Contributed By IronNormally, I don't think much about spam. It's easy to spot it in a mail index. Spam just doesn't have plausable Subject: lines. Too many capital letters, too many '$' and other symbols, and words that no person would put in a subject; e.g., "Here's the info you asked about."
Three weeks ago, I started receiving a lot of binary attachments. After two weeks of seeing the same subject lines over and over, I started keeping count. 241 messages in 9 days, or 32 MB. Ironically, the culprit itself revealed its identity. One of the subjects was "W32.Klez.E removal tools". I headed to www.datafellows.com, searched for "Klez.E", and sure enough, it's a worm.
It's quite a complicated little beastie. It has a large pool of subjects to choose from and also incorporates phrases it finds in files. It has a built-in SMTP client and sends itself to whoever it finds in your Outlook address book, pretending to be From: somebody else in your address book.
Linux users of course can't get infected, although it can leak onto Linux mailing lists and pretend to be From: a Linux user. But Windows users who are unlucky enough to run the program or let IE or Outlook automatically execute it will have their documents overwritten with random data, their anti-virus programs disabled, and their address book harvested. Often it pretends to be an audio file, exploiting a bug in some Windows programs that automatically executes audio attachments.
In the past week, the worm has forged the addresses of both Alex (former Answer Gang member and column writer) and the Editor Gal (Heather), and sent three messages to a linux-list recipient claiming to be From: linux-list. Interestingly, the addresses it chose for Heather and the linux-list person were obsolete.
I have no idea why the Gazette address has the honor of receiving 99% of these critters.
What burns me up was not only the bandwidth but the sneaky way it tries to trick you into running the attachments, claiming to be a Win XP patch (that's what first got me suspicious) or an anti-virus tool against itself. Some of its messages include the URLs of real anti-virus companies as a way to sound legitimate.
A Win XP patch Your password A nice game This is a very nice game<br> This game is my first work.<br> I hope you would enjoy it. A special excite game If you're not connected to the Internet W32.Klez.E removal tools <FONT>Sophos give you the W32.Klez.E removal tools<br> W32.Klez.E is a dangerous virus that spread through email.<br> <br> For more information,please visit http://www.Sophos.com</FONT> Worm Klex.E immunity <FONT>Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.<br> Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.<br> We developed this free immunity tool to defeat the malicious virus.<br> You only need to run this tool once,and then Klez will never come into your PC.<br> NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.<br> If so,Ignore the warning,and select 'continue'.<br> If you have any question,please <a href=3Dmailto:firstname.lastname@example.org>mail to me</a>.</FONT> W32.Elkern removal tools W32.Elkern is a dangerous virus that can infect on Win98/Me/2000/XP. Trendmicro give you the W32.Elkern removal tools For more information,please visit http://www.Trendmicro.com Hi,gazette,darling Introduction on ADSL False) window.parent.GoNext() Tooltips.style.visibility CELLSPACING Content-Type: audio/x-wav; name=height.bat So cool a flash,enjoy it name=Nt324-00.doc A IE 6.0 patch name=sidprod1.htm Password. Make sure you remove the cookies byCutest subject: "there's a solution". It sounds like a religious evangelist, but with the vagueness of a fortune cookie.
First non-English subjects: "Impostati", "Bliver brugt i Netscape".
Ben sent in this procmail stanza that catches all messages with Windows binary attachments and sends them to /dev/null:
# Goodbye to all the fools sending me "executable" attachments :0B: * name=.*(\.exe$|\.scr$|\.pif$) /dev/nullI wrote a recipe that catches the subject lines used by this worm, with double spaces after the words it uses double spaces after. It puts the messages in I.worm in my mail directory. ("I." is the common prefix for my incoming mailboxes.)
To generate the subject lines:
grep -i 'Subject:' spambin | tr A-Z a-z | sed 's/subject: //' | sort -u >victims
I've also started temporarily moderating linux-list, where it also tried to spread. And I've been collecting these critters in a mailbox and sending complaints to the postmaster@ and abuse@ the relay ISPs, and blocking mail from those that don't respond.
More from Symantec: http://email@example.com
The colleague who answers the support@ mailbox here reports receiving 282 of these in 5 days.
