in case nobody else noticed it, there was a mail worm released today

my copies (500 or so, before i filtered) are in a ~7MB gzip'd mailbox file
called http://sa.vix.com/~vixie/mailworm.mbox.gz (plz don't fetch that unless
you need it for comparison or analysis). there's a high degree of splay in
the smtp/tcp peer address, and the sender is prepared to try backup MX's if
the primary rejects it, though it appears to try the MX's in priority order.
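Triage of the kind of mailbox Paul describes, as an added example that is not part of the thread: it splits an mbox into messages, counts the copies that pose as bounces yet carry an executable-looking attachment, and reports how many distinct peer addresses and /24s those copies arrived from (a rough measure of the splay mentioned above). The sample mbox, its hosts and addresses, and the attachment-extension list are all constructed for this example.

```python
import email
import re
from collections import Counter
# Constructed sample standing in for the thread's ~7MB mailworm.mbox.gz: two worm
# copies dressed up as bounces, arriving from unrelated /24s, plus one genuine
# bounce from the local MX. Hosts, addresses and file names are all made up.
SAMPLE_MBOX = """From MAILER-DAEMON@example.com Tue Jan 27 07:01:00 2004
Received: from pc1.example.net ([192.0.2.17]) by mx.example.org with SMTP
From: Mail Delivery Subsystem <MAILER-DAEMON@example.com>
Content-Type: application/octet-stream; name="document.zip"

From postmaster@example.com Tue Jan 27 07:02:00 2004
Received: from dsl-9.example.net ([198.51.100.9]) by mx.example.org with SMTP
From: postmaster@example.com
Content-Type: application/x-msdownload; name="message.scr"

From MAILER-DAEMON@mx.example.org Tue Jan 27 07:04:00 2004
Received: from localhost ([127.0.0.1]) by mx.example.org with ESMTP
From: MAILER-DAEMON@mx.example.org
Content-Type: text/plain

Your message could not be delivered.
"""

RISKY_EXT = (".zip", ".pif", ".scr", ".exe", ".bat", ".cmd")   # my heuristic list
BOUNCE_RE = re.compile(r"mailer-daemon|postmaster|mail delivery", re.I)

def messages(mbox_text):
    """Split an mbox on its 'From ' separator lines and parse each message."""
    for chunk in re.split(r"^From ", mbox_text, flags=re.M)[1:]:
        yield email.message_from_string(chunk.split("\n", 1)[1])

def peer_ip(msg):
    """SMTP peer address from the topmost Received header (written by our MX)."""
    m = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", msg.get("Received", ""))
    return m.group(1) if m else None

def is_worm_copy(msg):
    """A 'bounce' that carries an executable-looking attachment is not a bounce."""
    names = [part.get_filename() or "" for part in msg.walk()]
    return bool(BOUNCE_RE.search(msg.get("From", ""))) and any(
        n.lower().endswith(RISKY_EXT) for n in names)

def triage(mbox_text):
    """Count worm copies and measure how spread out their peer addresses are."""
    msgs = list(messages(mbox_text))
    peers = Counter(ip for m in msgs if is_worm_copy(m) and (ip := peer_ip(m)))
    return {"total": len(msgs), "worm_copies": sum(peers.values()),
            "distinct_peers": len(peers),
            "distinct_slash24s": len({ip.rsplit(".", 1)[0] for ip in peers})}
```

On a real capture, a worm_copies count that rises while distinct_slash24s stays low would point at a few infected hosts rather than a widespread outbreak.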

Paul Vixie [1/27/2004 7:22 AM] :

my copies (500 or so, before i filtered) are in a ~7MB gzip'd mailbox file
called http://sa.vix.com/~vixie/mailworm.mbox.gz (plz don't fetch that unless
you need it for comparison or analysis). there's a high degree of splay in
the smtp/tcp peer address, and the sender is prepared to try backup MX's if
the primary rejects it, though it appears to try the MX's in priority order.

MyDoom / Novarg etc

http://news.com.com/2100-7349_3-5147605.html?tag=nefd_top

We are seeing 2 widespread worms right now, mydoom and dumaru.*

NAI has info at

http://vil.nai.com/vil/content/v_100983.htm

and

http://vil.nai.com/vil/content/v_100980.htm

The rate of it is quite surprising. By the description, the trick / method of infection does not seem all that different than past worms viri. Makes me wonder how many people in a room would reach into their purse/pocket on hearing, "Wallet inspector"

         ---Mike

The worm is being talked about on news.com and all the major virus vendors
already have advisories on their websites. The worm in my case masqueraded
as a Mailer Daemon bounce. Source email address appeared to be valid and
matching a domain of a website I visited recently (but have not for a long
time). Anyone know how the worm generates the sending domain?

This lovely little worm will start beating on the door at www.sco.com come Feb 1/04. Interesting huh?

This lovely little worm will start beating on the door at www.sco.com come
Feb 1/04. Interesting huh?

Wonder if we should all be proactive to prevent the DoS attack,
and drop the A records for www.sco.com now? Just in case any
customers' clocks are set forward ;)

This virus, so far, has been the most prolific (in terms of copies
per hour) I've seen on a number of sites' (our own included) virus
scanning servers, not a good sign. It did slow down by around 10%
at COB AEDT but I wouldn't be surprised to see a big surge as the
US business day starts.

Even just my personal inbox is getting around 5/minute (direct
copies combined with bounces from forged messages). Interestingly,
the vast majority of the bounces are to an address that has never
been used to send mail, and is only rarely given over the phone,
david@<domain-of-isp-i-work-for>. One of the virus scanners here
is getting around 20/second.

David.

: The rate of it is quite surprising. By the description, the trick /
: method of infection does not seem all that different than past worms
: viri. Makes me wonder how many people in a room would reach into their
: purse/pocket on hearing, "Wallet inspector"

Every single person that still opens these damn attachments! :(

scott

: The rate of it is quite surprising. By the description, the trick /
: method of infection does not seem all that different than past worms
: viri. Makes me wonder how many people in a room would reach into their
: purse/pocket on hearing, "Wallet inspector"

Every single person that still opens these damn attachments! :(

IN WINDOWS!

I've been wondering lately, after about 10 years of email worms spreading in
exactly the same manner with every incarnation ... why do you think people
haven't learned not to open unexpected attachments yet? It would seem to me
that even the most clueless user would modify his/her behavior after, say,
the 25th time they've been infected and had to 1) call tech support or 2)
reinstall their OS (or more likely, have someone else reinstall their OS).

Worms today are exploiting the same fundamental flaws they were using 10
years ago, so maybe the question above has the wrong focus. Maybe we should
be asking why vendors haven't bothered to fix these problems - it's not like
they haven't had enough time or examples.

(Note: I really do not want this to degenerate into another rant against
vendor M; for once, I really am curious as to why we're still getting bit by
bugs using the same holes they were using with Windows 95 and NT 4. Worms
obviously pose a significant financial cost to business, and I heard this
latest one mentioned at least 3 times from various non-Internet media outlets
yesterday, so public awareness isn't the problem either.)

Several reasons:

1) in each of those 10 years there is one more year's worth of human beings for whom this is their first email virus and they have no idea what it is they are clicking on.

2) some people's job legitimately involves getting lots of mail attachments and just as people reflexively click on the "Are you sure you want to do X? Yes, No" messages, these people reflexively open every attachment they get.

3) some people believe everything they read and will always fall for the "here is the response you requested" line du jour, just like there are people who believe that Elvis isn't dead but is living in an East Texas rest home (see www.bubbahotep.com :)

4) some people never learn :(

face it, the following quote has always been true and will always be true

"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning."
         -- Rich Cook.

jon bennett