Fw: Viruses being transported with Cygwin messages

Elfyn McBratney emcb_exposure@hotmail.com
Sun Oct 13 17:41:00 GMT 2002


I didn't mean that. I meant how it came through the system (mailing list)...
:) I was looking at the headers sent by e-mails from me and it's all plain
text, no MIME encoded blocks for attached stuff...

Elfyn

> ----- Original Message -----
> From: Randall R Schulz <rrschulz@cris.com>
> To: Elfyn McBratney <emcb_exposure@hotmail.com>
> Cc: <cygwin@cygwin.com>
> Sent: Monday, October 14, 2002 12:50 AM
> Subject: Re: Viruses being transported with Cygwin messages
>
>
> > Elfyn,
> >
> > Let me be clear that I'm not accusing you (or Gareth or Chris F.) of
> > anything here. As others have pointed out, these worms are clever about
> > coming up with addresses both for the apparent "From:" address and the next
> > ply of intended victim recipients.
> >
> > Here are the routing headers from the message _ostensibly_ from you:
> >
> > Return-Path: <elfyn@mail.utexas.edu>
> > Received: from mail18.svr.pol.co.uk (mail18.svr.pol.co.uk [195.92.67.23])
> >          by morse.concentric.net [Concentric SMTP MX 1.0]
> >          id g9DJ7ih10880; Sun, 13 Oct 2002 15:07:44 -0400 (EDT)
> >          [1-800-745-2747 The Concentric Network]
> > Errors-To: <elfyn@mail.utexas.edu>
> > Received: from modem-2289.chimpanzee.dialup.pol.co.uk ([217.134.120.241] helo=mcb-home)
> >          by mail18.svr.pol.co.uk with smtp (Exim 3.35 #1)
> >          id 180nmm-0007hQ-00; Sun, 13 Oct 2002 19:48:20 +0100
> > From: "Elfyn McBratney" <elfyn@mail.utexas.edu>
> >
> >
> > As you can see, although it claims (suggests? "From:" headers are
> > distinctly non-authoritative) you're at UT Austin, the message itself did
> > not originate or traverse any servers there. Nor does Hotmail appear in the
> > SMTP server-supplied forwarding header. (Concentric is my ISP.)
> >
> > As I understand these worms, they use other users' address books (are they
> > called "Contact Lists" in Outlook and Outlook Express?) to come up with
> > both fraudulent "From:" addresses and recipients. Win32.Bugbear@mm uses
> > registry data to propagate, too.
> >
> > Randall Schulz
> > Mountain View, CA USA
> >
> >
> > Here's the full text of the message I received (attachment graciously
> > elided--in fact, I delete them as soon as I confirm my hunch that they're
> > worms):
> >
> > -==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-
> > Return-Path: <elfyn@mail.utexas.edu>
> > Received: from mail18.svr.pol.co.uk (mail18.svr.pol.co.uk [195.92.67.23])
> >          by morse.concentric.net [Concentric SMTP MX 1.0]
> >          id g9DJ7ih10880; Sun, 13 Oct 2002 15:07:44 -0400 (EDT)
> >          [1-800-745-2747 The Concentric Network]
> > Errors-To: <elfyn@mail.utexas.edu>
> > Received: from modem-2289.chimpanzee.dialup.pol.co.uk ([217.134.120.241] helo=mcb-home)
> >          by mail18.svr.pol.co.uk with smtp (Exim 3.35 #1)
> >          id 180nmm-0007hQ-00; Sun, 13 Oct 2002 19:48:20 +0100
> > From: "Elfyn McBratney" <elfyn@mail.utexas.edu>
> > Subject:  Re: Need your Mac OS 8 support plan...
> > MIME-Version: 1.0
> > Content-Type: multipart/alternative; boundary="----------ISQROT15KBZQSTO"
> > Message-Id: <E180nmm-0007hQ-00.2002-10-13-19-48-20@mail18.svr.pol.co.uk>
> > Bcc:
> > Date: Sun, 13 Oct 2002 19:48:20 +0100
> >
> > Content-Type: text/html;
> >
> > That is really not fare :(
> >
> > Do you know when we'll get a time-indexed beta-sp ???
> >
> > ----- Original Message -----
> > From: Michael Aumeerally
> > To:
> > Sent: Sunday, August 25, 2002 9:52 PM
> > Subject: Re: Need your Mac OS 8 support plan...
> >
> >
> >  > > Just wanted to beg you to bring in Mac OS 8 if your on your travels
> >  > towards the office :)...
> >  >
> >  > I may come in Wednesday evening, depending on how the week unfolds...
> >  >
> > <file://D:\Attachments\connexionscard-pass.txt.scr>[]
> > connexionscard-pass.txt.scr
> > -==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-
> >
> >
> > At 16:33 2002-10-13, Elfyn McBratney wrote:
> > >I for one would like to know how that happened. If it's from hotmail then fair
> > >do's, sorry. If it was from elfyn@exposure.org.uk that's impossible because
> > >all I can send through my mailgate is .txt or tars/gz's files...even then
> > >all archives are extracted/scanned.
> > >
> > >What month???
> > >
> > >Elfyn
> > >
> > >----- Original Message -----
> > >From: Randall R Schulz <rrschulz@cris.com>
> > >To: <cygwin@cygwin.com>
> > >Sent: Sunday, October 13, 2002 11:03 PM
> > >Subject: Re: Viruses being transported with Cygwin messages
> > >
> > >
> > > > Hi,
> > > >
> > > > It might help to know this is the "W32.Bugbear@mm" worm. It has been
> > > > spreading a lot lately. In today's batch I received 3 copies under
> > > > different names (supposedly from Christopher Faylor, Gareth Pearce and
> > > > Elfyn McBratney), each with different contents and different attachment
> > > > names.
> > > >
> > > > Here's what Symantec has to say about this worm:
> > > > <http://www.sarc.com/avcenter/venc/data/w32.bugbear@mm.html>
> > > >
> > > > Randall Schulz
> > > > Mountain View, CA USA
> >
>
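
The header check walked through in the quoted reply, as an added example that is not part of the original messages: it parses the `Received:` chain and reports whether the domains suggested by the "From:" address (or by Hotmail) appear anywhere on the route. The header text is an excerpt of what is quoted above with the wrapped lines re-joined; the function names are this example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Excerpt of the routing headers quoted in the thread (folded lines re-joined).
RAW = """\
Return-Path: <elfyn@mail.utexas.edu>
Received: from mail18.svr.pol.co.uk (mail18.svr.pol.co.uk [195.92.67.23])
         by morse.concentric.net [Concentric SMTP MX 1.0]
         id g9DJ7ih10880; Sun, 13 Oct 2002 15:07:44 -0400 (EDT)
Received: from modem-2289.chimpanzee.dialup.pol.co.uk ([217.134.120.241]
         helo=mcb-home)
         by mail18.svr.pol.co.uk with smtp (Exim 3.35 #1)
         id 180nmm-0007hQ-00; Sun, 13 Oct 2002 19:48:20 +0100
From: "Elfyn McBratney" <elfyn@mail.utexas.edu>

"""

HOP = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_chain(raw):
    """Return hops newest-first as (sending_host, sending_ip, receiving_host)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # undo RFC 2822 header folding
        m = HOP.search(flat)
        if m:
            ip = IPV4.search(m.group(2))
            hops.append((m.group(1).lower(),
                         ip.group(1) if ip else None,
                         m.group(3).lower()))
    return hops

def claimed_domain(raw):
    """Domain part of the (non-authoritative) From: header."""
    addr = parseaddr(message_from_string(raw)["From"])[1]
    return addr.rpartition("@")[2].lower()

def domains_on_route(raw, domains):
    """Map each domain to True if any relay host on the route belongs to it."""
    hosts = {h for frm, _ip, by in relay_chain(raw) for h in (frm, by)}
    return {d: any(h == d or h.endswith("." + d) for h in hosts)
            for d in domains}

if __name__ == "__main__":
    for frm, ip, by in relay_chain(RAW):
        print(f"{frm} [{ip}] -> {by}")
    print(claimed_domain(RAW),
          domains_on_route(RAW, ["utexas.edu", "hotmail.com", "pol.co.uk"]))
```

Only the topmost `Received:` line, written by the recipient's own mail exchanger, is reliable; anything below it was supplied by upstream hosts and can be forged, so a mismatch like this one is a signal to investigate rather than proof on its own.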
