe, send 'unsubscribe rc5' to majordomo at lists.distributed.net
> rc5-digest subscribers replace rc5 with rc5-digest

      (@@)                      Waldo Kitty, Waldo's Place USA
__ooO_( )_Ooo_____________________ telnet://bbs.wpusa.dynip.com
_|_____|_____|_____|_____|_____|_____ http://www.wpusa.dynip.com
____|_____|_____|_____|_____|_____|_____ ftp://ftp.wpusa.dynip.com
_|_Eat_SPAM_to_email_me!_YUM!__|_____|_____ wkitty42 (at) alltel.net

To unsubscribe, send 'unsubscribe rc5' to majordomo at lists.distributed.net
rc5-digest subscribers replace rc5 with rc5-digest

More information about the rc5 mailing list