[RC5] Virus alert !

Scott Dodson sdodson at eagle4.cc.gasou.edu
Fri Oct 11 11:13:54 EDT 2002

On 10-Oct-2002, waldo kitty wrote:
> you can rely on the TOPmost received line to tell where the mail came
> from to your mail server... i didn't say anything about the originating
> machine or user... sorry, yes, maybe "sender" might imply that but that
> is not what i was attempting to imply... in any case, with bugbear, it
> uses its own SMTP engine and since it is located on the infected user's
> machine, guess what info you do have at hand <<wink>>
> BTW: i surprised one of my old clients yesterday when i called them 5
> minutes after they deleted a "weird" email... i called them because
> their machine had just sent me bugbear... i recognised the name of the
> machine and the ip number... let's just say that they were very shocked
> and surprised that i was able to tell that from the email headers...
> they admitted that their machine was behaving strangely in those last few
> minutes and i was able to pick up a quick clean up job since they were
> unable to do anything much with bugbear running...

Be sure to tell them to make sure none of the passwords associated with
that machine are valid anymore.  Bugbear captures passwords.  Rather nasty.
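
An added example, not part of the original posts: reading the topmost Received line, the one written by the receiving server, to get the name and IP of the machine that connected. The sample message, host names, addresses and the Sendmail/Postfix-style header layout are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample message (not from the thread). The top Received line is
# the one the receiving server wrote; the lower one arrived with the message
# and is only a claim made by the sending side.
SAMPLE = """\
Received: from clientpc (host-203-0-113-45.example.net [203.0.113.45])
\tby mx.example.org with SMTP id CONSTRUCTED1
\tfor <me@example.org>; Thu, 10 Oct 2002 09:15:02 -0400
Received: from mail.trusted-bank.example ([192.0.2.10])
\tby relay.invalid; Thu, 10 Oct 2002 09:14:00 -0400
From: someone@example.com
To: me@example.org
Subject: constructed sample

body
"""

# Assumed layout: "from HELO (rdns [ip])"; other MTAs format this differently.
PEER = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f:.]+)\]\)"
)

def connecting_peer(raw_message):
    """Return HELO name, reverse DNS name, IP and recording server
    from the topmost Received header, or None if it cannot be parsed."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []   # listed top to bottom
    if not received:
        return None
    top = " ".join(received[0].split())        # unfold continuation lines
    m = PEER.search(top)
    if not m:
        return None
    by = re.search(r"\bby\s+(\S+)", top)
    return {
        "helo": m["helo"],    # name the sender announced (unverified)
        "rdns": m["rdns"],    # name the receiving server looked up
        "ip": m["ip"],        # address of the TCP peer
        "by": by.group(1) if by else None,  # server that wrote this line
    }

if __name__ == "__main__":
    print(connecting_peer(SAMPLE))
```
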


