[thelist] Does my client have the MyDoom virus?
John C Bullas
jcbullas at nildram.co.uk
Fri Jan 30 12:54:42 CST 2004
>
>Understood. The odd thing is that, even if the headers were spoofed and the
>sender email was completely random, what are the odds that the random or
>spoofed sender address would be my client?
>
>The only scenario I could think of would be that a mutual acquaintance has
>the virus and it picked my client randomly as the sender from their address
>book. Does that seem consistent with MyDoom?
Are they a big company with an "unmunged" presence? They might be "harvested" then (see below).
One of my unmunged website-given email addresses has been ;(
Your clients are fools not to sit behind anti-virus......
http://vil.nai.com/vil/content/v_100983.htm
he say....
Additionally, the worm contains strings, which it uses to randomly
generate, or guess, email addresses. These are prepended as user names
to harvested domain names:
* sandra
* linda
* julie
* jimmy
* jerry
* helen
* debby
* claudia
* brenda
* anna
* alice
* brent
* adam
* ted
* fred
* jack
* bill
* stan
* smith
* steve
* matt
* dave
* dan
* joe
* jane
* bob
* robert
* peter
* tom
* ray
* mary
* serg
* brian
* jim
* maria
* leo
* jose
* andrew
* sam
* george
* david
* kevin
* mike
* james
* michael
* john
* alex
Finally the virus sends itself via SMTP - constructing messages using its
own SMTP engine.
The worm guesses the recipient email server, prepending the target domain
name with the following strings:
* mx.
* mail.
* smtp.
* mx1.
* mxs.
* mail1.
* relay.
* ns.
Use this signature to confirm infection and a detailed examination of the
unspoofable bit of the header [inside the brackets]
FB
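
An added example, not part of the original post: one way to pull the bracketed connecting IP out of the Received header stamped by your own mail server, which is the part of the header a sender cannot forge. The sample message, host names and addresses are constructed placeholders, and `trusted_hop` is a hypothetical helper name.

```python
import re
from email import message_from_string

# Constructed sample (not from the thread): forged From, two Received hops.
# All names and addresses are documentation placeholders.
SAMPLE = """\
Received: from mail.example.net (host45.isp.example [203.0.113.45])
\tby mx.recipient.example with ESMTP id ABC123
\tfor <me@recipient.example>; Fri, 30 Jan 2004 12:40:01 -0600
Received: from client.example.com ([192.0.2.10])
\tby forged.relay.example with SMTP; Fri, 30 Jan 2004 12:39:00 -0600
From: someone@client.example.com
To: me@recipient.example
Subject: hi

body
"""

# "from <HELO name> (<optional reverse DNS> [<connecting IP>])"
FROM_RE = re.compile(
    r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def trusted_hop(raw_message, my_hosts):
    """Return the newest Received hop stamped by one of our own servers.

    Only a header written by a server we control can be relied on; anything
    below it was supplied by the sending side and may be forged.
    """
    mine = {h.lower() for h in my_hosts}
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):   # newest hop first
        line = " ".join(value.split())          # unfold continuation lines
        by = BY_RE.search(line)
        src = FROM_RE.search(line)
        if by and src and by.group(1).lower() in mine:
            helo, rdns, ip = src.groups()
            return {"helo": helo, "rdns": rdns, "ip": ip, "by": by.group(1)}
    return None


if __name__ == "__main__":
    print(trusted_hop(SAMPLE, {"mx.recipient.example"}))
```

The IP returned identifies the machine that actually handed the message to your server, regardless of what the From line or the lower Received headers claim.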