MyDoom, which is pretty popular right now, tries to read whatever address books it can find on the victim's computer to harvest email addresses. It also crawls through a lot of different files--everything with .txt, .htm and several other extensions--for anything that looks like an email address. (One of the file extensions it searches is .dbx, so if you use Outlook Express, it will find every passing reference to an email address in any message you still have.) It then picks a harvested address at random to be the lucky From person, and starts sending mail to all the others. MyDoom also includes a nifty little mail server in case it can't use your ISP's mail server. It sends messages with attachments with different extensions, including .ZIP. It tries to fool you into opening the attachments by using names like this:

    whatever.doc<hundred spaces>.exe
So you think it's a .doc or .txt or .zip file, and it's really an executable program.

It also does a limited dictionary attack, with a list of several dozen common names, sending a message to each of these names on each domain in its list. So it doesn't just send to email addresses it got from you, it also tries to guess email address names for all the domains it found anywhere on your computer. This is very rude, and means that the big domains are having to send tons of non-delivery reports for all the bogus email coming at them. And if you're the poor From guy, then you start getting all those NDRs delivered to your mailbox too, along with all the bitch mail from antivirus programs telling you that you sent them a virus. (This is why these programs should quit notifying senders of viruses--forged From is getting to be so common that they just end up panicking or annoying someone innocent.)

It also copies itself to your Kazaa share directory, so you start offering it to other unwary Kazaa users under one of several different file names.

As for why it ended up being in the body of a message, who knows (or really cares)? There are new strains of the same old viruses released every day, each one more incompetent and buggy than the last. Or some kind of filter munged it up, or something. It could have gotten corrupted or truncated en route in such a way that the MIME blob became interpreted as plain text.

Bottom line: if you get a virus via email, it's more likely than not these days that it didn't come from the From: person. You don't even need to inform them just to be safe. Someone else who's less educated (lots of someone elses, most likely) will have already done it.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Erik Reuter
> Sent: Friday, April 02, 2004 6:08 PM
> To: Killer Bs Discussion
> Subject: Re: Virus infection alert !
>
> On Fri, Apr 02, 2004 at 06:03:32PM -0800, Nick Arnett wrote:
>
> > But if anyone figures to play games thus, they'd better also figure
> > out how to do some sort of IP spoofing...
>
> Or write a virus that gets other people to send the email for
> you, or find an open relay, or take over someone's insecure
> computer on a cable modem or DSL network...
>
>
> --
> Erik Reuter http://www.erikreuter.net/
> _______________________________________________
> http://www.mccmedia.com/mailman/listinfo/brin-l
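The attachment-naming trick described in the message above (a decoy extension, a long run of spaces, then the real .exe) is easy to catch mechanically once you look at the whole filename rather than what fits in a mail client's attachment column. The following is an added example written for this page, not code from the original message, from MyDoom, or from any antivirus product: it parses a constructed sample message with Python's standard email library, pulls each attachment's declared filename, and reports the real extension, the decoy extension the user is meant to see, and how many characters of padding sit between them. The executable-extension list and the sample message are illustrative assumptions.

```python
import email

# Extensions Windows runs directly when the file is double-clicked.
# Assumption: an illustrative subset, not the full list a mail gateway would use.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}


def analyze_name(name):
    """Split an attachment filename into (real_ext, decoy_ext, padding).

    real_ext  - extension after the last dot (what Windows acts on), lowercased
    decoy_ext - extension sitting in front of it that the user is meant to see
    padding   - number of spaces/tabs inserted between decoy and real extension
    Returns (None, None, 0) when the name carries no usable extension.
    """
    name = name.strip()
    stem, dot, ext = name.rpartition(".")
    if not dot or not ext.isalnum():
        return (None, None, 0)
    real_ext = ext.lower()
    # Whitespace run between the visible part of the name and the real extension
    visible = stem.rstrip(" \t")
    padding = len(stem) - len(visible)
    decoy_ext = None
    _, dot2, ext2 = visible.rpartition(".")
    if dot2 and ext2.isalnum() and len(ext2) <= 5:
        decoy_ext = ext2.lower()
    return (real_ext, decoy_ext, padding)


def is_disguised(name):
    """True when the file will run as a program but is dressed up as something else."""
    real_ext, decoy_ext, padding = analyze_name(name)
    if real_ext not in EXECUTABLE_EXTS:
        return False
    return padding > 0 or (decoy_ext is not None and decoy_ext not in EXECUTABLE_EXTS)


def scan_message(raw):
    """Parse one raw RFC 822 message; return [(filename, analysis)] for disguised attachments."""
    msg = email.message_from_string(raw)
    flagged = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not an attachment
        filename = part.get_filename()
        if filename and is_disguised(filename):
            flagged.append((filename, analyze_name(filename)))
    return flagged


# Constructed sample message (not a real capture): one text part plus an
# attachment named "document.doc", then a hundred spaces, then ".exe".
TRICK_NAME = "document.doc" + " " * 100 + ".exe"
SAMPLE_MESSAGE = "\n".join([
    "From: someone@example.org",
    "To: you@example.net",
    "Subject: hello",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="part-boundary"',
    "",
    "--part-boundary",
    "Content-Type: text/plain",
    "",
    "The message is in the attached file.",
    "--part-boundary",
    "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="%s"' % TRICK_NAME,
    "Content-Transfer-Encoding: base64",
    "",
    "TVqQAAMAAAAEAAAA//8AAA==",
    "--part-boundary--",
    "",
])


if __name__ == "__main__":
    for name in ["notes.txt", "setup.exe", "report.doc.exe", TRICK_NAME]:
        verdict = "disguised" if is_disguised(name) else "ok"
        print(repr(name[:16]), analyze_name(name), verdict)
    for filename, analysis in scan_message(SAMPLE_MESSAGE):
        print("flagged attachment:", analysis)
```

Note that `get_filename()` only trims whitespace at the two ends of the name, so the hundred spaces in the middle survive parsing and the check sees them; a client that truncates the display column is what hides them from the user. A plain `setup.exe` is reported as executable but not disguised, which is deliberate: a gateway policy may well block it too, but that is a different rule from the one this message is about.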
