Educause Security Discussion mailing list archives

Re: Novarg/MyDoom/MiMail observations


From: Michael_Maloney <Michael_Maloney () MIDDLESEXCC EDU>
Date: Thu, 29 Jan 2004 09:40:07 -0500

They must have updated their pages; on Tues and Wednesday it said it did not
go to .edu addresses, and was selecting addresses from .htm, .wab, .txt etc
files.

Mike

-----Original Message-----
From: Craig W. Drake
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: 1/28/04 5:03 PM
Subject: Re: [SECURITY] Novarg/MyDoom/MiMail observations

http://www.sarc.com/avcenter/venc/data/w32.novarg.a@mm.html


1) I don't see anything in the Symantec website that says that it does
not get sent to .edu addresses. There is a list of domain strings that
it avoids. .edu is not on the list.

2) They also specifically say that it prepends a set list of names to
any domain that it finds.




Craig W. Drake, MCSE
Windows Server Systems Administrator
Networking and Distributed Services
Northeastern Illinois University
Office: (773)442-4386
Fax: (773)442-4195
Email: C-Drake () neiu edu


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael_Maloney
Sent: Wednesday, January 28, 2004 3:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Novarg/MyDoom/MiMail observations

I've noticed a couple of things about this worm that don't coincide with
what is said by the AV vendors.

1) Symantec says that it does not get sent to .edu addresses. The 8100
and growing emails deleted by my server contradict that statement.

2) AV vendors are saying that the worm is grabbing addresses from .htm,
.wab, .txt, .php etc files from the infected system. While this may be
the case, the worm is also sending out emails to generic named addresses
(dave () domain edu, brenda () domain edu, john () domain edu). It appears
as if this worm is attempting to use a brute force technique to get to
addresses that don't appear on the infected PC.

Mike

********************************************
Mike Maloney
Sr. System Engineer
Middlesex County College
2600 Woodbridge Avenue
Edison, NJ 08818
Phone: 732-906-7754
Cell: 908-217-2086
Fax: 732-906-4266
Email: Michael_Maloney () middlesexcc edu
********************************************

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
