Information Security News mailing list archives

Virus Borrows Internet Pioneer's Server To Spread


From: InfoSec News <isn () c4i org>
Date: Thu, 7 Mar 2002 02:45:50 -0600 (CST)

http://www.newsbytes.com/news/02/175003.html

By Brian McWilliams, Newsbytes
SAN FRANCISCO, CALIFORNIA, U.S.A.,
06 Mar 2002, 9:46 AM CST
 
A server operated by Internet pioneer John Gilmore is being used by a
new Internet worm to perform its mass-mailing routine, according to
virus researchers.

The server's domain, Toad.com, is one of 25 open mail relays that the
worm's unidentified author hard-coded into W32.Yaha, according to
analyses by anti-virus firms Symantec and Sophos.
 
While most of the open servers are located in China and Korea,
Toad.com is a system installed in Gilmore's home in San Francisco.

Besides co-founding the Electronic Frontier Foundation and the
Cypherpunks cryptography discussion list, Gilmore takes credit for
helping establish the "alt" Usenet discussion groups.

Last March, Gilmore's Internet service provider, Verio, threatened to
cut off his service unless he secured Toad.com so that it could not be
used by third parties to relay junk e-mail or "spam."

Since its discovery around Valentine's Day, Yaha, also known as
"Valscr," has wormed its way past Nimda, Hybris and Funlove to the
number eight position on the current list of virus threats tracked by
managed e-mail provider MessageLabs.

Symantec has assigned Yaha a level-2 risk rating. The worm arrives
with a subject line, "Melt the Heart of your Valentine with this
beautiful screen saver." It comes with an attachment named
"valentin.scr."

If executed, the attachment will install the worm and unleash its only
payload: mass-mailing copies of infected messages to addresses in the
Windows address book and e-mail addresses found in cached HTML files
on the victim's hard disk.

Gilmore, a life member of the Libertarian Party, has accused Verio of
censorship and said he configured the mail server to accept and
forward e-mail from anyone, in part so that friends could use it while
traveling around the world.

Gilmore was not immediately available for comment.

According to Gilmore's Web site, Verio agreed last August not to
terminate his service if he modified his mailer software to avoid
forwarding large quantities of e-mail from single addresses over short
periods of time.

Jay Dyson, a security consultant with California-based Treachery
Unlimited, confirmed that Toad.com remains "a wide-open relay."

According to Dyson, numerous methods exist for authenticating whether
users are authorized to relay mail through a server.

"I think Gilmore is being a stubborn old fool for leaving his mail
systems as open relays," he said.
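To make the relay decision concrete, here is an added example, not code from the article, from toad.com's mailer or from any of the firms quoted. It is a toy server-side SMTP state machine in Python that answers RCPT TO under the two policies the article contrasts: the wide-open one Gilmore describes (forward for anyone) and a restricted one that relays only for local recipients, a trusted network, or clients that pass SMTP AUTH, one of the authentication methods Dyson alludes to. It also models a per-sender sliding-window cap of the kind the article says Verio settled for. The domains, IP addresses, trusted network, account and limit values are all assumptions made for the example.

```python
# Added example (not code from the article or toad.com's mailer): a toy server-side SMTP
# state machine showing an open relay next to a restricted one plus a per-sender rate cap.
# Domains, addresses, networks, accounts and limit values below are assumptions.
import base64
import ipaddress
from collections import defaultdict, deque

LOCAL_DOMAINS = {"example.net"}                        # domains this host delivers for (assumed)
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # LAN allowed to relay without AUTH (assumed)
USERS = {"friend": "travel-pass"}                      # SMTP AUTH accounts (assumed)


class RateLimiter:
    """Sliding-window cap on relayed recipients per envelope sender (Verio's condition)."""

    def __init__(self, limit, window_s):
        self.limit, self.window = limit, window_s
        self.events = defaultdict(deque)

    def allow(self, sender, now):
        q = self.events[sender]
        while q and now - q[0] >= self.window:  # forget events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class SmtpRelay:
    """Server side of an SMTP session, reduced to the commands that decide relaying."""

    def __init__(self, client_ip, open_relay, limiter=None, now=0.0):
        self.client = ipaddress.ip_address(client_ip)
        self.open_relay, self.limiter, self.now = open_relay, limiter, now
        self.authed, self.sender = False, None

    def _may_relay(self):
        if self.open_relay:  # forward for anyone: the configuration the article describes
            return True
        return self.authed or any(self.client in net for net in TRUSTED_NETS)

    @staticmethod
    def _address(arg):  # "FROM:<user@host>" or "TO:<user@host>" -> "user@host"
        return arg.split(":", 1)[-1].strip(" <>").lower()

    def command(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 relay.example.net"
        if verb == "AUTH":  # only AUTH PLAIN is modelled: base64("\0user\0password")
            blob = arg.partition(" ")[2]
            try:
                _, user, password = base64.b64decode(blob).decode().split("\0")
            except ValueError:
                return "501 5.5.2 Cannot decode credentials"
            self.authed = USERS.get(user) == password
            return ("235 2.7.0 Authentication successful" if self.authed
                    else "535 5.7.8 Authentication credentials invalid")
        if verb == "MAIL":
            self.sender = self._address(arg)
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Need MAIL command"
            rcpt = self._address(arg)
            if rcpt.rpartition("@")[2] not in LOCAL_DOMAINS:  # not ours: relay decision
                if not self._may_relay():
                    return "554 5.7.1 Relay access denied"
                if self.limiter and not self.limiter.allow(self.sender, self.now):
                    return "452 4.5.3 Too many recipients from this sender"
            return "250 2.1.5 Recipient OK"
        return "500 5.5.1 Command unrecognized"


def worm_attempt(open_relay, limiter=None, n_rcpts=3):
    """Unauthenticated outside host mailing external recipients; returns the RCPT reply codes."""
    s = SmtpRelay("203.0.113.7", open_relay, limiter)
    s.command("HELO victim-pc")
    s.command("MAIL FROM:<victim@example.com>")
    return [s.command(f"RCPT TO:<target{i}@example.org>")[:3] for i in range(n_rcpts)]


def friend_attempt(open_relay, user, password):
    """Travelling user on a hotel network relaying via AUTH PLAIN; returns (AUTH code, RCPT code)."""
    s = SmtpRelay("198.51.100.9", open_relay)
    s.command("EHLO laptop")
    blob = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
    auth = s.command(f"AUTH PLAIN {blob}")[:3]
    s.command("MAIL FROM:<friend@example.net>")
    return auth, s.command("RCPT TO:<colleague@example.org>")[:3]


if __name__ == "__main__":
    print("open relay, worm:        ", worm_attempt(True))
    print("restricted relay, worm:  ", worm_attempt(False))
    print("open relay + cap, worm:  ", worm_attempt(True, RateLimiter(2, 60)))
    print("restricted, AUTH friend: ", friend_attempt(False, "friend", "travel-pass"))
```

Run stand-alone, the unauthenticated host gets 250 for every external recipient on the open relay and 554 5.7.1 on the restricted one, while the travelling user still relays once AUTH PLAIN succeeds; mail addressed to a domain in LOCAL_DOMAINS is accepted from anyone under either policy, so closing the relay does not stop inbound mail. With the cap in place the open relay only starts answering 452 after the limit is reached, and because the budget is keyed on the envelope sender, a client that varies MAIL FROM gets a fresh budget each time: a per-sender cap throttles a relay without closing it.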

Gilmore's home page is http://www.toad.com/gnu/

Symantec's description of Yaha is at
http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha@mm.html

Sophos's write-up is at
http://www.sophos.com/virusinfo/analyses/w32yahaa.html

The MessageLabs Threat List is at
http://www.messagelabs.com/viruseye/threatlist.asp



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
