Re: WARNING: Worm (?) sending from root@microsoft.com to *@anon.lcs.mit.ed

2001-02-08 Thread Roger Merchberger

On or about 06:18 PM 2/8/01 -0700, Sean Reifschneider was caught in a dark
alley speaking these words:
>On Thu, Feb 08, 2001 at 05:02:06PM -0800, Aaron L. Meehan wrote:
>>I'm pretty sure this is the work of the W95.Hybrid email worm (the
>>sexyfun.net one), sending copies of itself to the mail2news gateway
>
>What triggered the sudden hit then?  sexyfun has been around for
>quite a while and the mail servers have kept up pretty well.  This
>one is really pounding it though.

I think part of its ability to download updates makes changes to the worm,
to the point where you may be seeing a new variant of it. I've seen *2*
variants of this so far - one from "sexyfun" and the badly misspelled
story, and one with no story or faked sender - only an empty sender, but
otherwise the same virus.

This critter hasn't taken down our qmail server (mark 1 for the good guys)
despite its being an antique (relatively speaking) - Cyrix P166(ish) / 4G
IDE / 128M RAM, although I was receiving nearly 1000 double-bounces per day
from the damnable thing. Tracking who has it isn't exactly easy, either...
however, if there are any dial-up sysadmins out there who could use a tip,
this has helped me out considerably:

In Win9x, under the network control panel, setting the "Host:" setting
under DNS to the username of the person will make that username show up in
the (HELO x) string in qmail's main Received: header. We have had our
customers set this since day 1, and this has helped me immensely in
tracking the infected person.

That and, if you have separate qmail & authentication servers, make sure
they're both updated at least once per day against an atomic time clock. Servers
that are 5 min. off make it a real bugger to figure out who was online when...

Anywho, I hope this helps someone out there -- it's the least I can do to
try to repay the help I've received on this list over the last 6 years... :-)

Thanks,
Roger "Merch" Merchberger
=
Roger "Merch" Merchberger -- [EMAIL PROTECTED]
SysAdmin - Iceberg Computers
=  Merch's Wild Wisdom of the Moment:  =
Sometimes you know, you just don't know sometimes, you know?
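As an added example (mine, not from Roger's post or the qmail project), here is a Python script that applies the tip above: it pulls the HELO name and client IP out of the Received: header that qmail-smtpd writes and tallies the double-bounces per machine. The message texts are constructed samples; the host names and addresses in them are made up.

```python
import re
from collections import Counter

# qmail-smtpd writes:  Received: from <rdns|unknown> (HELO <name>) (<ip>)
#   by <host> with SMTP; <date>.  On Win9x the HELO name is the "Host:"
# value from the DNS tab, so with the tip above it names the dial-up user.
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]*)\)\s+\((?P<ip>[0-9.]+)\)"
    r"\s+by\s+(?P<by>\S+)\s+with\s+SMTP;\s+(?P<date>.+)"
)

def parse_qmail_received(header):
    """Fields of one unfolded qmail Received: header, else None (other MTA)."""
    value = header.split(":", 1)[1]
    m = RECEIVED_RE.search(" ".join(value.split()))
    return m.groupdict() if m else None

def first_received(message):
    """First Received: header (the one our own qmail-smtpd added), unfolded."""
    unfolded = []
    for line in message.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    return next((h for h in unfolded if h.lower().startswith("received:")), None)

def tally_by_helo(messages):
    """Count messages per (HELO name, client IP): the customers to phone."""
    counts = Counter()
    for msg in messages:
        hdr = first_received(msg)
        fields = parse_qmail_received(hdr) if hdr else None
        if fields:
            counts[(fields["helo"], fields["ip"])] += 1
    return counts

# Constructed sample double-bounces (made-up names, documentation IP ranges).
SAMPLE = [
    "Received: from unknown (HELO jsmith) (192.0.2.17)\n"
    "  by mail.example.net with SMTP; 8 Feb 2001 23:51:02 -0000\n\nbody\n",
    "Received: from unknown (HELO jsmith) (192.0.2.17)\n"
    "  by mail.example.net with SMTP; 9 Feb 2001 00:12:40 -0000\n\nbody\n",
    "Received: from dial-8.example.net (HELO bobw) (198.51.100.8)\n"
    "  by mail.example.net with SMTP; 9 Feb 2001 01:03:11 -0000\n\nbody\n",
]

if __name__ == "__main__":
    for (helo, ip), n in tally_by_helo(SAMPLE).most_common():
        print(f"{n:5d}  {helo:<12} {ip}")
```

Run it over the messages in the double-bounce queue (or a trap maildir) instead of SAMPLE; the top of the list is the machine still sending.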



Re: WARNING: Worm (?) sending from root@microsoft.com to *@anon.lcs.mit.ed

2001-02-08 Thread Sean Reifschneider

On Thu, Feb 08, 2001 at 05:02:06PM -0800, Aaron L. Meehan wrote:
>I'm pretty sure this is the work of the W95.Hybrid email worm (the
>sexyfun.net one), sending copies of itself to the mail2news gateway

What triggered the sudden hit then?  sexyfun has been around for
quite a while and the mail servers have kept up pretty well.  This
one is really pounding it though.

Sean
-- 
 Blaming the software quality on the tool is like saying "I can't pick up
 chicks because my car isn't cool enough."  -- Sean Reifschneider, 1998
Sean Reifschneider, Inimitably Superfluous <[EMAIL PROTECTED]>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python



Re: WARNING: Worm (?) sending from root@microsoft.com to *@anon.lcs.mit.ed

2001-02-08 Thread Ricardo Cerqueira

On Thu, Feb 08, 2001 at 05:51:40PM -0700, Sean Reifschneider wrote:
> Anyone else seeing thousands of messages filling up your queue, apparently
> from "[EMAIL PROTECTED]" to addresses such as:
>
>[EMAIL PROTECTED]

Yep, I've seen that one, but didn't pay much attention to it...
I thought it was some wise-ass customer fooling around. Apparently... it
isn't.

RC

-- 
+---
| Ricardo Cerqueira  
| PGP Key fingerprint  -  B7 05 13 CE 48 0A BF 1E  87 21 83 DB 28 DE 03 42 
| Novis Telecom  -  Engenharia ISP / Rede Técnica 
| Pç. Duque Saldanha, 1, 7º E / 1050-094 Lisboa / Portugal
| Tel: +351 2 1010  - Fax: +351 2 1010 4459



Re: WARNING: Worm (?) sending from root@microsoft.com to *@anon.lcs.mit.ed

2001-02-08 Thread Aaron L. Meehan

Quoting Sean Reifschneider ([EMAIL PROTECTED]):
> Anyone else seeing thousands of messages filling up your queue, apparently
> from "[EMAIL PROTECTED]" to addresses such as:
> 
>[EMAIL PROTECTED]

I'm pretty sure this is the work of the W95.Hybrid email worm (the
sexyfun.net one), sending copies of itself to the mail2news gateway
for distribution to news servers worldwide, so that other infected
computers can download new plugins.  That sure is a nasty bugger.

One or more of your users is undoubtedly infected with the
worm--plenty of ours are, I'm sorry to say.

It would seem that when it was discovered that worm authors intended
to use them for worm distribution, the administrators of that gateway
shut it down.  One point to the miscreants.

Aaron




WARNING: Worm (?) sending from root@microsoft.com to *@anon.lcs.mit.ed

2001-02-08 Thread Sean Reifschneider

Anyone else seeing thousands of messages filling up your queue, apparently
from "[EMAIL PROTECTED]" to addresses such as:

   [EMAIL PROTECTED]

Looks like this has started within the hour.  Looks like one of our
clients got hit with about 6000 of them, and they're still coming
in.

We're currently just trapping them by setting up anon.lcs.mit.edu in
virtualdomains and directing that to a maildir:

   echo anon.lcs.mit.edu:virustrap >>/var/qmail/control/virtualdomains
   # virtualdomains rewrites x@anon.lcs.mit.edu to virustrap-x, so the
   # catch-all .qmail file needs the -default suffix to match every address
   echo '/path/to/maildir/' >~alias/.qmail-virustrap-default
   maildirmake /path/to/maildir
   killall -HUP qmail-send

It seems like putting "[EMAIL PROTECTED]" in badmailfrom may prevent it
from hitting your box's resources, but we have tons of resources and
would like to check it out a bit.

The message is around 80 lines of 70 column upper-case text, something like:

   Subject: i_rz [NZM zmPaLazCnSTOnermbGneLqrmDGbenCfWrCrSXSTiI

   GYEPBZDWDNIOFPKVGXPSHSGSFRBVIUNTEBFSDRKTEVLNGCCUKCKCOTCXZNPBFWGBOZ
   EZGZMMLYBQGVNQGBGPOXFNONKMDTBMZQHNPVCTLCBTHXGWDSESBWDMZWHOMRNPKUEC
   FSOVFVZSDRFNOWHYMZFUDZBUJYJVIMNSDVJYGWFSCMGNDUEBPBDCFUZMMZPVCQMOEM
   [...]

Sean
-- 
 Tragedy is when I cut my finger.  Comedy is when you fall into an open
 sewer and die.  -- Mel Brooks
Sean Reifschneider, Inimitably Superfluous <[EMAIL PROTECTED]>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
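An added example (mine, not from Sean's post or the qmail project): a heuristic that recognises the message shape described above, so copies landing in the virustrap maildir can be counted without a signature. The thresholds are my assumptions; the sample messages are constructed.

```python
import os
import random
import re

UPPER_LINE = re.compile(r"^[A-Z]+$")

def worm_body_stats(message, min_len=60):
    """(long upper-case lines, non-blank lines) in the body of a message.
    A long upper-case line is made only of A-Z and is at least min_len wide."""
    body = message.split("\n\n", 1)[1] if "\n\n" in message else ""
    lines = [l.rstrip("\r") for l in body.splitlines() if l.strip()]
    upper = sum(1 for l in lines if len(l) >= min_len and UPPER_LINE.match(l))
    return upper, len(lines)

def looks_like_worm_copy(message, min_lines=40, min_ratio=0.9):
    """True when the body is the shape Sean describes: dozens of wide,
    all-capitals lines making up nearly the whole message."""
    upper, total = worm_body_stats(message)
    return total > 0 and upper >= min_lines and upper / total >= min_ratio

def scan_maildir(path):
    """Count (worm copies, other messages) in a Maildir such as the virustrap
    one above; a missing directory simply counts as empty."""
    worm = other = 0
    for sub in ("new", "cur"):
        d = os.path.join(path, sub)
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            with open(os.path.join(d, name), encoding="latin-1", errors="replace") as fh:
                if looks_like_worm_copy(fh.read()):
                    worm += 1
                else:
                    other += 1
    return worm, other

# Constructed samples: a body of 80 random 70-column upper-case lines (the
# shape quoted above, letters chosen by a seeded RNG) and an ordinary note.
_rng = random.Random(2001)
WORM_MSG = ("From: root@microsoft.com\nTo: x@anon.lcs.mit.edu\nSubject: i_rz\n\n"
            + "\n".join("".join(_rng.choice("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
                                for _ in range(70)) for _ in range(80)) + "\n")
NORMAL_MSG = "From: a@example.net\nSubject: hi\n\nHELLO THERE,\nJust checking in.\n"

if __name__ == "__main__":
    print(looks_like_worm_copy(WORM_MSG), looks_like_worm_copy(NORMAL_MSG))
```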