Maker Pro

Worm and Virus attack

Active8

I have received almost 700 copies of worm or virus mail to this
account in the past 24 hours.

This has been the GIBE virus, the new "returned mail" item.

Anyone else?
you'd think that third world, outsourced, jerk at earthlink live chat
support could take the fact that these executables are sent under a
bogus MIME type to someone who could incorporate that into the filter.
no, just pawn it off on MS and do nothing. anyone know what MIME type an
exe or scr *should* be sent with? i can't remember.

mike

out goes the hurricane, in comes the flood. what timing.
 
Jim Thompson

will-get-you.com says... [snip]
Those of us running Eudora got NONE ;-)

...Jim Thompson
too bad the free Eudora is spyware. not sure about the not free one, if
there is such a thing.

mike

Those of us aged obstinate ones (otherwise known as old farts) are
still using original flavor Eudora Pro v3.0.5... no pop-ups, no
spyware, no nothing but a plain simple-minded mailer. Works just fine
on Win2K, and is supported by Spamnix.

...Jim Thompson
 
Guest

quoting Winfield
1000+ at home this morning. Strangely, I got almost none at my work email.

the worm gathers addresses from USEnet posts, so if you don't
use your work email address to post...

the more you post, the more likely it is that the worm "talks to
you"...

check out news.admin.net-abuse.email for more details, hints and
insights.
 
Spehro Pefhany

too bad the free Eudora is spyware. not sure about the not free one, if
there is such a thing.

Yes, there's a paid version, which we have bought. I don't think the
free version is spyware, just adware. One time I accidentally deleted
the ad window and it stopped working until I figured out how to bring
it back. 8-(

Best regards,
Spehro Pefhany
 
Nico Coesel

Jim Thompson said:
On 19 Sep 2003 12:02:11 -0700, Winfield Hill <[email protected]>
wrote:

Don Pearce wrote...

On 19 Sep 2003 10:51:14 -0700, Aubrey McIntosh wrote:

I have received almost 700 copies of worm or virus mail
to this account [snipped] in the past 24 hours.

This has been the GIBE virus, the new "returned mail" item.

Anyone else?

Everyone. At 700 you have come off lightly.

I got over 1000 at home this morning, over 450 of them
arriving in a single 5 minute period at about 0640 EST.
Strangely, I got almost none at my work email.

Thanks,
- Win

Those of us running Eudora got NONE ;-)

...Jim Thompson

Netscape, none, but I don't see how one's email client affects this.
At least with Netscape, unopened mail doesn't execute.

What do the virus messages look like?

John

Eudora's address book isn't hijackable as Outhouse Excuse's is.

Although I suppose I could get listed in someone's Outhouse address
book... it's not likely... I have no friends ;-)

It's not the friends that cause the trouble, it's the no-no's who
don't make the effort to remember your e-mail address.
 
Michael A. Terrell

Active8 said:
i see linux systems weren't affected nor DOS or, surprisingly, MS IIS. i
swear these attacks only happen *after* ms posts a security bulletin.
then the script kiddies go to work figuring that people don't check for
updates and apply them.

for the past week, i've only had two e-mail spams sitting on the ISPs
server. i didn't download them, i just saw them in mailwasher -
www.mailwasher.net

i just got in and there were an additional 55 on the server. one of them
came from someone i know who most likely has me in her address book
which will be outhouse excuse as Jim calls it - i like that.

i'll use mailwasher to bounce them as invalid address. i see one money
making spam *may* have been harvested from usenet assuming it stripped
the "invalid" off the end of my posting addy. that would have happened
(and it's dated a week or so ago) before i further obfuscated my addy.
it has an opt out.

the flood:

i see one has gekjau.exe attached. it's from

"Internet Message System" <[email protected]>

an undeliverable message. i didn't send jack so nothing can be returned.

another "undeliverable" with

Content-Type: audio/x-wav; name="gsfoego.exe" i can see the MIME type
causing that to get run, but not here. i'm covered.

both are 800 lines - see the pattern?

another one with

Content-Type: audio/x-wav; name="ccihsep.scr"

an executable screensaver

there's more "returned" mails but i also have a slew of those ms
security updates and other ms crap. i usually don't get so many of
those. maybe 1 a month (cause i bounce, not delete.) no exe files
attached but the ones i checked are all 800 lines. hmmm... what's with
800 lines?

i see a lot of "MS" crap which is *not* the update ruse, but returned
mail with exe files.

i think i'll leave the stuff on the ISPs server and let them examine it,
unless they tell me to go ahead and bounce it. nice feature - they have
online chat support.

well earthlink doesn't care. so much for trying to help them. they said
to contact MS. f MS. i'm not infected. sarc will find the bastard,
maybe.

looks like i got off easy on this flood, so far. sorry to hear others
got hammered.

mike

Those *****.exe are garbage names to hide the worm.automat.abh, or
another variation of the worm.

I have received over 2200 in the past 24 hours. (1857 in the last 12
hours) I use Mailwasher to delete them, but they were coming in so fast
I couldn't dump the mailbox before the Earthlink mail server would time
out.
 
Winfield Hill

Nico Coesel wrote...
It's not the friends that cause the trouble, it's the no-no's
who don't make the effort to remember your e-mail address.

You're suggesting folks should memorize your email address,
rather than put it in their address book? Instead, how about
suggesting that the authors and software-engineering managers
of Microsoft's email programs and address book should check
their work before forcibly installing it on our computers, no
choice allowed, by the repeatedly-convicted monopoly company?

p.s. I've hand-inspected and erased more than 2300 virus emails
in my non-microsoft mailbox in the last 16 hours. This was made
necessary in order to read the 35 legitimate emails I received.
I'm beginning to get really angry now.

Thanks,
- Win
 
Keith R. Williams

Nico Coesel wrote...

You're suggesting folks should memorize your email address,
rather than put it in their address book?

How about folks simply saying *NO* to OE? ...then WinBlows (I've
never used OE and am on my way to being M$ free).
Instead, how about
suggesting that the authors and software-engineering managers
of Microsoft's email programs and address book should check
their work before forcibly installing it on our computers, no
choice allowed, by the repeatedly-convicted monopoly company?

Simply say "no". It's about time people dumped M$, though I'll
admit that I'm not quite ready (Win2K has been my only and last
M$ OS).
p.s. I've hand-inspected and erased more than 2300 virus emails
in my non-microsoft mailbox in the last 16 hours. This was made
necessary in order to read the 35 legitimate emails I received.
I'm beginning to get really angry now.

I can understand that. I spent a couple of hours this morning
installing filters. However, as long as the world runs on M$
trash, we're going to have these problems. ...or were you
thinking about a Tobacc^h^h^h^h^h^hclass-action suit?
 
Mike

I suspect that here Cox Communications is stopping it all... I note
that outbound E-mail is posting *very* slowly.

...Jim Thompson

I suspect that's why I didn't receive a single one of the emails. Cox on
one account, Yahoo on another (lots of my Yahoo email is related to my
manhood and my mortgage, but none is related to Microsoft security), and
work (where we have active spam filters) on another.

-- Mike --
 
Mike

On 19 Sep 2003 12:02:11 -0700, Winfield Hill <[email protected]>
wrote:

Don Pearce wrote...

On 19 Sep 2003 10:51:14 -0700, Aubrey McIntosh wrote:

I have received almost 700 copies of worm or virus mail
to this account [snipped] in the past 24 hours.

This has been the GIBE virus, the new "returned mail" item.

Anyone else?

Everyone. At 700 you have come off lightly.

I got over 1000 at home this morning, over 450 of them
arriving in a single 5 minute period at about 0640 EST.
Strangely, I got almost none at my work email.

Thanks,
- Win

Those of us running Eudora got NONE ;-)

...Jim Thompson

Netscape, none, but I don't see how one's email client affects this.
At least with Netscape, unopened mail doesn't execute.

What do the virus messages look like?

John

Eudora's address book isn't hijackable as Outhouse Excuse's is.

Although I suppose I could get listed in someone's Outhouse address
book... it's not likely... I have no friends ;-)

...Jim Thompson

I feel so bad I'm going to add you to my address book. Twice.

-- Mike (Oh, sure, you can thank me later) --
 
GPE

My guess is that you hadn't posted your cox email to the world -- as cox was
passing that stinking virus to me at nearly 200 per hour! Around 4 this
afternoon - the virus emails suddenly dropped off to near zero. My guess is
that Cox finally implemented a filter at that time.

-- Ed
 
Walter Harley

Keith R. Williams said:
[...] as long as the world runs on M$
trash, we're going to have these problems.

We'll have these problems for longer than that. Indeed, we'll have these
problems for as long as email does more than convey plain text and the
Internet supports sending of nonsecure messages. May I remind folks that
MSFT didn't invent the bug, and that the first worms were not on Windows?
Virus writers target whatever platform is dominant and powerful enough to
propagate the virus. *All* nontrivial platforms have bugs that can be
exploited given enough interest.

If you want to not catch viruses, you have two choices: adopt a non-dominant
platform (and accept that many programs will not be available to you) or
adopt the dominant program, keep it aggressively up to date, and take
precautions. If you want to not receive virus-related mail, you have two
choices: don't let anyone know your email (and accept that many people won't
be able to reach you easily) or install effective filtering mechanisms,
ideally upstream from your inbox.
 
Colin Bloch

Active8 said:
you'd think that third world, outsourced, jerk at earthlink live chat
support could take the fact that these executables are sent under a
bogus MIME type to someone who could incorporate that into the filter.
no, just pawn it off on MS and do nothing. anyone know what MIME type an
exe or scr *should* be sent with? i can't remember.

Typically executables of any kind are application/octet-stream.

However, filtering on a "bogus" MIME type would require you to:
- Cycle through MIME messages. For each Content-Type header:
- Parse out the type
- Parse the extension out of the file="foo.ext" part
- Find [type] in system mime.types file or equivalent
- Check that [ext] appears in RHS of [type] line

The problem is even if you were willing to write something to do
all this, there are several places it will fail:

- There is no official mime-type for .scr and .pif (and whatever
other Mickeysoft-centric executables.. I don't know them all) so
these will always be considered bogus, virus or not. [*]
- Mail clients will use a "catchall" extension for attachments
whose mime-types cannot be determined (ie. because the extensions
are unrecognized for one) so you will find that many of these
fall into the valid 'octet-stream' type anyway, and will pass
your filter.
- Some clients (automated mailers, Webmail clients, etc.) are
lazy or crippled and just pack any/all attachments with a
fabricated or default type (application/x-unknown for instance)
and these messages are no less valid than any others, but will
get kit-shanned by your proposed filter.
- And finally, there is no law anywhere that says a file has
to have an extension at all. So if I send /bin/rm to my buddy
who has accidentally rm'd his own copy [**] it flunks this
filter too.

Much better (and less work for both mail server and sysadmin)
is 3rd party virus-filtering software on the mail server with
daily (or more) automated definition updates.

That doesn't entirely preclude third world Earthlink chat droid
from being a jerk, however I'd say it exonerates him in this
instance.

CAB

[*] Yeah, big loss, I know.
[**] Yeah, big stretch, I know.
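The filter Colin sketches above, written out and run over constructed messages, as an added example that is not code from this thread. It reproduces the two header patterns Active8 quoted earlier (Content-Type: audio/x-wav; name="gsfoego.exe" and name="ccihsep.scr") and one sample for each of the four failure modes in the list above. The sender line, the other filenames, the base64 payload and the EXECUTABLE_EXTS list are all constructed for illustration; the type-to-extension lookup uses Python's built-in mime.types table in place of the system file.

```python
"""Extension-versus-Content-Type attachment filter, as sketched in the post
above, run over constructed "undeliverable mail" samples.

Added example, not code from the thread. Messages, filenames other than the
two quoted in the thread, the payload bytes and EXECUTABLE_EXTS are constructed."""
import base64
import mimetypes
import posixpath
from email import message_from_string, policy

# Windows executable extensions named in the thread plus the obvious siblings
# (assumption: illustrative, not a complete list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}

# The interpreter's built-in table only (no /etc/mime.types), so results are
# reproducible; pass filenames=["/etc/mime.types"] to use the system table.
MIME_TABLE = mimetypes.MimeTypes()


def build_message(attachments):
    """Constructed sample: a fake bounce carrying (filename, content_type) parts.
    The worm puts the filename in both Content-Type name= and the disposition."""
    boundary = "----=_Part_000"
    lines = [
        'From: "Internet Message System" <postmaster@example.invalid>',
        "Subject: Undeliverable Mail",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{boundary}"',
        "",
        f"--{boundary}",
        "Content-Type: text/plain",
        "",
        "Your message could not be delivered.",
    ]
    for filename, ctype in attachments:
        lines += [
            f"--{boundary}",
            f'Content-Type: {ctype}; name="{filename}"',
            "Content-Transfer-Encoding: base64",
            f'Content-Disposition: attachment; filename="{filename}"',
            "",
            base64.b64encode(b"MZ\x90\x00fake-payload").decode(),  # constructed, inert
        ]
    lines.append(f"--{boundary}--")
    return "\n".join(lines)


def classify(filename, content_type):
    """Colin's rule: the extension must be one mime.types lists for the type."""
    ext = posixpath.splitext(filename)[1].lower()
    if not ext:
        return "no-extension"          # /bin/rm and friends: nothing to check
    if ext in MIME_TABLE.guess_all_extensions(content_type, strict=False):
        return "consistent"
    return "bogus-type"


def scan_message(raw):
    """Return (filename, content_type, verdict, is_executable) per attachment."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:                   # body parts and multipart containers
            continue
        ctype = part.get_content_type()
        ext = posixpath.splitext(name)[1].lower()
        findings.append((name, ctype, classify(name, ctype), ext in EXECUTABLE_EXTS))
    return findings


# Constructed cases: the two patterns quoted in the thread, then one per
# failure mode from the post above.
SAMPLES = {
    "swen-style":      [("gsfoego.exe", "audio/x-wav"), ("ccihsep.scr", "audio/x-wav")],
    "scr-no-type":     [("fishtank.scr", "application/octet-stream")],   # [*] always "bogus"
    "catchall-passes": [("gekjau.exe", "application/octet-stream")],     # worm slips through
    "lazy-client":     [("datasheet.pdf", "application/x-unknown")],     # legit mail rejected
    "no-extension":    [("rm", "application/octet-stream")],             # [**] nothing to check
}


def run_samples():
    """Map each sample name to the verdicts its attachments receive."""
    return {name: [f[2] for f in scan_message(build_message(parts))]
            for name, parts in SAMPLES.items()}


if __name__ == "__main__":
    for name, parts in SAMPLES.items():
        for finding in scan_message(build_message(parts)):
            print(f"{name:16} {finding}")
```

Running it shows the mismatch rule doing exactly what the post predicts: the two Swen-style parts are flagged, but so is a screensaver under octet-stream and a PDF from a client that labels everything application/x-unknown, while gekjau.exe under the "correct" application/octet-stream passes untouched and a bare rm has nothing to check. The last column (extension alone, declared type ignored) is the only signal that is right for every executable sample, which is the practical reason mail gateways block on extension or scan content rather than trusting the declared MIME type.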
 
Tony Williams

Winfield Hill said:
p.s. I've hand-inspected and erased more than 2300 virus emails
in my non-microsoft mailbox in the last 16 hours. This was made
necessary in order to read the 35 legitimate emails I received.
I'm beginning to get really angry now.

I've given in.... there's a prog running here atm that
is deleting *all* my email on my ISP's mailserver. This
action has had to be taken because there is too much of
it to handle, the rate got up to 4x 200k emails/minute
some time yesterday afternoon. :(

The prediction is that things should not get worse over
the weekend, with next Monday being the biggie.
 
Active8

[snip]
Those *****.exe are garbage names to hide the worm.automat.abh, or
another variation of the worm.

i know. many worms generate a new random filename each time they
propagate.
I have received over 2200 in the past 24 hours. (1857 in the last 12
hours) I use Mailwasher to delete them, but they were coming in so fast
I couldn't dump the mailbox before the Earthlink mail server would time
out.

wow. i'm only at 83. that's around 30 more since the last time i posted,
which was the post you replied to. if you really mean that you deleted
them rather than bounced them, ouch. you may or may not have confirmed a
valid e-mail addy.

mike
 
Active8

Typically executables of any kind are application/octet-stream.

that's what i was thinking.
[snip]
- And finally, there is no law anywhere that says a file has
to have an extension at all. So if I send /bin/rm to my buddy
who has accidentally rm'd his own copy [**] it flunks this
filter too.

yikes. i never thought of the possibility of a command like rm -r *.*
getting executed by a mail program. they don't run as root do they? i'm
not even sure if an attach can be sent like that - with args, that is.

brs,
mike
Much better (and less work for both mail server and sysadmin)
is 3rd party virus-filtering software on the mail server with
daily (or more) automated definition updates.

That doesn't entirely preclude third world Earthlink chat droid
from being a jerk, however I'd say it exonerates him in this
instance.

CAB

[*] Yeah, big loss, I know.
[**] Yeah, big stretch, I know.
 
Active8

Yes, there's a paid version, which we have bought. I don't think the
free version is spyware, just adware. One time I accidentally deleted
the ad window and it stopped working until I figured out how to bring
it back. 8-(

Best regards,
Spehro Pefhany
ok, i will (and you might) check the grc.com security ng to double check
the ad/spy-ware question.

tnx,
mike
 
Winfield Hill

Active8 wrote...
wow. i'm only at 83. that's around 30 more since the last time i posted,
which was the post you replied to. if you really mean that you deleted
them rather than bounced them, ouch. you may or may not have confirmed
a valid e-mail addy.

I've now received over 3000 of these, each of which has a 106k
bytes-long worm. That's 320MB of downloads from my mail server
in Pittsburgh in the last 24 hours. My Comcast cable modem has
a slow upload speed of about 150k bits/sec, so if I were to have
bounced these messages, that would have taken about 5 hours of
full upload traffic. It's hard to see how folks with ordinary
POTS modems could survive such an attack.

They're coming in at the rate of about four a minute right now.
I spent some time trying to set filters, but the quasi-random
nature of the Swen email headings makes that impractical with
my The Bat! email client. I'm ready to change programs again.

Thanks,
- Win
 