[thelist] A short worm story

George Dillon evolt at georgedillon.com
Wed Jul 11 15:33:29 CDT 2001


OK so these alerts are not really good form, but this little story is
directly related to this list, so please forgive a momentary lapse.  At
least this is a real (and informed) account and not some wild scare-story.

A Short Worm Story

On Monday my 'with attachments' folder turned bold, so after disconnecting I
peeked in the folder and saw a new message from Hahaha with the subject
'Snowhite and the Seven Dwarfs - The REAL story!'   "Yummy!" I thought,
"a nice juicy worm!" and I was right - a scan showed it contained W95.Hybris
http://www.symantec.com/avcenter/venc/data/w95.hybris.gen.html
but who was it from?

The nasty had arrived at the address I use for evolt mail, so that narrowed
the field to about 2,000 suspects.  The from line was of course forged (heck
I've even received one from MYSELF before now, as some of you may recall)
however a peek at the message source revealed (in the Received: from line) a
single name (which I won't reveal to save them embarrassment).  A search
through recent evolt digests showed a recent post from someone of the same
name, who joined my eventual short-list of 4 suspected sources.

Meanwhile copy #2 had arrived at my regular in-box with a different name in
the Received from: line... this was (and remains) ODD!

So a very polite "Excuse me but I think you have a problem and need this
URL" type message went out to the 4, but before sending it I created a new
account with a new alias ... and sure enough, the third copy of the worm I
received arrived at my new Hybris inbox, confirming that someone on my short
list of 4 was the source of at least 2 out of 3 instances.

Happily they took my warning in good faith and replied thusly:

"YOU ARE RIGHT!!!!!!!!!!!!!!! ... but I am curious...what did you originally
send me and what did I email you earlier...."

And here is where this story concerns us all... I replied:

"Nothing at all... the first message came to me @ my evolt address... which
raises the horrible prospect (as far as you're concerned) that you may have
been sending this virus directly to others (possibly all those) who have
recently contributed to the evolt list.

In which case... stay calm, people are generally understanding, and the list
servers would block the virus reaching the WHOLE list.

If you wish I can put an alert on the list on your behalf (although
generally they are not appreciated)."

So that's what this is... a heads up identifying a worm that is at large and
may be coming to you soon (or have come to you recently) with a URL for more
info.

While I'm at it, and for no reason other than the scrutiny of my peers (and
mostly betters on this list) will help me improve it - I'd welcome comments
on the CONTENT of the following 3 pages on my site.  [No site critiques
please - I'm not ready for 'em yet ;) ]

Basic Online Security:
http://www.georgedillon.com/web/online_security.shtml

Netiquette:
http://www.georgedillon.com/web/netiquette.shtml

HTML Email is Evil:
http://www.georgedillon.com/web/html_email_is_evil.shtml

Please send comments (or suggestions) to:

evoltfeedback at georgedillon.com

HTH

George Dillon
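
Added example, not part of the original post: a minimal Python sketch of the two checks described above, reading the Received: line stamped by your own mail server instead of the forged From line, and using a per-purpose alias to narrow the list of possible senders. The sample message, host names, addresses and the alias book are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: every host, address and id here is invented.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mail.recipient.example with ESMTP id A1; Mon, 9 Jul 2001 10:02:11 +0100
Received: from jsmith-pc (dialup-17.isp.example [198.51.100.17])
\tby mx.recipient.example with SMTP id B2; Mon, 9 Jul 2001 10:02:05 +0100
From: Hahaha <hahaha@forged.example>
To: hybris-alias@recipient.example
Subject: Snowhite and the Seven Dwarfs - The REAL story!

(body and attachment omitted)
"""
# Constructed alias book: which correspondents were ever given each alias.
ALIAS_BOOK = {"hybris-alias@recipient.example": ["suspect1", "suspect2", "suspect3", "suspect4"]}

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)\s+by\s+(\S+)")

def received_hops(raw):
    """Return the Received hops oldest-first as dicts (helo, rdns, ip, by)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append(dict(zip(("helo", "rdns", "ip", "by"), m.groups())))
    return hops

def trace(raw, trusted_mx, alias_book):
    """Report what our own MX recorded about the sender, plus who knew the alias."""
    msg = message_from_string(raw)
    # Only the header added by a server we control is reliable; older
    # Received lines, like From, are supplied by the sending side.
    hop = next((h for h in received_hops(raw) if h["by"] == trusted_mx), None)
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    return {
        "claimed_from": parseaddr(msg.get("From", ""))[1],
        "sender_helo": hop and hop["helo"],
        "sender_ip": hop and hop["ip"],
        "alias_given_to": alias_book.get(rcpt, []),
    }

if __name__ == "__main__":
    print(trace(SAMPLE, "mx.recipient.example", ALIAS_BOOK))
```

The HELO name is whatever the sending machine chose to announce (often the PC's own name, as in the story), so treat it as a hint and rely on the IP address your server recorded.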




