Since my original post, the rate of arrival in my inbox has
diminished from about ten per hour to about one per two
hours. I doubt if there is any connection, but the
infestation seems to be blowing over.
"D." <Dereka_k@NotSoHotmail.com> wrote:
I've received several hundred myself the last several days. I have no idea
how much legitimate E-mail has been bounced off my account.
I was very glad to hear I was not the only one. I was
getting a little weirded out at first, especially because
these lengthy emails started coming in large numbers. That
was the day before Symantec added this virus to their
definitions.
Since I live in the boonies, the phone lines are
multiplexed, so I only get a 26k connection. These things
were taking FOREVER to download. That's always a sure sign
of a virus' arrival in my situation. What was really amazing
was the QUANTITY. It forced me to learn to use the Earthlink
Webmail.
"John-James-Connellan" <usa@hotmail.net> wrote:
I got a new e-mail address and stopped the old e-mail address.
That solved the problem for me. :-))))))))))))))))))))))))))))
Side effects, I have yet to resubscribe to useful newsletters.
That's always an option, but I like the one I'm using. I
registered that name 28 years ago when the paint was still
wet on a very tall building that is no longer standing.
Someone else who actually MAKES something grabbed the dot
com, however.
AthlonRob <athlonrob@nodomainhere.ext> wrote:
I'm not sure on the Return-Paths - I've asked a few folks and none of
them have had a real answer as to their real-ness.
I guess we have established later on that they need not be
real. I have sent polite emails to a SELECT FEW of the
Return-Path: addresses which do not assume they themselves
are the origination of the virus email, but merely suggest
the possibility and advise them that if they have not
scanned their computers lately, it might be prudent to do
so. This is similar to the emails I sent to my own
correspondents before I realized the virus appears to be
only Usenet related. Since these did not come back, it
seems likely they are real addresses, but of course, not
necessarily the originating addresses. The one that did come
back was because their inbox was full, which means that it,
too, may be clogged with viruses.
Martin <ml_news@ddnospamddml1dd.co.uk.dd> wrote:
(Just in case you didn't get the hint. DO NOT REPLY TO VIRUS/WORM MAIL.
It shouldn't take any intelligence to reason why.)
Replying to the Return-Path: is not quite the same as simply
replying to the email. The Return-Path: field is less
obviously bogus than the From: field.
"Robi" <r_buecheler@remove.yahoo.com> wrote:
The following lines can be forged:
From:
Return-Path:
Reply-To:
You can only go by the
Received:
lines, and there you need to tread carefully,
because they can be inserted by the sending mailer (spoofed),
but the mail exchangers have to add a
Received: line above the previous Received: line.
That way you can trace back from top down
where the message probably came from.
Here's a typical sequence from an actual occurrence
in which the Return-Path domain matches that of the
Received: sequence:
Return-Path: <jpick@charter.net>
Received: from remt19.cluster1.charter.net ([209.225.8.29])
by sparrow (EarthLink SMTP Server) with ESMTP id
1a2If06CF3NZFjV0 for <dtresearch@earthlink.net>;
Thu, 25 Sep 2003 19:21:53 -0700 (PDT)
Received: from [24.197.101.170] (HELO ovfr)
by remt19.cluster1.charter.net (CommuniGate Pro SMTP 4.0.6)
with SMTP id 3264321; Thu, 25 Sep 2003 22:21:42 -0400
(slightly reformatted to fit on the page). If I'm
understanding you correctly, the e-mail enters the system
"at the bottom", and entries are appended upwards as the
document wends through the system?
Here's an example in which the Received: domain and the
Return-Path: domains do not appear to match:
Return-Path: <alecandmarylillie@tesco.net>
Received: from mta4-svc.business.ntl.com ([62.253.164.44])
by vulture (EarthLink SMTP Server) with ESMTP id
1a2BOI2Xj3NZFl50
Thu, 25 Sep 2003 12:30:20 -0700 (PDT)
Received: from mvlnsms ([62.252.177.51]) by
mta4-svc.business.ntl.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806)
with SMTP id
<20030925192453.IOQD8268.mta4-svc.business.ntl.com@mvlnsms>;
Thu, 25 Sep 2003 20:24:53 +0100
Thus I suppose we can assume that
<alecandmarylillie@tesco.net> may be a perfectly valid
address that the virus has plucked from somewhere and
planted into this message.
That way you can trace back from top down
where the message probably came from.
But does the bottom entry actually give us anything we can
actually use?
Thanks, by the way, for the detailed explanation.
AthlonRob <athlonrob@nodomainhere.ext> wrote:
The virus, unfortunately, randomly scans
newsgroups from a user's NNTP server. That is, after it infects your
system, it figures out what NNTP server you use, and scans random
newsgroups on that server for email addresses
I'm wondering if it scans the reader rather than the server.
All the information it needs would already be there on the
local machine. Besides, some news servers require passwords,
which may not be accessible to the virus. Of course, you may
have studied the code, or read otherwise from a reliable
source, in which case I'm totally wrong.
It's a nasty bugger
Thanks for the commiseration.
Anyway... you aren't using a munged FROM header,
so the virus (and spammers, too, BTW) are easily
able to pick up your email address.
Just keeping the Earthlink Spaminator on its toes.
I've been using my real address for about ten years.
Most news servers won't hold a single one of
your posts for very long (a few weeks, max)...
You haven't used Giganews (not a plug).
They keep the non-binaries for about six months.
I'm sure this one's idea of scouring as
many usenet posts as possible for email addresses
will catch on as time goes by.
Much as I hate the idea, you're probably right.
"Nic O'Demus" <me@privacy.net> wrote:
It appears that the current plague is capable of
harvesting emails' addies from newsgroups
and also is capable of stripping common munges
from email addresses
I'm not convinced that it's going onto the news servers to
harvest addresses; I'm more inclined to think it's getting
them from the NEWS READERs. Perhaps that's what you meant.
I'm wondering if it's specific to Outlook Express only? I've
also observed that associates who still use real e-mail
addresses in their commercial websites (rather than
irritating forms) are not being hit by these hardly at all,
unlike, for example, the sobig, which hit them hard. I
wonder if it's just a Usenet-only thing?
"Terry Groff" <terry@terrygroff.com> wrote:
I use a program called MailWasher which pre-reads my email on the
server and automatically cleans it out
I'm not sure that would be much easier than running
Earthlink Webmail to clean it out, which is what I've had to
resort to doing. Either way, you still have to BE THERE to
run the darn thing before the box fills up and the mail
starts bouncing.
"PG" <pg@gravko.net> wrote:
it is possible
"me" <an89765478@anon.penet.de> wrote in message
news:8a14nvkkf6tvshr5lmpdati89ccno5l45o@4ax.com...
Do you think it might just be because you use a REAL email address?!!!
I only discovered fairly recently one could use other than a
"real" email address. It has previously not been a problem.
This is the first Usenet-related virus I've had to deal
with. Mostly I've had to deal with friends who forward their
stupid email junk to dozens of their closest friends
(including me) with all the names and email addresses in the
CC field instead of the BCC like I've told them over and
over.
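A small header walk of the kind Robi describes, written as an added example for this thread (it is not code posted by anyone in it): it unfolds the Received: lines with Python's standard email parser, reverses them into transit order (the topmost line is the one added last, by the relay nearest the recipient), checks that each relay's "by" host is the next line's "from" host, and compares the Return-Path: domain with the first relay that accepted the message. The two header blocks are the examples quoted above, re-folded so each continuation line starts with a space; the function names and result keys are my own.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Header blocks copied from the two examples in the thread above (whitespace
# re-folded so that every continuation line starts with a space).
MATCHING = """\
Return-Path: <jpick@charter.net>
Received: from remt19.cluster1.charter.net ([209.225.8.29])
 by sparrow (EarthLink SMTP Server) with ESMTP id
 1a2If06CF3NZFjV0 for <dtresearch@earthlink.net>;
 Thu, 25 Sep 2003 19:21:53 -0700 (PDT)
Received: from [24.197.101.170] (HELO ovfr)
 by remt19.cluster1.charter.net (CommuniGate Pro SMTP 4.0.6)
 with SMTP id 3264321; Thu, 25 Sep 2003 22:21:42 -0400
"""

MISMATCH = """\
Return-Path: <alecandmarylillie@tesco.net>
Received: from mta4-svc.business.ntl.com ([62.253.164.44])
 by vulture (EarthLink SMTP Server) with ESMTP id
 1a2BOI2Xj3NZFl50
 Thu, 25 Sep 2003 12:30:20 -0700 (PDT)
Received: from mvlnsms ([62.252.177.51]) by
 mta4-svc.business.ntl.com
 (InterMail vM.4.01.03.37 201-229-121-137-20020806)
 with SMTP id
 <20030925192453.IOQD8268.mta4-svc.business.ntl.com@mvlnsms>;
 Thu, 25 Sep 2003 20:24:53 +0100
"""

# "from <peer> <anything> by <relay>"; the peer IP, if present, sits in the
# first two groups.
HOP_RE = re.compile(r"^from\s+(\S+)(.*?)\s+by\s+(\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_chain(raw_headers):
    """Parse the Received: lines and return the hops in transit order.

    The topmost Received: line was added last (by the relay nearest the
    recipient), so the list as read top-down is reversed to put the earliest
    hop first.
    """
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())           # unfold continuation lines
        m = HOP_RE.match(text)
        if not m:
            continue                             # no from/by pair; skip it
        ip = IPV4_RE.search(m.group(1) + m.group(2))
        hops.append({
            "from": m.group(1).strip("[]").lower(),  # what the peer called itself
            "ip": ip.group(1) if ip else None,       # what the relay saw
            "by": m.group(3).rstrip(";,").lower(),   # relay that wrote the line
        })
    hops.reverse()
    return hops


def check_headers(raw_headers):
    """Compare Return-Path: against the Received: chain, as the thread describes."""
    msg = HeaderParser().parsestr(raw_headers)
    _, addr = parseaddr(msg.get("Return-Path", ""))
    rp_domain = addr.rpartition("@")[2].lower()
    hops = received_chain(raw_headers)
    # Each relay's "by" host should be the next line's "from" host. A break in
    # that hand-off is where lines below may have been supplied by the sender.
    linked = all(hops[i]["by"] == hops[i + 1]["from"] for i in range(len(hops) - 1))
    first_relay = hops[0]["by"] if hops else ""
    rp_matches = bool(rp_domain) and (
        first_relay == rp_domain or first_relay.endswith("." + rp_domain))
    return {
        "return_path_domain": rp_domain,
        "first_relay": first_relay,
        "return_path_matches_first_relay": rp_matches,
        "chain_linked": linked,
        # Origin as reported by the earliest relay; only as good as that relay.
        "origin_ip": hops[0]["ip"] if hops else None,
        "hops": hops,
    }


if __name__ == "__main__":
    for label, block in (("matching", MATCHING), ("mismatch", MISMATCH)):
        r = check_headers(block)
        print(label, r["return_path_domain"], "->", r["first_relay"],
              "match" if r["return_path_matches_first_relay"] else "NO MATCH",
              "origin", r["origin_ip"])
```

On the question of whether the bottom entry gives you anything usable: the IP it records is whatever the earliest relay saw on its socket, so it is as reliable as that relay and no more. Lines below the one your own provider's server added can be supplied by the sender, which is why the hand-off check above is worth running before reading anything into the lowest line.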