[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: [Fwd: VIRUS (Worm.Bagle.A) IN MAIL TO YOU (from <owner-openldap-softwar e@OpenLDAP.org>)]
The virus was either from inside the network where the OpenLDAP mailserver
resides (unlikely) or from a client of samara.net, which is apparently a
Russian ISP.
http://www.samspade.org/t/lookat?a=195.128.153.203
Doug's mail only lists a portion of the fake headers, the important part is
this:
>Received: from winxp ([195.128.153.203])
> by boole.openldap.org (8.12.10/8.12.10) with SMTP id i0LB6NrZ089148
> for <openldap-software@OpenLDAP.org>; Wed, 21 Jan 2004 11:06:24 GMT
> (envelope-from dieter@dkluenter.de)
As you can see the SMTP envelope (which is completely spoofable) claims to be
from Dieter Kluenter. However, Dieter's mail seems to come from dialup
addresses in the 62.180.0.0/16 CIDR netblock, which belong to German ISP "BT
Ignite" (whoever that is).
For comparison, here's a message header that's actually from Dieter:
>Received: from pink.l4b.de (c-180-221-89.cvx-h.dial.de.ignite.net
[62.180.221.89])
> by boole.openldap.org (8.12.10/8.12.10) with ESMTP id i0HGVerY091284
> for <openldap-software@openldap.org>; Sat, 17 Jan 2004 16:31:49 GMT
> (envelope-from dieter@dkluenter.de)
Most of the recent mail-borne virii get their address information by randomly
sampling the outlook address book or similar sources, and most of them get
their host names from the CIFS host ID. So, even though I haven't looked up
how Bagle works, I'll guess that the source of this virus is a windows XP box
running outlook somewhere in eastern Europe. If that describes you, check your
IP address (and if it is 195.128.153.203 you win the prize).
I'm kind of surprised the OpenLDAP mailserver didn't stop the thing.
--Charlie
On 21 Jan 2004 at 11:21, Douglas Furlong wrote:
>
> Just to let people know, an email was sent to the list just now, with
> the Bagle.A virus/worm attached.
>