Educause Security Discussion mailing list archives
Re: Novarg/MyDoom/MiMail observations
From: Brian Davis <bdavis () VIRGINIA EDU>
Date: Wed, 28 Jan 2004 16:44:55 -0500
We have found both of these to be true at the University of Virginia as well.

At 4:13 PM -0500 1/28/04, Michael_Maloney wrote:

I've noticed a couple of things about this worm that don't coincide with what is said by the AV vendors.

1) Symantec says that it does not get sent to .edu addresses. The 8100 and growing emails deleted by my server contradict that statement.

2) AV vendors are saying that the worm is grabbing addresses from .htm, .wab, .txt, .php etc files from the infected system. While this may be the case, the worm is also sending out emails to generic named addresses (dave () domain edu, brenda () domain edu, john () domain edu). It appears as if this worm is attempting to use a brute force technique to get to addresses that don't appear on the infected PC.

Mike
--
Brian Davis <mailto:bdavis () virginia edu>
IT Security & Policy Specialist <http://www.itc.virginia.edu/security/>
Office of Information Technologies <http://www.itc.virginia.edu/policy/>
University of Virginia, ITC-Cresap
Phone 434.243.8707
Box 400217, Charlottesville, VA 22904-4217
Fax 434.924.3579

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
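Added example, not part of the original messages: a sketch of how a mail administrator could separate the name-guessing behaviour described in point 2 from ordinary mistyped addresses by grouping "unknown recipient" rejections per sending client. The log format, the name list beyond dave/brenda/john, and the thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in a hypothetical, simplified rejection-log format.
SAMPLE_LOG = """\
reject client=192.0.2.10 rcpt=dave@example.edu reason=user-unknown
reject client=192.0.2.10 rcpt=brenda@example.edu reason=user-unknown
reject client=192.0.2.10 rcpt=john@example.edu reason=user-unknown
reject client=192.0.2.10 rcpt=mary@example.edu reason=user-unknown
reject client=198.51.100.7 rcpt=jsmiht@example.edu reason=user-unknown
reject client=203.0.113.5 rcpt=dave@example.edu reason=user-unknown
reject client=203.0.113.5 rcpt=xk29q@example.edu reason=user-unknown
"""

# dave, brenda, john come from the message; the rest are assumed additions.
COMMON_NAMES = {"dave", "brenda", "john", "mary", "mike", "susan"}

LINE_RE = re.compile(
    r"reject client=(\S+) rcpt=([^@\s]+)@(\S+) reason=user-unknown"
)

def guessing_sources(log_text, min_distinct=3, min_ratio=0.6):
    """Return {(client_ip, domain): sorted name-like local parts} for clients
    whose rejected recipients at one domain look like a first-name dictionary.

    min_distinct: distinct common-name local parts required before flagging.
    min_ratio:    share of the client's rejected local parts that must be
                  common names, so one typo plus one name is not flagged.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            ip, local, domain = match.groups()
            seen[(ip, domain.lower())].add(local.lower())

    flagged = {}
    for key, local_parts in seen.items():
        hits = local_parts & COMMON_NAMES
        if len(hits) >= min_distinct and len(hits) / len(local_parts) >= min_ratio:
            flagged[key] = sorted(hits)
    return flagged

if __name__ == "__main__":
    for (ip, domain), names in guessing_sources(SAMPLE_LOG).items():
        print(f"{ip} guessed {len(names)} name-style addresses at {domain}: {names}")
```
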