Curiously, "the virus doesn't work on any operating system except Windows 98 because of a serious bug in its code. Due to some blind luck the virus also works on Windows 2000... When the main code gets control, the first thing is does is calls the IsDebuggerPresent API function. But the virus calls this function using a fixed API address and this address is only valid for Windows 98. On all other systems the virus just crashes. ... [Stuff about registry keys it sets] ... On Windows NT this doesn't happen because the virus crashes. Due to a dumb luck the virus doesn't crash on Windows 2000 though it calls a non-existing API address. "
Trendmicro/antivirus.com describes the worm's attack scheme:
It does not require the email receiver to open the attachment for it to execute. It uses a known vulnerability in Internet Explorer-based email clients to execute the file attachment automatically. This is also known as Automatic Execution of Embedded MIME type.
The infected email contains the executable attachment registered as content-type of audio/x-wav or sometimes audio/x-midi so that when recipients view the infected email, the default application associated with audio files is opened. This is usually the Windows Media Player. The embedded EXE file cannot be viewed in Microsoft Outlook."
However Trendmicro also pretends that the thing (at least the `E' and `H' variants) composes the message body "randomly"... The `H' variant is supposed to contain the following strings:Win32 Klez V2.01 & Win32 Foroux V1.0 Copyright 2002,made in Asia About Klez V2.01: 1,Main mission is to release the new baby PE virus,Win32 Foroux 2,No significant change.No bug fixed.No any payload. About Win32 Foroux (plz keep the name,thanx) 1,Full compatible Win32 PE virus on Win9X/2K/NT/XP 2,With very interesting feature.Check it! 3,No any payload.No any optimization 4,Not bug free,because of a hurry work.No more than three weeks from having such idea to accomplishing coding and testing"The sender `from:' address seems to be taken randomly either from the infected user's address book (which means that the apparent originator is not necessarily infected her/himself), or from a set of hardcoded addresses.
Iron:Better go to Scotland. If it's cold enough that tomatoes don't grow up there, maybe you're safe from dust bunnies too. Dust bunnies are those clumps of dust that accumulate behind and underneath furniture. Sounds like there might be a dust bunny convention under your sofa.
I'm just kidding, of course. I mean, at least there the Le Mans... That's a strange highway, though; after a while, the faces in the crowds along the side of the road (and *boy* are they big crowds - you'd think they've never seen a car before!) begin to look _really_ familiar, like they were *repeating* or something. And there's no place to pull over and buy a hot dog, either.
This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible.
I didn't know there was a minimum age to use Linux. If you're old enough to write an e-mail, you're old enough to write Linux.
Are you old enough to set your mailer so it sends us only text-format messages, not HTML format? Text messages are easier for us to read and respond to, and are the standard for Internet e-mail.
You're not old enough to use Linux and you're trying to configure Sendmail??? Mamma mia! Why? Use a mail transfer agent like Postfix that's much easier to configure than Sendmail.
What exactly do you want to do, what have you tried, and what are the problems?
I assume by "mail relay" you just mean you want Sendmail to work, so you can send mail from and to your computer. That's not a mail relay. A "mail relay" means that your Sendmail program accepts mail *from non-local senders to non-local recipients*. Normally, Sendmail accepts mail only if it's *from a local user* or *to a local user*. Otherwise, you open up your mail server for exploitation by spammers.
If this is the central mail server for an organization, it probably accepts mail from computers in the organization but not from other computers. This is technically "relaying", but with most mail transfer agents you don't configure it as a relay, instead you tell the program these are local addresses.
If you're trying to be a spammer yourself, see Linux Gazette's advice for crackers: #1 #2
So, I'm putting it up here. Some of you might care, others hit 'delete' - and Faber, presumably, will get a high-speed cartoon brick with a message wrapped around it, telling him to smack his server so that it will take my messages and _like_ it.
<making faces at Faber's server> Nyah. :)
Yeah, *right*. Micros*ft may produce a broken OS, be in league with the Dark Forces, and smell of elderberries, but they're *not* stupid enough to spam millions of people. Sorry, slimeball; try elsewhere.----- Forwarded message from Microsoft Corporation Security Center
----- Date: Sun, 17 Mar 2002 20:35:29 -0600 From: "Microsoft Corporation Security Center" To: "Microsoft Customer" <'firstname.lastname@example.org'> Subject: Internet Security Update
First off, the poor English should trigger off warnings; you don't "protect from" vulnerabilities; dependent clauses need a referent; and "security update" takes a definite article. An articulate seven-year old, or an under-educated teenager? Take your pick.Microsoft Customer, this is the latest version of security update, the known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer.
