Thread: OT: HEADS-UP: viral storm out there

OT: HEADS-UP: viral storm out there

From
"Nikola Milutinovic"
Date:
Hi all.
 
This is off topic and is a cross-post, so I'll be brief. There is a very nasty virus out there and I urge everybody to get their AV in order. The virus is known as: "W32.Gibe-F" or "W32.Swen-A".
 
Yesterday, I got cca. 200 viral messages.
 
Today, it's about 800 viral messages!
 
I suspect that a lot of viral traffic directed to me is coming from users on one of the lists I'm crossposting to. Check yourselves.
 
Nix.

Re: OT: HEADS-UP: viral storm out there

From
"Nigel J. Andrews"
Date:
On Fri, 19 Sep 2003, Nikola Milutinovic wrote:

> Hi all.
>
> This is off topic and is a cross-post, so I'll be brief. There is a very nasty virus out there and I urge everybody
> to get their AV in order. The virus is known as: "W32.Gibe-F" or "W32.Swen-A".
>
> Yesterday, I got cca. 200 viral messages.
>
> Today, it's about 800 viral messages!
>
> I suspect that a lot of viral traffic directed to me is coming from users on one of the lists I'm crossposting to.
> Check yourselves.

Yes, this one seems particularly productive, from nothing late yesterday to >50
an hour now for me. Damn annoying, it's not as though I can do my sarcastic
emails to sys admins telling me forged emails are from me.

On a side note, my new work place lost all internet services earlier in the
week when a virus got in and shut down the DMZ network. Seemed near
instantaneous as well. Workstation alarms went and DMZ went offline. Nasty and
costly.


--
Nigel J. Andrews


Re: OT: HEADS-UP: viral storm out there

From
Mike Mascari
Date:
Nigel J. Andrews wrote:

> On Fri, 19 Sep 2003, Nikola Milutinovic wrote:
>
>
>>Hi all.
>>
>>This is off topic and is a cross-post, so I'll be brief.
>>There is a very nasty virus out there and I urge everybody
>>to get their AV in order.
>>The virus is known as: "W32.Gibe-F" or "W32.Swen-A".
>
> On a side note, my new work place lost all internet services earlier in the
> week when a virus got in and shut down the DMZ network. Seemed near
> instantaneous as well. Workstation alarms went and DMZ went offline. Nasty and
> costly.
>

In keeping with being off topic, how do people feel about Verisign
wild-carding the .com and .net domain names so any miskeys
(www.someunregistereddomain.com) resolve to sitefinder.verisign.com.

It is my understanding that sendmail's default configuration rejects
mail whose envelope contains an unregistered domain name, and now that
line of defense (as small as it is) has been rendered useless.

Mike Mascari
mascarm@mascari.com





Re: OT: HEADS-UP: viral storm out there

From
Tom Lane
Date:
Mike Mascari <mascarm@mascari.com> writes:
> In keeping with being off topic, how do people feel about Verisign
> wild-carding the .com and .net domain names so any miskeys
> (www.someunregistereddomain.com) resolve to sitefinder.verisign.com.

They'll be first against the wall when the revolution comes.  I suggest
voting with your feet: if you still have any domains registered via
Network Solutions, reregister them elsewhere, immediately.

> It is my understanding that sendmail's default configuration rejects
> mail whose envelope contains an unregistered domain name, and now that
> line of defense (as small as it is) has been rendered useless.

Yeah.  The latest version of BIND is able to reject verisign's bogus
redirections and maintain the proper behavior.  I installed it about
thirty hours ago, and I've already rejected 270 spams that would have
gotten through (that particular line of defense anyway) without the
fix.  I think a lot of them were this newest worm though, as normally
the reject rate is a lot lower.

            regards, tom lane
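
An added example, not written by anyone in this thread and not BIND's or sendmail's own mechanism: a sender-domain existence check that first learns which addresses a wildcarded TLD returns for random, unregistrable labels, then ignores those addresses when deciding whether an envelope domain exists. The resolver, zone data and addresses are constructed stand-ins, and only A records are modelled.

```python
import secrets

# Constructed data: a TLD whose registry answers every unregistered name
# with one address, as the thread describes for .com and .net.
WILDCARD_ADDR = "192.0.2.1"                        # placeholder address
REGISTERED = {"example.com": {"198.51.100.25"}}    # constructed zone data


def fake_resolve(name):
    """Constructed resolver: set of A-record addresses, empty set = NXDOMAIN."""
    name = name.lower().rstrip(".")
    if name in REGISTERED:
        return set(REGISTERED[name])
    return {WILDCARD_ADDR} if name.endswith(".com") else set()


def wildcard_addresses(tld, resolve, probes=3):
    """Addresses returned for random labels that nobody can have registered."""
    answers = [resolve(f"{secrets.token_hex(16)}.{tld}") for _ in range(probes)]
    # An address counts as the wildcard target only if every probe returned it.
    return set.intersection(*answers)


def sender_domain(envelope_from):
    """Domain part of an envelope sender address, normalised."""
    return envelope_from.rsplit("@", 1)[-1].lower().rstrip(".")


def naive_check(envelope_from, resolve):
    """Pre-wildcard logic: any answer at all means the domain exists."""
    return bool(resolve(sender_domain(envelope_from)))


def wildcard_aware_check(envelope_from, resolve):
    """Accept only if the domain has an address that is not the wildcard's."""
    domain = sender_domain(envelope_from)
    tld = domain.rsplit(".", 1)[-1]
    return bool(resolve(domain) - wildcard_addresses(tld, resolve))


if __name__ == "__main__":
    for sender in ("user@example.com", "forged@someunregistereddomain.com"):
        print(sender, naive_check(sender, fake_resolve),
              wildcard_aware_check(sender, fake_resolve))
```

A registered domain that deliberately points at the wildcard's address would also be rejected by this check, so it trades a small false-positive risk for restoring the filter.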

Re: OT: HEADS-UP: viral storm out there

From
Bruno Wolff III
Date:
On Fri, Sep 19, 2003 at 18:44:24 -0400,
  Mike Mascari <mascarm@mascari.com> wrote:
>
> In keeping with being off topic, how do people feel about Verisign
> wild-carding the .com and .net domain names so any miskeys
> (www.someunregistereddomain.com) resolve to sitefinder.verisign.com.

They have been a screw up from day 1 when some ex CIA guys used their
connections to get the contract and then proceeded to charge premium
prices while doing a terrible job. I am not a big fan of the digital
certificate racket either.

I try to stay as far away from NS and ICANN as I can. I found that
the people running .to have much more user friendly policies, though
I pay a bit more. Their registry is first come first serve. They don't
publish your name, phone number or email address in their whois database.
They also don't like spammers.

Re: OT: HEADS-UP: viral storm out there

From
Mike Mascari
Date:
Bruno Wolff III wrote:
> On Fri, Sep 19, 2003 at 18:44:24 -0400,
>   Mike Mascari <mascarm@mascari.com> wrote:
>
>>In keeping with being off topic, how do people feel about Verisign
>>wild-carding the .com and .net domain names so any miskeys
>>(www.someunregistereddomain.com) resolve to sitefinder.verisign.com.
>
> They have been a screw up from day 1 when some ex CIA guys used their
> connections to get the contract and then proceeded to charge premium
> prices while doing a terrible job. I am not a big fan of the digital
> certificate racket either.

I've been writing Java 2 Micro Edition code lately, and sadly enough,
Motorola's implementation for their IDEN phones won't accept any other
certificate for an https connection except VeriSign.

> I try to stay as far away from NS and ICANN as I can. I found that
> the people running .to have much more user friendly policies, though
> I pay a bit more. Their registry is first come first serve. They don't
> publish your name, phone number or email address in their whois database.
> They also don't like spammers.

And here I thought you lived in the Kingdom of Tonga! :-)

Mike Mascari
mascarm@mascari.com




Re: OT: HEADS-UP: viral storm out there

From
Christopher Browne
Date:
Nikola.Milutinovic@ev.co.yu ("Nikola Milutinovic") writes:
> This is off topic and is a cross-post, so I'll be brief. There is a
> very nasty virus out there and I urge everybody to get their AV in
> order. The virus is known as: "W32.Gibe-F" or "W32.Swen-A".

CERT has a report on it (if the URL resolves :-().

http://www.cert.org/current/current_activity.html#swena

I have been receiving _thousands_ of these today, and others are
reporting similar.  It's as bad for us not running W32 as it is for
those that are...
--
"cbbrowne","@","libertyrms.info"
<http://dev6.int.libertyrms.com/>
Christopher Browne
(416) 646 3304 x124 (land)

Re: OT: HEADS-UP: viral storm out there

From
Ron Johnson
Date:
On Fri, 2003-09-19 at 17:16, Christopher Browne wrote:
> Nikola.Milutinovic@ev.co.yu ("Nikola Milutinovic") writes:
> > This is off topic and is a cross-post, so I'll be brief. There is a
> > very nasty virus out there and I urge everybody to get their AV in
> > order. The virus is known as: "W32.Gibe-F" or "W32.Swen-A".
>
> CERT has a report on it (if the URL resolves :-().
>
> http://www.cert.org/current/current_activity.html#swena
>
> I have been receiving _thousands_ of these today, and others are
> reporting similar.  It's as bad for us not running W32 as it is for
> those that are...

Except they can get infected.

--
-----------------------------------------------------------------
Ron Johnson, Jr. ron.l.johnson@cox.net
Jefferson, LA USA

Causation does NOT equal correlation !!!!!!!!


Re: OT: HEADS-UP: viral storm out there

From
Christopher Browne
Date:
After takin a swig o' Arrakan spice grog, ron.l.johnson@cox.net (Ron Johnson) belched out...:
> On Fri, 2003-09-19 at 17:16, Christopher Browne wrote:
>> Nikola.Milutinovic@ev.co.yu ("Nikola Milutinovic") writes:
>> > This is off topic and is a cross-post, so I'll be brief. There is a
>> > very nasty virus out there and I urge everybody to get their AV in
>> > order. The virus is known as: "W32.Gibe-F" or "W32.Swen-A".
>>
>> CERT has a report on it (if the URL resolves :-().
>>
>> http://www.cert.org/current/current_activity.html#swena
>>
>> I have been receiving _thousands_ of these today, and others are
>> reporting similar.  It's as bad for us not running W32 as it is for
>> those that are...
>
> Except they can get infected.

No, it can be worse for "us" that aren't infected, because our systems
are a little more robust so that instead of falling over due to the
load, we wind up actually receiving all the messages, which is a
further problem.

In the end (and we're not exactly at the "end" yet), I wound up
receiving about 1500 of the messages, which, after I punted them into
my ~/Mail/deleted path, and cpio'ed and gzipped them, turned into
about 80MB of compressed material, corresponding to probably 170MB of
data.  (Yes, I'll purge it.)

My systems didn't go down, but 170MB of bandwidth got eaten.  I'm just
lucky that my ISP has recently moved over to a "we don't charge for
overuse of bandwidth" policy.  There used to be a fee for going over a
certain "cap."
--
(format nil "~S@~S" "cbbrowne" "acm.org")
http://www3.sympatico.ca/cbbrowne/wp.html
Why do we drive on parkways and park on driveways?

Re: OT: HEADS-UP: viral storm out there

From
Robert Treat
Date:
On Sat, 2003-09-20 at 18:47, Christopher Browne wrote:
> After takin a swig o' Arrakan spice grog, ron.l.johnson@cox.net (Ron Johnson) belched out...:
> > On Fri, 2003-09-19 at 17:16, Christopher Browne wrote:
> >> Nikola.Milutinovic@ev.co.yu ("Nikola Milutinovic") writes:
> >> > This is off topic and is a cross-post, so I'll be brief. There is a
> >> > very nasty virus out there and I urge everybody to get their AV in
> >> > order. The virus is known as: "W32.Gibe-F" or "W32.Swen-A".
> >>
> >> CERT has a report on it (if the URL resolves :-().
> >>
> >> http://www.cert.org/current/current_activity.html#swena
> >>
> >> I have been receiving _thousands_ of these today, and others are
> >> reporting similar.  It's as bad for us not running W32 as it is for
> >> those that are...
> >
> > Except they can get infected.
>
> No, it can be worse for "us" that aren't infected, because our systems
> are a little more robust so that instead of falling over due to the
> load, we wind up actually receiving all the messages, which is a
> further problem.
>
> In the end (and we're not exactly at the "end" yet), I wound up
> receiving about 1500 of the messages, which, after I punted them into
> my ~/Mail/deleted path, and cpio'ed and gzipped them, turned into
> about 80MB of compressed material, corresponding to probably 170MB of
> data.  (Yes, I'll purge it.)
>
> My systems didn't go down, but 170MB of bandwidth got eaten.  I'm just
> lucky that my ISP has recently moved over to a "we don't charge for
> overuse of bandwidth" policy.  There used to be a fee for going over a
> certain "cap."

I'm waiting for the day that someone fires up a class action lawsuit
against m$ for all the excess bandwidth fees users end up paying due to
bugs in m$ software. That or the government decides to issue a recall on
outlook due to the monumental cost it has on the nation's economy... we
seem to recall every other sort of product, why not software?

Robert Treat
--
Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL


Re: OT: HEADS-UP: viral storm out there

From
"Andrew L. Gould"
Date:
On Monday 22 September 2003 09:05 am, Robert Treat wrote:
>
> I'm waiting for the day that someone fires up a class action lawsuit
> against m$ for all the excess bandwidth fees users end up paying due to
> bugs in m$ software. That or the government decides to issue a recall on
> outlook due to the monumental cost it has on the nation's economy... we
> seem to recall every other sort of product, why not software?
>
> Robert Treat

Does anyone know Ralph Nader's email address?  He'd be the one to start it.

Re: OT: HEADS-UP: viral storm out there

From
"Shridhar Daithankar"
Date:
On 22 Sep 2003 at 9:24, Andrew L. Gould wrote:

> On Monday 22 September 2003 09:05 am, Robert Treat wrote:
> >
> > I'm waiting for the day that someone fires up a class action lawsuit
> > against m$ for all the excess bandwidth fees users end up paying due to
> > bugs in m$ software. That or the government decides to issue a recall on
> > outlook due to the monumental cost it has on the nation's economy... we
> > seem to recall every other sort of product, why not software?
> >
> > Robert Treat
>
> Does anyone know Ralph Nader's email address?  He'd be the one to start it.

I can contribute whatever I can to such an action. I had excess of 300 spam
mails to delete between friday night 9PM and monday morning 11AM. Usually that
is limited to 10-15 over week end.

Not to mention, internet is crawling here ATM. It wouldn't be hard to guess
why..

 What to do? :-(



Bye
 Shridhar

--
QOTD:    How can I miss you if you won't go away?


Re: OT: HEADS-UP: viral storm out there

From
"James Moe"
Date:
On Mon, 22 Sep 2003 20:06:56 +0530, Shridhar Daithankar wrote:

>I had excess of 300 spam
>mails to delete between friday night 9PM and monday morning 11AM. Usually that
>is limited to 10-15 over week end.
>
  Is that all? Lucky you.

--
jimoe at sohnen-moe dot com
pgp/gpg public key: http://www.keyserver.net/en/



Re: OT: HEADS-UP: viral storm out there

From
Andrew Sullivan
Date:
(I trimmed some of the cc:s)

On Fri, Sep 19, 2003 at 07:42:04PM -0400, Tom Lane wrote:
> Mike Mascari <mascarm@mascari.com> writes:
> > In keeping with being off topic, how do people feel about Verisign
> > wild-carding the .com and .net domain names so any miskeys

> voting with your feet: if you still have any domains registered via
> Network Solutions, reregister them elsewhere, immediately.

Note that, while NSI is indeed a VeriSign company, VGRS (VeriSign
Global Registry Services, the registry people) are the ones doing
this, _not_ Network Solutions.  That is, the action is at the
registry, not the registrar.

NSI competes to register names as a registrar.  VGRS has no
competition in running .com or .net registries, however, except
insofar as people register domains in other top-level domains.
I'm not in the marketing department here, though, so I'll not suggest
other top level domains you might want to use.  For the record, I am
not expressing any view on whether the wildcard idea is a good one,
although I certainly have an opinion on the matter.

A

--
----
Andrew Sullivan                         204-4141 Yonge Street
Liberty RMS                           Toronto, Ontario Canada
<andrew@libertyrms.info>                              M2P 2A8
                                         +1 416 646 3304 x110