Hello, Dave and the list,

The address [EMAIL PROTECTED] is from my sign. I have received the same
kind of failure notices from:

[EMAIL PROTECTED]

[EMAIL PROTECTED]

That doesn't mean the computers using these addresses are infected; Mydoom
just picks up random addresses from the WAB (Windows address-book file) from
the infected computers and uses them as the sender.
It can also collect the fake sending addresses / addresses to send from the
following files in the infected computer:

Mail Propagation

The worm collects addresses where to send itself from Windows' Address Book and from files with extension:

 pl
 adb
 tbb
 dbx
 asp
 php
 sht
 htm
 txt

Peer-to-Peer Spreading

The worm will look up from the Windows' Registry the value containing the user's Kazaa shared folder, and it will copy itself to that location with a filename composed from the following list:

 winamp5
 icq2004-final
 activation_crack
 strip-girl-2.0bdcom_patches
 rootkitXP
 office_crack
 nuke2004


The summary and disinfection of Mydoom can be found at:

http://www.f-secure.com/v-descs/novarg.shtml

take care,

pekka s



DNAndrews wrote:
Hi Mark and list,
(Sorry Art I know we're not supposed to talk about this on the list).  Looks like it's already made the list.  I just got a returned message or failure notice for a message I never sent to a "[EMAIL PROTECTED]".  The address was spoofed to make me look like the sender.  The body.pif file was the intended payload.  I traced the header information to the real sender:

Received: from sgrelayg1.core.theplanet.net (195.92.195.145)
 by indium.smartgroups.com with SMTP; 27 Jan 2004 16:56:18 -0000
Received: from aputeaux-115-1-3-220.w193-251.abo.wanadoo.fr ([193.251.71.220]

Bruno Drouet is the owner of this domain.  Not sure if he's the owner of the IP address though.

Beware out there and update your virus programs!

Dave






-- 




Pekka Savolainen
Jokiharjuntie 4
FIN-71330 Rasala
FINLAND

+ 358 400 818 912

Group Home Page: http://www.smartgroups.com/groups/eurocoin
Group Email Address: [EMAIL PROTECTED]
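
The header tracing described in the quoted message can be done mechanically. The following is an added example, not part of the original posts: it walks the Received chain from the newest header down and reports the first hop that did not come from a relay you trust. It assumes the topmost header was written by your own mail server; the `trusted_ips` parameter, the function names and the completed parts of the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample. The two Received lines echo those quoted in the thread;
# the end of the second header, its "by" clause and the From/Subject lines
# are assumptions added so the message parses.
SAMPLE = """\
Received: from sgrelayg1.core.theplanet.net (195.92.195.145)
 by indium.smartgroups.com with SMTP; 27 Jan 2004 16:56:18 -0000
Received: from aputeaux-115-1-3-220.w193-251.abo.wanadoo.fr ([193.251.71.220])
 by sgrelayg1.core.theplanet.net with SMTP; 27 Jan 2004 16:56:10 -0000
From: spoofed.victim@example.org
Subject: constructed sample

body
"""

# "from <claimed name> (<ip>)" or "([<ip>])", then the relay that wrote the line.
HOP = re.compile(
    r"from\s+(?P<host>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?[^)]*\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def hops(raw):
    """Received hops, newest first, as (claimed_host, observed_ip, written_by)."""
    values = message_from_string(raw).get_all("Received", [])
    return [(m["host"], m["ip"], m["by"])
            for m in map(HOP.search, values) if m]

def injection_point(raw, trusted_ips):
    """Walk from the newest header down and return the first hop whose
    connecting IP is not one of our relays. Everything below that header
    was supplied by the sender and can be forged, like the From line."""
    for host, ip, by in hops(raw):
        if ip not in trusted_ips:
            return host, ip, by
    return None  # every recorded hop was one of our own relays

if __name__ == "__main__":
    print(injection_point(SAMPLE, {"195.92.195.145"}))
```

The host name in each hop is whatever the connecting machine claimed; only the IP recorded by a trusted relay is evidence of where the message entered.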
