Educause Security Discussion mailing list archives

Re: Novarg/MyDoom/MiMail observations


From: Brian Davis <bdavis () VIRGINIA EDU>
Date: Wed, 28 Jan 2004 16:44:55 -0500

We have found both of these to be true at the University of Virginia as well.

At 4:13 PM -0500 1/28/04, Michael_Maloney wrote:
I've noticed a couple of things about this worm that don't coincide with
what is said by the AV vendors.

1)  Symantec says that it does not get sent to .edu addresses.  The 8100 and
growing emails deleted by my server contradict that statement.

2) AV vendors are saying that the worm is grabbing addresses from .htm,
.wab, .txt, .php etc files from the infected system.  While this may be the
case, the worm is also sending out emails to generic named addresses
(dave () domain edu, brenda () domain edu, john () domain edu). It appears as if this
worm is attempting to use a brute force technique to get to addresses that
don't appear on the infected PC.

Mike

--

Brian Davis                                      <mailto:bdavis () virginia edu>
IT Security & Policy Specialist       <http://www.itc.virginia.edu/security/>
Office of Information Technologies      <http://www.itc.virginia.edu/policy/>
University of Virginia, ITC-Cresap                        Phone  434.243.8707
Box 400217, Charlottesville, VA 22904-4217                Fax    434.924.3579

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
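
The second observation in the quoted message (mail sent to generic first-name addresses that do not exist) is something a mail administrator can check in their own reject logs. The sketch below is an added example, not part of the original thread: the Postfix-style log format, the sample lines, the name list beyond dave/brenda/john, the threshold and the function names are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample reject lines in an assumed Postfix-style format.
SAMPLE_LOG = """\
Jan 28 16:01:02 mx1 postfix/smtpd[411]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <dave@example.edu>: Recipient address rejected: User unknown; from=<a@example.com>
Jan 28 16:01:03 mx1 postfix/smtpd[411]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <brenda@example.edu>: Recipient address rejected: User unknown; from=<a@example.com>
Jan 28 16:01:04 mx1 postfix/smtpd[411]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <john@example.edu>: Recipient address rejected: User unknown; from=<a@example.com>
Jan 28 16:01:05 mx1 postfix/smtpd[411]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <Dave@example.edu>: Recipient address rejected: User unknown; from=<a@example.com>
Jan 28 16:02:10 mx1 postfix/smtpd[415]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <jsmith42@example.edu>: Recipient address rejected: User unknown; from=<b@example.com>
Jan 28 16:02:11 mx1 postfix/smtpd[415]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <john@example.edu>: Recipient address rejected: User unknown; from=<b@example.com>
"""

# dave, brenda and john come from the thread; the rest are assumed additions.
COMMON_NAMES = {"dave", "brenda", "john", "mary", "mike", "bob"}

# Client IP and rejected recipient of a "User unknown" RCPT rejection.
REJECT_RE = re.compile(
    r"RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 \S+ "
    r"<(?P<local>[^@>]+)@(?P<domain>[^>]+)>: .*User unknown"
)

def guessed_recipients(log_text, names=COMMON_NAMES):
    """Map client IP -> distinct nonexistent recipients whose local part
    is a bare common first name (case-insensitive)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m and m.group("local").lower() in names:
            rcpt = m.group("local").lower() + "@" + m.group("domain").lower()
            hits[m.group("ip")].add(rcpt)
    return hits

def probing_sources(log_text, threshold=3):
    """Client IPs that tried at least `threshold` distinct nonexistent
    common-name addresses, i.e. look like name guessing, not a typo."""
    hits = guessed_recipients(log_text)
    return sorted(ip for ip, rcpts in hits.items() if len(rcpts) >= threshold)

if __name__ == "__main__":
    for ip in probing_sources(SAMPLE_LOG):
        print(ip, sorted(guessed_recipients(SAMPLE_LOG)[ip]))
```

Counting distinct addresses per source, not raw rejects, keeps one repeatedly mistyped recipient from tripping the threshold.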
