[gentoo-dev] Virus

[gentoo-dev] Virus

[John Nilsson]

[-- Attachment #1: Type: text/plain, Size: 800 bytes --]

For five days now I have been receiving mails containing a virus called  
I-Worm.Swen

http://www.viruslist.com/eng/viruslist.html?id=88029

The mails come from diffrent ISPs allover the world so I figured that  
the virus probably got my mailadress as a result of a mailinglist.

The only list I am currently active on is this. While hard to believe  
the most logical conclusion is that some gentoo-dev subscribers has  
been infected.

The virus disables antivirus programs, and deletes all current and  
future traces of it self from the victims mailbox (it actually connects  
to the pop3 server to do this).

Most of you probably has spamfilters that would hide this mail from  
you, but shurley if it comes from gentoo-dev more people then I would  
get these mails.

/John

[-- Attachment #2: Type: application/pgp-signature, Size: 481 bytes --]

Re: [gentoo-dev] Virus

[Jeremy Maitin-Shepard]

John Nilsson <john@milsson.nu> writes:

[snip]

> The only list I am currently active on is this. While hard to believe  
> the most logical conclusion is that some gentoo-dev subscribers has  
> been infected.

[snip]

I would say that actually the most logical conclusion is that your
e-mail address was obtained from a web spider which found the web
interface to the portage CVS tree, or an archive of this mailing list.

-- 
Jeremy Maitin-Shepard

--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Virus

[John Nilsson]

[-- Attachment #1: Type: text/plain, Size: 340 bytes --]

> I would say that actually the most logical conclusion is that your
> e-mail address was obtained from a web spider which found the web
> interface to the portage CVS tree, or an archive of this mailing  
> list.

I should have said that the virus gets mailadresses from incoming mail  
to the infected victims pop3 account.

/John

[-- Attachment #2: Type: application/pgp-signature, Size: 481 bytes --]

Re: [gentoo-dev] Virus

[Jeremy Maitin-Shepard]

John Nilsson <john@milsson.nu> writes:

>> I would say that actually the most logical conclusion is that your
>> e-mail address was obtained from a web spider which found the web
>> interface to the portage CVS tree, or an archive of this mailing  
>> list.

> I should have said that the virus gets mailadresses from incoming mail  
> to the infected victims pop3 account.

I am not sure what you mean by this.  I would imagine that certain spam
spider software would attempt to find a related address to use as the
spoofed From address.

-- 
Jeremy Maitin-Shepard

--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Virus

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 1474 bytes --]

On Sun, Dec 14, 2003 at 06:57:16AM +0100, John Nilsson wrote:
> The virus disables antivirus programs, and deletes all current and  
> future traces of it self from the victims mailbox (it actually connects  
> to the pop3 server to do this).
Only on windows of course.

> The only list I am currently active on is this. While hard to believe  
> the most logical conclusion is that some gentoo-dev subscribers has  
> been infected.
You neglect the spread mechanism here. Given that the worm forges it's
source address to a random value, the ONLY requirement to recieve an
infected email from somebody is that they have have at some point
recieved an email from you (either directly or via some mailing list) in
the past, and they still have your email on their system.

> Most of you probably has spamfilters that would hide this mail from  
> you, but shurley if it comes from gentoo-dev more people then I would  
> get these mails.
Plenty of us get viral and other spam on a daily basis (for several
months now), and even bounce messages for other virii that forge our
addresses (even our @gentoo.org ones). Set up some filtering for
yourself I use qmail-scanner + spamassassin + procmail to handle all of
my stuff.

-- 
Robin Hugh Johnson
E-Mail     : robbat2@orbis-terrarum.net
Home Page  : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ#       : 30269588 or 41961639
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]

Re: [gentoo-dev] Virus

[Marc Hildebrand]

Robin H. Johnson wrote:

> Set up some filtering for
> yourself I use qmail-scanner + spamassassin + procmail to handle all of
> my stuff.

And I can add that I'm a happy, virus-free amavis-ng + f-prot user.
I highly recommend it.


--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Virus

[John Nilsson]

[-- Attachment #1: Type: text/plain, Size: 824 bytes --]

> > The only list I am currently active on is this. While hard to
> believe
> > the most logical conclusion is that some gentoo-dev subscribers has
> 
> > been infected.
> You neglect the spread mechanism here. Given that the worm forges  
> it's
> source address to a random value, the ONLY requirement to recieve an
> infected email from somebody is that they have have at some point
> recieved an email from you (either directly or via some mailing list)
> in
> the past, and they still have your email on their system.


Reading the virus description again I see that I missed a critival  
part. The virus does not use the victims smtp but rather one of 350  
diffrent servers around the world, thus this may very well come from  
the same host.


Im sorry about the superflous list traffic.

/John

[-- Attachment #2: Type: application/pgp-signature, Size: 481 bytes --]