Mail Archives: cygwin/2002/10/13/19:50:21

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-Id: <5.1.0.14.2.20021013163732.01fd7c40@pop3.cris.com>
X-Sender: rrschulz AT pop3 DOT cris DOT com
Date: Sun, 13 Oct 2002 16:50:54 -0700
To: "Elfyn McBratney" <emcb_exposure AT hotmail DOT com>
From: Randall R Schulz <rrschulz AT cris DOT com>
Subject: Re: Viruses being transported with Cygwin messages
Cc: cygwin AT cygwin DOT com
In-Reply-To: <OE45D300IGrnzJkrs470001133b@hotmail.com>
References: <1034541363 DOT 5133 DOT 13 DOT camel AT lifelesswks>
<006601c272eb$5750f680$855a580c AT who>
<1034541363 DOT 5133 DOT 13 DOT camel AT lifelesswks>
<5 DOT 1 DOT 0 DOT 14 DOT 2 DOT 20021013145544 DOT 02c86668 AT pop3 DOT cris DOT com>
Mime-Version: 1.0

Elfyn,

Let me be clear that I'm not accusing you (or Gareth or Chris F.) of 
anything here. As others have pointed out, these worms are clever about 
coming up with addresses both for the apparent "From:" address and the next 
ply of intended victim recipients.

Here are the routing headers from the message _ostensibly_ from you:

Return-Path: <elfyn AT mail DOT utexas DOT edu>
Received: from mail18.svr.pol.co.uk (mail18.svr.pol.co.uk [195.92.67.23])
         by morse.concentric.net [Concentric SMTP MX 1.0]
         id g9DJ7ih10880; Sun, 13 Oct 2002 15:07:44 -0400 (EDT)
         [1-800-745-2747 The Concentric Network]
Errors-To: <elfyn AT mail DOT utexas DOT edu>
Received: from modem-2289.chimpanzee.dialup.pol.co.uk ([217.134.120.241] 
helo=mcb-home)
         by mail18.svr.pol.co.uk with smtp (Exim 3.35 #1)
         id 180nmm-0007hQ-00; Sun, 13 Oct 2002 19:48:20 +0100
From: "Elfyn McBratney" <elfyn AT mail DOT utexas DOT edu>


As you can see, although it claims (suggests? "From:" headers are 
distinctly non-authoritative) you're at UT Austin, the message itself did 
not originate or traverse any servers there. Nor does Hotmail appear in the 
SMTP server-supplied forwarding header. (Concentric is my ISP.)

As I understand these worms, they use other users' address books (are they 
called "Contact Lists" in Outlook and Outlook Express?) to come up with 
both fraudulent "From:" addresses and recipients. Win32.Bugbear@mm uses 
registry data to propagate, too.

Randall Schulz
Mountain View, CA USA


Here's the full text of the message I received (attachment graciously 
elided--in fact, I delete them as soon as I confirm my hunch that they're 
worms):

-==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-
Return-Path: <elfyn AT mail DOT utexas DOT edu>
Received: from mail18.svr.pol.co.uk (mail18.svr.pol.co.uk [195.92.67.23])
         by morse.concentric.net [Concentric SMTP MX 1.0]
         id g9DJ7ih10880; Sun, 13 Oct 2002 15:07:44 -0400 (EDT)
         [1-800-745-2747 The Concentric Network]
Errors-To: <elfyn AT mail DOT utexas DOT edu>
Received: from modem-2289.chimpanzee.dialup.pol.co.uk ([217.134.120.241] 
helo=mcb-home)
         by mail18.svr.pol.co.uk with smtp (Exim 3.35 #1)
         id 180nmm-0007hQ-00; Sun, 13 Oct 2002 19:48:20 +0100
From: "Elfyn McBratney" <elfyn AT mail DOT utexas DOT edu>
Subject:  Re: Need your Mac OS 8 support plan...
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----------ISQROT15KBZQSTO"
Message-Id: <E180nmm-0007hQ-00 DOT 2002-10-13-19-48-20 AT mail18 DOT svr DOT pol DOT co DOT uk>
Bcc:
Date: Sun, 13 Oct 2002 19:48:20 +0100

Content-Type: text/html;

That is really not fare :(

Do you know when we'll get a time-indexed beta-sp ???

----- Original Message -----
From: Michael Aumeerally
To:
Sent: Sunday, August 25, 2002 9:52 PM
Subject: Re: Need your Mac OS 8 support plan...


 > > Just wanted to beg you to bring in Mac OS 8 if your on your travels
 > towards the office :)...
 >
 > I may come in Wednesday evening, depending on how the week unfolds...
 >
<file://D:\Attachments\connexionscard-pass.txt.scr>[] 
connexionscard-pass.txt.scr
-==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-


At 16:33 2002-10-13, Elfyn McBratney wrote:
>I for one would like to know how that happened. If it's from hotmail then fair
>do's, sorry. If it was from elfyn AT exposure DOT org DOT uk that's impossible because
>all I can send through my mailgate is .txt or tars/gz's files...even then
>all archives are extracted/scanned.
>
>What month???
>
>Elfyn
>
>----- Original Message -----
>From: Randall R Schulz <rrschulz AT cris DOT com>
>To: <cygwin AT cygwin DOT com>
>Sent: Sunday, October 13, 2002 11:03 PM
>Subject: Re: Viruses being transported with Cygwin messages
>
>
> > Hi,
> >
> > It might help to know this is the "W32.Bugbear@mm" worm. It has been
> > spreading a lot lately. In today's batch I received 3 copies under
> > different names (supposedly from Christopher Faylor, Gareth Pearce and
> > Elfyn McBratney), each with different contents and different attachment
>names.
> >
> > Here's what Symantec has to say about this worm:
> > <http://www.sarc.com/avcenter/venc/data/w32.bugbear@mm.html>
> >
> > Randall Schulz
> > Mountain View, CA USA


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
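The header analysis Randall walks through above (reading the "Received:" chain bottom-up, noting that the claimed "From:" domain never appears in any hop, and identifying the real originating client) can be automated. The script below is an added example written for this archive page; it is not part of the original message or of any Cygwin or Symantec tooling. The sample message is reconstructed from the routing headers quoted above with the archive's "AT"/"DOT" obfuscation undone and the body omitted; the "organisation domain = last two labels" rule is a simplifying assumption, not a public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the routing headers quoted in the message above, with the
# archive's "AT"/"DOT" obfuscation undone and the message body left out.
SAMPLE_MESSAGE = """\
Return-Path: <elfyn@mail.utexas.edu>
Received: from mail18.svr.pol.co.uk (mail18.svr.pol.co.uk [195.92.67.23])
         by morse.concentric.net [Concentric SMTP MX 1.0]
         id g9DJ7ih10880; Sun, 13 Oct 2002 15:07:44 -0400 (EDT)
         [1-800-745-2747 The Concentric Network]
Errors-To: <elfyn@mail.utexas.edu>
Received: from modem-2289.chimpanzee.dialup.pol.co.uk ([217.134.120.241]
         helo=mcb-home)
         by mail18.svr.pol.co.uk with smtp (Exim 3.35 #1)
         id 180nmm-0007hQ-00; Sun, 13 Oct 2002 19:48:20 +0100
From: "Elfyn McBratney" <elfyn@mail.utexas.edu>
Subject: Re: Need your Mac OS 8 support plan...

(body omitted)
"""

# "from <host> (<info>) ... by <host>"; the parenthesised info is optional.
HOP_RE = re.compile(
    r"^from\s+(?P<host>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=(\S+)")


def parse_received(value):
    """Parse one Received: header into its hop fields (None if unparseable)."""
    value = " ".join(value.split())          # unfold continuation lines
    m = HOP_RE.match(value)
    if not m:
        return None
    info = m.group("info") or ""
    ip = IP_RE.search(info)
    helo = HELO_RE.search(info)
    when = None
    if ";" in value:                          # the date follows the last ';'
        when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
    return {"host": m.group("host"), "ip": ip.group(1) if ip else None,
            "helo": helo.group(1) if helo else None,
            "by": m.group("by"), "when": when}


def trace(raw):
    """Compare the claimed From: domain with the path the message really took."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1]
    claimed_domain = claimed.rsplit("@", 1)[-1].lower()
    # Assumption: organisation domain is the last two labels (no public-suffix list).
    org = ".".join(claimed_domain.split(".")[-2:])
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()      # each MTA prepends its header, so the bottom one is hop 1

    def in_org(name):
        return bool(name) and (name.lower() == org or name.lower().endswith("." + org))

    domain_in_path = any(in_org(h["host"]) or in_org(h["helo"]) or in_org(h["by"])
                         for h in hops)
    monotonic = all(a["when"] is not None and b["when"] is not None and a["when"] <= b["when"]
                    for a, b in zip(hops, hops[1:]))
    return {"claimed_from": claimed, "org_domain": org, "hops": hops,
            "origin": hops[0] if hops else None,
            "domain_in_path": domain_in_path,
            "timestamps_monotonic": monotonic}


if __name__ == "__main__":
    result = trace(SAMPLE_MESSAGE)
    print("Claimed sender:", result["claimed_from"])
    for i, h in enumerate(result["hops"], 1):
        print(f"hop {i}: from {h['host']} [{h['ip']}] helo={h['helo']} by {h['by']} at {h['when']}")
    print("Claimed domain seen in path:", result["domain_in_path"])
    print("Hop timestamps monotonic:", result["timestamps_monotonic"])
```

For the sample the script reports that the claimed domain (utexas.edu) appears in no hop, that the first hop was a dial-up client at 217.134.120.241 announcing itself as "mcb-home", and that the two timestamps are in order, which is the same conclusion Randall draws by eye: the "From:" line is not authoritative, and the bottom-most "Received:" line is where the message actually entered the mail system. Keep in mind that only the "Received:" lines added by servers you trust are reliable; a sender can forge any number of lines below them.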
