Your application
John E. Malmberg
wb8tyw at qsl.net
Tue Jun 3 12:20:11 GMT 2003
Tim Potter wrote:
> On Tue, Jun 03, 2003 at 01:48:06AM +0000, splint-bug at cs.virginia.edu wrote:
From adsl-34-165-79.hsv.bellsouth.net [67.34.165.79]? This does not
appear to be a mail server.
>>Please see the attached file.
>
> Which was stripped by mailman. Care to resend? Assuming you are not a
> spammer of course.
It is the same worm that was being sent with the forged address of
support(at)microsoft.com. It has morphed to use a different From: address.
Apparently this worm is going directly to the SAMBA MX from the infected
machine.
#ifdef Paranoia
It may be that its purpose is to identify machines that are vulnerable
to being taken over, so it targets e-mail addresses from usenet. Then
the cracker can use google to find I.P. addresses and possibly e-mail
addresses in the archives that they can send remote control programs to.
#undef
-John
wb8tyw at qsl.network
Personal Opinion Only