Educause Security Discussion mailing list archives

Novarg/MyDoom/MiMail observations


From: Michael_Maloney <Michael_Maloney () MIDDLESEXCC EDU>
Date: Wed, 28 Jan 2004 16:13:38 -0500

I've noticed a couple of things about this worm that don't coincide with
what is said by the AV vendors.

1)  Symantec says that it does not get sent to .edu addresses.  The 8100 and
growing emails deleted by my server contradict that statement.

2) AV vendors are saying that the worm is grabbing addresses from .htm,
.wab, .txt, .php etc files from the infected system.  While this may be the
case, the worm is also sending out emails to generic named addresses
(dave () domain edu, brenda () domain edu, john () domain edu). It appears as if this
worm is attempting to use a brute force technique to get to addresses that
don't appear on the infected PC.

Mike

********************************************
Mike Maloney
Sr. System Engineer
Middlesex County College
2600 Woodbridge Avenue
Edison, NJ 08818
Phone: 732-906-7754
Cell: 908-217-2086
Fax: 732-906-4266
Email: Michael_Maloney () middlesexcc edu
********************************************

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
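
One way a mail administrator could check the second observation against their own reject logs, as an added example that is not part of the original post: per connecting host, it counts distinct common first names that were rejected as unknown recipients. The log format, name list, thresholds and addresses are all constructed for illustration, and the premise that guessed names show up as user-unknown rejects is an assumption.

```python
import re
from collections import defaultdict

# Hypothetical one-line-per-RCPT log format, constructed for this example.
LINE = re.compile(
    r"src=(?P<src>\S+) rcpt=(?P<local>[^@\s]+)@(?P<domain>\S+) result=(?P<result>\S+)")

# Small illustrative list; the post itself names dave, brenda and john.
GENERIC_NAMES = {"dave", "brenda", "john", "mary", "mike", "linda", "bob", "sue"}

# Constructed sample input (documentation-range IPs, example.edu domain).
SAMPLE_LOG = """\
src=198.51.100.7 rcpt=dave@example.edu result=user-unknown
src=198.51.100.7 rcpt=brenda@example.edu result=user-unknown
src=198.51.100.7 rcpt=john@example.edu result=user-unknown
src=198.51.100.7 rcpt=mary@example.edu result=accepted
src=198.51.100.7 rcpt=DAVE@example.edu result=user-unknown
src=203.0.113.20 rcpt=m.maloney@example.edu result=accepted
src=203.0.113.20 rcpt=oldstaff@example.edu result=user-unknown
src=192.0.2.44 rcpt=john@example.edu result=user-unknown
garbage line that does not parse
""".splitlines()

def guessing_sources(lines, names=GENERIC_NAMES, min_guesses=3, min_ratio=0.5):
    """Return {src: sorted guessed local parts} for hosts that look like name guessers."""
    tried = defaultdict(set)    # src -> every distinct local part it attempted
    guessed = defaultdict(set)  # src -> generic names rejected as unknown users
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # skip lines that are not RCPT records
        local = m["local"].lower()  # local parts compared case-insensitively
        tried[m["src"]].add(local)
        if m["result"] == "user-unknown" and local in names:
            guessed[m["src"]].add(local)
    flagged = {}
    for src, hits in guessed.items():
        # Require several distinct guessed names AND that they dominate the
        # host's attempts, so one stale address does not flag a normal sender.
        if len(hits) >= min_guesses and len(hits) / len(tried[src]) >= min_ratio:
            flagged[src] = sorted(hits)
    return flagged

if __name__ == "__main__":
    for src, hits in guessing_sources(SAMPLE_LOG).items():
        print(src, "guessed:", ", ".join(hits))
```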
