Educause Security Discussion mailing list archives
Novarg/MyDoom/MiMail observations
From: Michael_Maloney <Michael_Maloney () MIDDLESEXCC EDU>
Date: Wed, 28 Jan 2004 16:13:38 -0500

I've noticed a couple of things about this worm that don't coincide with what is said by the AV vendors.

1) Symantec says that it does not get sent to .edu addresses. The 8100 and growing emails deleted by my server contradict that statement.

2) AV vendors are saying that the worm is grabbing addresses from .htm, .wab, .txt, .php etc files from the infected system. While this may be the case, the worm is also sending out emails to generic named addresses (dave () domain edu, brenda () domain edu, john () domain edu). It appears as if this worm is attempting to use a brute force technique to get to addresses that don't appear on the infected PC.

Mike

********************************************
Mike Maloney
Sr. System Engineer
Middlesex County College
2600 Woodbridge Avenue
Edison, NJ 08818
Phone: 732-906-7754
Cell: 908-217-2086
Fax: 732-906-4266
Email: Michael_Maloney () middlesexcc edu
********************************************

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.