[thelist] Does my client have the MyDoom virus?

John C Bullas jcbullas at nildram.co.uk
Fri Jan 30 12:54:42 CST 2004

>Understood.  The odd thing is that, even if the headers were spoofed and the
>sender email was completely random, what are the odds that the random or
>spoofed sender address would be my client?
>The only scenario I could think of would be that a mutual acquaintance has
>the virus and it picked my client randomly as the sender from their address
>book.  Does that seem consistent with MyDoom?

Are they a big company with an "unmunged" presence? They might be
"harvested" then (see below).
One of my unmunged website-given email addresses has been ;(

Your clients are fools not to sit behind anti-virus......


he say....

Additionally, the worm contains strings, which it uses to randomly
generate, or guess, email addresses. These are prepended as user names
to harvested domain names:
    * sandra
    * linda
    * julie
    * jimmy
    * jerry
    * helen
    * debby
    * claudia
    * brenda
    * anna
    * alice
    * brent
    * adam
    * ted
    * fred
    * jack
    * bill
    * stan
    * smith
    * steve
    * matt
    * dave
    * dan
    * joe
    * jane
    * bob
    * robert
    * peter
    * tom
    * ray
    * mary
    * serg
    * brian
    * jim
    * maria
    * leo
    * jose
    * andrew
    * sam
    * george
    * david
    * kevin
    * mike
    * james
    * michael
    * john
    * alex

Finally the virus sends itself via SMTP - constructing messages using its 
own SMTP engine.
The worm guesses the recipient email server, prepending the target domain 
name with the following strings:
    * mx.
    * mail.
    * smtp.
    * mx1.
    * mxs.
    * mail1.
    * relay.
    * ns.
Use this signature to confirm infection and a detailed examination of the
unspoofable bit of the header [inside the brackets]
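
The two checks suggested above, as an added example that is not part of the original post: it tests whether the claimed sender's local part is one of the listed guessed names and pulls the bracketed peer IP from the topmost Received header. The function name `triage`, the sample message and its addresses are constructed, and the code assumes the topmost Received header was written by your own mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# User names the post lists as prepended to harvested domains.
GUESSED_NAMES = set("""
sandra linda julie jimmy jerry helen debby claudia brenda anna alice brent
adam ted fred jack bill stan smith steve matt dave dan joe jane bob robert
peter tom ray mary serg brian jim maria leo jose andrew sam george david
kevin mike james michael john alex
""".split())

# The receiving server records the connecting peer's address in brackets.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def triage(raw_message):
    """Return the claimed sender, whether its local part is a guessed name,
    and the peer IP recorded in the topmost Received header."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    local_part = sender.partition("@")[0].lower()
    received = msg.get_all("Received") or []
    # Only the hop written by our own server is trusted; lower Received
    # lines were supplied by the sending side and may be forged.
    match = BRACKETED_IP.search(received[0]) if received else None
    return {
        "claimed_sender": sender,
        "guessed_local_part": local_part in GUESSED_NAMES,
        "connecting_ip": match.group(1) if match else None,
    }

# Constructed sample: RFC 5737 documentation addresses, example domains.
SAMPLE = """\
Received: from client.example (unknown [203.0.113.45])
\tby mx.recipient.example with ESMTP; Fri, 30 Jan 2004 12:00:00 -0600
Received: from mail.client.example ([192.0.2.10]) by client.example
From: brenda@client.example
To: someone@recipient.example
Subject: test

body
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A guessed-name match is only a hint, since real users carry these names too; the connecting IP is what identifies the machine that actually sent the message.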

