Re: [vox] [OT] Anyone else getting hit with a deluge of virus emailbounces?

To: "LUGOD's general discussion mailing list" <vMAPSox@lists.lugod.org>
Subject: Re: [vox] [OT] Anyone else getting hit with a deluge of virus emailbounces?
From: Bill Kendrick <MAPSnbs@sonic.net>
Date: Tue, 11 Jan 2005 11:35:47 -0800
Delivered-to: lugod@livepenguin.com
Delivered-to: vox@livepenguin.com
In-reply-to: <Pine.LNX.4.58.0501111109280.1579@bolt.sonic.net>
List-archive: <http://ns1.livepenguin.com/pipermail/vox>
List-help: <mailto:vox-request@lists.lugod.org?subject=help>
List-id: LUGOD's general discussion mailing list <vox.lists.lugod.org>
List-post: <mailto:vox@lists.lugod.org>
List-subscribe: <http://lists.lugod.org/mailman/listinfo/vox>,<mailto:vox-request@lists.lugod.org?subject=subscribe>
List-unsubscribe: <http://lists.lugod.org/mailman/listinfo/vox>,<mailto:vox-request@lists.lugod.org?subject=unsubscribe>
Mail-followup-to: LUGOD's general discussion mailing list <vox@lists.lugod.org>
References: <20050111185909.GE31562@sonic.net><Pine.LNX.4.58.0501111109280.1579@bolt.sonic.net>
Reply-to: LUGOD's general discussion mailing list <vMAPSox@lists.lugod.org>
Sender: vox-boMAPSunces@lists.lugod.org
User-agent: Mutt/1.4.2i

On Tue, Jan 11, 2005 at 11:12:01AM -0800, Mark K. Kim wrote:
> I'm getting no more spams/virus/virus-reply than usual.  I'm guessing the
> virus is, once again, Outlook-related?  Most of my friends use
> Hotmail/Yahoo/MSN/Gmail.

I obviously didn't look at all of the bounce emails.
(In fact, I didn't look at ANY, except the subject lines.)

However, from the subject line of many of the "you sent a virus..." ones,
I gathered that I'm being indirectly hit by W32/Zafi-D, which is actually
a worm:

  http://www.sophos.com/virusinfo/analyses/w32zafid.html

Some snippets:

  W32/Zafi-D harvests email addresses from the Windows Address Book and
  from files found on the hard drive.

  W32/Zafi-D attempts to open files containing the following strings
  and keep them open so as to make them inaccessible to the user:
    reged, msconfig, task

  W32/Zafi-D copies itself to folders containing one of the following strings:
    share, upload, music 

It looks like it's a manually-activated worm (versus taking advantage of
some Outlook bug, for example), as the description doesn't mention Outlook
or Explorer, and it looks like the worm sends email messages pretending to
be holiday greeting postcards.

Pretty old-school means of propogating, really.

-bill!
bill@newbreedsoftware.com          April shower bring Kompressor power!
http://newbreedsoftware.com/
_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox

References:
- [vox] [OT] Anyone else getting hit with a deluge of virus emailbounces?
  - From: Bill Kendrick
- Re: [vox] [OT] Anyone else getting hit with a deluge of virus emailbounces?
  - From: Mark K. Kim

Prev by Date: Re: [vox] [OT] Anyone else getting hit with a deluge of virus emailbounces?
Next by Date: Re: [vox] [OT] Anyone else getting hit with a deluge of virus emailbounces?
Previous by thread: Re: [vox] [OT] Anyone else getting hit with a deluge of virus emailbounces?
Next by thread: Re: [vox] [OT] Anyone else getting hit with a deluge of virus emailbounces?
Index(es):
- Date
- Thread

LUGOD Group on LinkedIn

LUGOD Group on Facebook

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
1105 Kennedy Place, Suite 1, Davis, CA 95616
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.