[tig] a word about a worm

Rob Lingelbach rob
Thu Jan 29 04:24:49 GMT 2004


this is in response to many messages i'm getting from tig
subscribers.  forgive my nonuse of caps but it is because
my typing speed is a lot faster if i don't use the caps key.

there was, as many of you know, a new worm released this week
that does a really good job of grabbing destination
addresses from the files of mail user agents of certain
operating systems and then manufacturing outgoing messages
from that machine to random and nonrandom, guessed
destination addresses, and for good measure including a copy
of its code, as an attachment.  details of this are
available on websites devoted to security and also on the
mainstream news sites.

in its current implementation this worm does not invade
colorist.org.  if you are in doubt about a received message
look closely at the headers to see from what host it came
and the Received: header can help.  the To: Cc: From: etc.
headers probably won't help because they are usually bogus.

there are viruses that will resend old messages from an
infected computer's mail folders (said computer running the
convenient operating system and mail transport agent/user
agent easiest to infect) and some of these will
appear to be from the tig because they will have [Tig] in
the Subject: header, but a closer look will reveal they were
resent from a different (infected) machine.  another clue is
that the subject tag [Tig] went out of use a while ago, we
use [tig] now, though if these 'remail' viruses are around
long enough they will catch up to the messages with [tig]
and start resending those.  to reiterate, these are not
coming from the tig host but from an infected machine
somewhere.

the level of garbage into the tig from the new worm has
increased something like 10 times over what it was a few
days ago, and amazingly enough it looks like the current
worm is eclipsing in volume the spam level, which translates
to like (for me) many hundreds of messages to try to handle.
blocking them or filtering them out isn't that difficult,
but the load at the tcp-ip port level is a concern.

regards
--Rob

Rob Lingelbach
tig founder, unix system administrator
http://www.colorist.org
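The header check described in the post above (trust the Received: chain rather than From:/To:/Cc:, and treat the retired [Tig] subject tag as a clue that a message was resent from an infected machine) as an added Python example; this is not code from the original post or from the tig. It assumes the list host's name ends in colorist.org (the domain in the signature); the two sample messages, hostnames and addresses are constructed, and the function names are my own.

```python
import re
from email import message_from_string
from email.policy import default

LIST_HOST = "colorist.org"   # assumed: list mail is handed off by a host in this domain
CURRENT_TAG = "[tig]"        # tag the post says is in use now
OLD_TAG = "[Tig]"            # retired tag; seen on worm-resent copies of old messages

# Constructed sample 1: a genuine list message. Topmost Received: is the
# newest hop; the second hop shows the list host relaying it ("by lists.colorist.org").
LEGIT_SAMPLE = """\
Received: from lists.colorist.org (lists.colorist.org [192.0.2.10])
    by mx.example.net with ESMTP id 1Alpha; Thu, 29 Jan 2004 04:24:49 +0000
Received: from workstation.example.com (workstation.example.com [203.0.113.5])
    by lists.colorist.org with SMTP id 2Beta; Thu, 29 Jan 2004 04:24:40 +0000
From: member@example.com
To: tig@colorist.org
Subject: [tig] a word about a worm

body text
"""

# Constructed sample 2: a message forged by an infected machine. From: claims
# the list, the subject carries the old tag, but no hop goes through the list host.
RESENT_SAMPLE = """\
Received: from dsl-pool-77.example-isp.net ([198.51.100.77])
    by mx.example.net with SMTP id 3Gamma; Thu, 29 Jan 2004 05:01:12 +0000
From: tig@colorist.org
To: subscriber@example.net
Subject: [Tig] re: old thread

body text
"""


def received_hops(raw):
    """Return (from_host, by_host) for each Received: header, newest first."""
    msg = message_from_string(raw, policy=default)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold and normalise whitespace
        m_from = re.search(r"\bfrom\s+(\S+)", flat)
        m_by = re.search(r"\bby\s+(\S+)", flat)
        hops.append((m_from.group(1) if m_from else None,
                     m_by.group(1) if m_by else None))
    return hops


def _is_list_host(host):
    host = host.lower()
    return host == LIST_HOST or host.endswith("." + LIST_HOST)


def assess(raw):
    """Judge a message by its Received: chain and subject tag, not by From:/To:."""
    msg = message_from_string(raw, policy=default)
    hops = received_hops(raw)
    relayed_by_list = any(by and _is_list_host(by) for _, by in hops)
    subject = msg.get("Subject", "")
    findings = []
    if not relayed_by_list:
        findings.append("no Received: hop handled by the list host; From:/To: cannot be trusted")
    if OLD_TAG in subject and CURRENT_TAG not in subject:
        findings.append("subject carries the retired [Tig] tag")
    # The oldest hop (last header) is where the message entered the mail system.
    origin = hops[-1][0] if hops else None
    return {"origin": origin, "relayed_by_list": relayed_by_list, "findings": findings}


if __name__ == "__main__":
    for name, sample in (("legit", LEGIT_SAMPLE), ("resent", RESENT_SAMPLE)):
        print(name, assess(sample))
```

The origin reported for the forged sample is the infected machine's own hostname, which is what the post means by looking at "from what host it came"; a real mail header list can be longer, but the rule is the same: a message that never passed "by" the list host was not sent by the list, whatever its From: line says.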
