On Sat, Oct 12, 2002 at 07:04:09PM +0200, Hans Peter Verne wrote:
>
> $ sweep -s REG.exe
> >>> Virus 'W95/CIH-1049' found in file REG.exe
>
> > YOU MUST BE A LIST MEMBER IN ORDER TO POST TO THE LPRNG MAILING LIST
> > The address you post from MUST be your subscription address
>
> Ha-hum?

No doubt the worm is forging the return address of somebody who
is subscribed. The return address is all most list software will
check.

Forged return address is standard behavior on the part of the Klez
family of worms, of which at least one variant is reported to be
carrying one of the Chernobyl family of viruses, as reported above.

Again, I'd urge the list operators at minimum to screen for and
sideline any multipart MIME containing base64 (or uuencode)
attachments. This is easily done using, among others, a procmail
front-end for the list.

-- 
-----------------------------------------------------------------
 Dan Wilder <[EMAIL PROTECTED]>   Technical Manager
 SSC, Inc. P.O. Box 55549   Phone:  206-782-8808
 Seattle, WA  98155-0549    URL http://www.linuxjournal.com/
-----------------------------------------------------------------
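
The screening suggested in the message above, as an added example that is not part of the original post and not the list's own configuration. It is a standalone Python filter rather than a procmail recipe; the function names, the subscriber address and the three sample messages are constructed for illustration. It shows a forged subscriber address passing the membership check while the attachment screen still holds the message.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# A uuencoded file starts with a line such as "begin 644 REG.exe".
UU_BEGIN = re.compile(rb"^begin [0-7]{3,4} \S", re.MULTILINE)

def sender_is_member(raw, members):
    """The return-address check described above: trusts the From header."""
    msg = message_from_bytes(raw, policy=policy.default)
    return parseaddr(str(msg.get("From", "")))[1].lower() in members

def sideline_reason(raw):
    """Return why a submission should be held for a moderator, or None."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if msg.is_multipart() and cte == "base64":
            name = part.get_filename() or part.get_content_type()
            return "base64 part in multipart message: " + name
        if UU_BEGIN.search(part.get_payload(decode=True) or b""):
            return "uuencoded attachment in message body"
    return None

def sample(body, attachment=None):
    """Build a constructed test message; address and contents are made up."""
    msg = EmailMessage()
    msg["From"] = "Subscriber <subscriber@example.org>"
    msg["Subject"] = "lpd question"
    msg.set_content(body)
    if attachment is not None:
        # Binary attachments are base64-encoded by the email library.
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="REG.exe")
    return msg.as_bytes()

MEMBERS = {"subscriber@example.org"}  # constructed subscriber list
FORGED = sample("see attachment\n", b"constructed placeholder bytes")
PLAIN = sample("Has anyone seen this lpd error?\n")
UUENCODED = sample("see below\n\nbegin 644 REG.exe\n#0V]N\n`\nend\n")

if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("plain", PLAIN), ("uu", UUENCODED)):
        print(label, sender_is_member(raw, MEMBERS), sideline_reason(raw))
```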
