So, I just got an e-mail from mandrake - it came from mandrakesoft, and it came to my tagged address that is only used for that mailing list. The headers seemed to indicate that it really came from there. I think that the assertion made in the headers is that it really was from a poster to the mailing list.
The actual origin was a machine in Italy. I don't have another piece of mail to see if the origin actually matches the origin of the real mail in received lines, but the headers sure looked reasonable.

The type is multipart/mixed. There is a plain text section which is empty, a details.doc.scr, and a plain text section called "message.footer" that actually looks like a message footer from the mandrakesoft security list. I have no idea if it was created by the mailing list software or if it was plugged in by the malware. The other content was an attachment with the name "details.doc.scr" of a type application/octet-stream. Of course, this is a virus.

I doubt that ppp-62-10-51-103.dialup.tiscali.it is making these postings by hand to get around mailing list origin filters. I also suspect that the people at Mandrake are likely not running infected Windows boxes - they would be running infected Linux boxes, were there viruses handy, I guess.

What is more likely is that our friends the virus writers are starting to look at the mail that they send out and maybe they are duplicating old combinations that they see in the mail files saved on disk, which will result in more of this - mailing lists which check origins and which have been virus resistant because of that will be getting hit. Makes me glad that I am running demime on all my mailing lists.

It was amusing that it came on a security mailing list. They should probably make this a moderated mailing list.

Of course :-), this week, anyway, I am reading this on Linux, so I am not worried about this worm-thing. But many people like Windows for console interaction. And they will be infectable.

--
Blog: http://majordomo.squawk.com/njs/blog/blogger.html
Atom: http://majordomo.squawk.com/njs/blog/atom.xml
RSS: http://majordomo.squawk.com/njs/blog/atom.rdf
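The message layout described in the post, checked from the list operator's side. This is an added example, not code from the post and not demime's own code: it rebuilds the three-part multipart/mixed message with constructed contents, flags the double-extension attachment, and keeps only the text parts. The extension sets, the address and the function names are assumptions made for the illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative extension sets chosen for this example, not an exhaustive list.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}
DECOY_EXTS = {".doc", ".txt", ".pdf", ".jpg", ".xls", ".zip"}

def build_sample():
    """Constructed message, serialized and re-parsed, laid out as in the post."""
    msg = EmailMessage()
    msg["From"] = "poster@example.org"  # constructed address
    msg["Subject"] = "details"          # constructed subject
    msg.set_content("")                 # the empty plain text section
    msg.add_attachment(b"constructed placeholder bytes, not a real binary",
                       maintype="application", subtype="octet-stream",
                       filename="details.doc.scr")
    msg.add_attachment("constructed list footer\n", filename="message.footer")
    return message_from_bytes(msg.as_bytes(), policy=policy.default)

def risky_name(filename):
    """True for names like details.doc.scr: decoy extension, then executable."""
    stem, last = os.path.splitext(filename.lower())
    return last in EXECUTABLE_EXTS and os.path.splitext(stem)[1] in DECOY_EXTS

def audit(msg):
    """Return (filename, content_type, verdict) for each leaf MIME part."""
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        verdict = ("double-extension executable" if risky_name(name)
                   else "ok" if part.get_content_maintype() == "text"
                   else "non-text attachment")
        report.append((name, part.get_content_type(), verdict))
    return report

def strip_to_text(msg):
    """Rebuild the message keeping only its text/plain parts."""
    clean = EmailMessage()
    clean["Subject"] = str(msg["Subject"] or "")
    kept = [p.get_content() for p in msg.walk()
            if p.get_content_type() == "text/plain"]
    clean.set_content("".join(kept))
    return clean

if __name__ == "__main__":
    for row in audit(build_sample()):
        print(row)
```

The check is independent of the sender headers, which is the point the post makes: a forged but plausible origin passes an origin filter, while the attachment itself still gives the message away.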
