Educause Security Discussion mailing list archives
Re: Novarg/MyDoom/MiMail observations
From: Michael_Maloney <Michael_Maloney () MIDDLESEXCC EDU>
Date: Thu, 29 Jan 2004 09:40:07 -0500
They must have updated their pages; on Tues and Wednesday it said it did not go to .edu addresses, and was selecting addresses from .htm, .wab, .txt etc files.

Mike

-----Original Message-----
From: Craig W. Drake
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: 1/28/04 5:03 PM
Subject: Re: [SECURITY] Novarg/MyDoom/MiMail observations

http://www.sarc.com/avcenter/venc/data/w32.novarg.a () mm html

1) I don't see anything in the Symantec website that says that it does not get sent to .edu addresses. There is a list of domain strings that it avoids. .edu is not on the list.

2) They also specifically say that it prepends a set list of names to any domain that it finds.

Craig W. Drake, MCSE
Windows Server Systems Administrator
Networking and Distributed Services
Northeastern Illinois University
Office: (773)442-4386
Fax: (773)442-4195
Email: C-Drake () neiu edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael_Maloney
Sent: Wednesday, January 28, 2004 3:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Novarg/MyDoom/MiMail observations

I've noticed a couple of things about this worm that don't coincide with what is said by the AV vendors.

1) Symantec says that it does not get sent to .edu addresses. The 8100 and growing emails deleted by my server contradict that statement.

2) AV vendors are saying that the worm is grabbing addresses from .htm, .wab, .txt, .php etc files from the infected system. While this may be the case, the worm is also sending out emails to generic named addresses (dave () domain edu, brenda () domain edu, john () domain edu). It appears as if this worm is attempting to use a brute force technique to get to addresses that don't appear on the infected PC.

Mike

********************************************
Mike Maloney
Sr. System Engineer
Middlesex County College
2600 Woodbridge Avenue
Edison, NJ 08818
Phone: 732-906-7754
Cell: 908-217-2086
Fax: 732-906-4266
Email: Michael_Maloney () middlesexcc edu
********************************************

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.