"Don't delay! Grab the patch from *THIS* Micros*ft site RIGHT NOW!!!"
Yeah, this whole thing sparked me to mantion a "warning in case you have gullible end users" to my local sysadmins list.
Reports of a new strain of the "lack of clue" virus, in which people who lack a clue when dealing with email attachments are victimized easily, is going around.
This one affects all clueless Microsoft customers and is invoked when the hapless victim opens an attachment claiming to be "from Microsoft" (CLUE: Microsoft never sends attachments. They have a website and a rather annoying auto-update system. They don't need to waste their own email bandwidth spamming customers with update .exe packets).
Linux users are largely immune, as are freeBSD users, but users of MSwin based mailers which "helpfully" open attachments for them are heavy sufferers in this ailment. Linux and BSD folk who use WINE or DOSEMU and have made any special effort to autolaunch those sort of binaries should beware though. ("Too much clue" is also a problem at times...)
Sites using a central SMTP gateway can apply filters against undesired attachments. If you don't have a clue what policy to apply, consider dumping all mail bearing attachments with the "Known Dangerous Extensions" - a Microsoft Knowledge Base document available on their website - into some moderated account which is maintained by a user with no interesting privileges, or to pass it through some antivirus scanning.
Results are kinda gross, actually. I predict incompatibility with most kitchen protocols, especiially teen-chores.
Ah, but your professor wants you to do the research yourself.
Yes, of course. Linux is the OS that causes cancer. http://www.theregister.co.uk/content/4/19396.html
Linux is also obsolete. http://groups.google.com/groups?selm=12595%40star.cs.vu.nl
It was written by high school students who are in jail now. http://geraldholmes.freeyellow.com/LinusSucks.html
Every second billions of innocent assembler instructions are executed all over the world. Inhumanly they are put on a pipeline and executed with no regard to their feelings. The illegal instructions are spared, although they should be executed instead of the legal ones.
Prior to the execution the instructions are transported to a cache unit using a bus. There they spent their last moments waiting for the execution. Just before the execution the instruction is separated into several pieces. The execution isn't always fast and painless. On crude hardware the execution of a complex instruction can take as long as 150 clock cycles. Scientists are working on shorter execution times.
Microsoft endorses the needless execution of instructions with their products like DOS(TM), Windows(TM), Word(TM) and Excel(TM). It is more humane to use software which minimises the executions.
Modern machines use several units to execute multiple instructions simultaneously. This way it is possible to execute several hundred million instructions per second. The time is near when there will be no more instructions to execute.
Just to make it clear, THERE IS NO OFFICIALLY-SANCTIONED LINUX GAZETTE HANDSHAKE!!! If anybody tries to tell you there is and offers to teach it to you for a "donation", tell them to jump off a short plank into Chesapeake Bay.
PS. I think Ben should host a Linux Gazette New Year's party on his fancy new yacht.
I have been mandated by my colleagues on the Panel to seek your assistance in the transfer of the sum of US$18.5 Million into your Bank account. As you may have known, the late General Abacha and members of his government embezzled billions of dollars through spurious contracts and payments to foreigners between 1993 and 1998 and this is now the subject of the probe by my Panel.
In the course of our review, we have discovered this sum of $18.5 Million, which the former dictator could not transfer from the dedicated account of the Central Bank of Nigeria before his sudden death in June 1998. It is this amount that my Colleagues and I have decided to acquire for ourselves through your assistance. This assistance becomes crucial because we cannot acquire the funds in our names and as government officials we are not allowed to own or operate foreign bank accounts.
[Bah, they want to acquire knowingly-embezzled funds for themselves, and need a partner because as government officials they can't open a government bank acct? -Iron.]
To: email@example.com Cc: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org Subject: i recommend trying this .
Mike ("Iron") Orr
Editor, Linux Gazette, email@example.com