Re: [idn] Nimda virus information
> ) for idn-data@psg.com; Tue, 06 Nov 2001 17:54:11 -0800
> ) Received: from [???.???.?.??] (helo=ALBERT)
Well, the IP address you replaced with ??? is where the infected
mail came from. It's just a Windows machine infected by Nimda
that happened to have the idn mailing list in its address book. My
guess is it's Yves' computer at home or somewhere, but in any case
the owner is an innocent victim like the rest of us.
(For those who don't know how Nimda works, once a computer
is infected, it automatically mails everyone in your address book
with infected messages.)
Bruce
----- Original Message -----
From: "YangWoo Ko" <newcat@spsoft.co.kr>
To: <idn@ops.ietf.org>
Sent: Thursday, November 08, 2001 11:59 AM
Subject: Re: [idn] Nimda virus information
> On Thu, Nov 08, 2001 at 11:28:27AM +0900, Bruce Thomson wrote:
> > >
> > > According to route information in the mail header, it was NOT originated
> > > from Yves but from somewhere else. Maybe the virus forges the sender field
> > > of the mail message.
> > >
> > Or possibly the virus has infected another computer Yves has used in
> > the past to post to this list. It should be possible to figure it out from the
> > mail headers, but I already deleted my copy of the infected mail.
>
> I attached the infected mail header. Please see where it started its journey.
> I overwrote the IP address with '?' to avoid unintended dispute.
>
> ) Date: Tue, 06 Nov 2001 17:54:03 -0800
> ) From owner-idn@ops.ietf.org Wed Nov 7 12:00:50 2001
> ) From: <yves@realnames.com>
> ) Subject: [idn] ip
> ) Return-Path: <owner-idn@ops.ietf.org>
> ) Received: from psg.com (psg.com [147.28.0.62])
> ) by nexus.spsoft.co.kr (8.10.0/8.10.0) with ESMTP id fA7301l01436
> ) for <newcat@spsoft.co.kr>; Wed, 7 Nov 2001 12:00:08 +0900
> ) Received: from lserv by psg.com with local (Exim 3.33 #1)
> ) id 161Hut-0003c9-00
> ) for idn-data@psg.com; Tue, 06 Nov 2001 17:54:11 -0800
> ) Received: from [???.???.?.??] (helo=ALBERT)
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> ) by psg.com with smtp (Exim 3.33 #1)
> ) id 161Hul-0003bw-00
> ) for idn@ops.ietf.org; Tue, 06 Nov 2001 17:54:03 -0800
> ) MIME-Version: 1.0
> ) Content-Type: multipart/related;
> ) type="multipart/alternative";
> ) boundary="====_ABC123456j7890DEF_===="
> ) X-Priority: 3
> ) X-MSMail-Priority: Normal
> ) X-Unsent: 1
> ) Message-Id: <E161Hul-0003bw-00@psg.com>
> ) Bcc:
> ) Sender: owner-idn@ops.ietf.org
> ) Precedence: bulk
>
> --
> /*------------------------------------------------
> YangWoo Ko : newcat@spsoft.co.kr
> We Invent Enterprise Software Solutions
> and Make You Secure & Powerful.
> ------------------------------------------------*/
>
>
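
As an added example (not part of the original thread), the header reading discussed above can be automated: each relay prepends its own Received line, so the oldest hop is the bottom one. The sample is constructed from the quoted headers, 192.0.2.10 is a documentation-range placeholder for the address redacted in the post, and `hops` and `origin` are hypothetical helper names.

```python
import re
from email import message_from_string

# Constructed sample modelled on the quoted headers; 192.0.2.10 is a
# documentation-range placeholder for the address redacted in the post.
SAMPLE = """\
From: <yves@realnames.com>
Subject: [idn] ip
Received: from psg.com (psg.com [147.28.0.62])
\tby nexus.spsoft.co.kr (8.10.0/8.10.0) with ESMTP id fA7301l01436
\tfor <newcat@spsoft.co.kr>; Wed, 7 Nov 2001 12:00:08 +0900
Received: from lserv by psg.com with local (Exim 3.33 #1)
\tid 161Hut-0003c9-00
\tfor idn-data@psg.com; Tue, 06 Nov 2001 17:54:11 -0800
Received: from [192.0.2.10] (helo=ALBERT)
\tby psg.com with smtp (Exim 3.33 #1)
\tid 161Hul-0003bw-00
\tfor idn@ops.ietf.org; Tue, 06 Nov 2001 17:54:03 -0800

body
"""

HOP = re.compile(
    r"from\s+(?P<src>\S+)"                 # claimed name or [ip] literal
    r"(?:\s+\((?P<info>[^)]*)\))?"         # optional parenthesised detail
    r"\s+by\s+(?P<by>\S+)", re.S)          # relay that wrote this line
IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hops(raw):
    """Return Received hops oldest-first (headers are prepended in transit)."""
    msg = message_from_string(raw)
    out = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())      # unfold continuation lines
        m = HOP.search(flat)
        if not m:
            continue
        ip = IP.search(m.group(0))
        helo = re.search(r"helo=(\S+)", m.group("info") or "")
        out.append({"by": m.group("by"), "src": m.group("src"),
                    "ip": ip.group(1) if ip else None,
                    "helo": helo.group(1) if helo else None})
    return out

def origin(raw):
    """First hop recorded by a relay: the host that injected the message."""
    chain = hops(raw)
    return chain[0] if chain else None
```

Only hops written by a relay you trust (here psg.com) are reliable; the From field and any Received lines below that point are supplied by the sender.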