
30 virus attacks in 2 hours! - W32.Sobig.F@mm

After the Blaster, another mass-mailing virus!


lasko

4:15 pm on Aug 19, 2003 (gmt 0)

10+ Year Member



The virus W32.Sobig.F@mm has been around really quite recently; however, Symantec have just upgraded it to nearly the same level as the Blaster.

For some reason in the last two hours I have received 30 attacks, all of which were stopped by Norton with no problems.

The virus is sending itself to any email address found on html, htm, txt files and more on the internet.

So now I am taking all my addresses off all my high-ranking web sites and using php to protect my email accounts.

Has anyone else seen a sudden increase of attacks from this virus?

What a week it's turning out to be :(

MarkHutch

10:10 pm on Aug 22, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Just did an ARIN lookup on some of those IP addresses. They are major players in the Cable and DSL marketplace.

waitman

10:55 pm on Aug 22, 2003 (gmt 0)

10+ Year Member



yeah, looks that way.

however 4 of them look like they are located in Korea.

it is not clear if the instigator of this mess has any affiliation with the IPs posted, my best guess is they are machines that were hacked, and the owners originally hadn't a clue about it.

Dolemite

11:54 pm on Aug 22, 2003 (gmt 0)

10+ Year Member



Did anyone hear what the virus was set to do...what the code downloaded from those 20 computers would trigger?

Liane

12:06 am on Aug 23, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



regarding where the worm gets the emails to use for "spoofing", the major av providers list about a dozen different file formats it scans and uses to harvest email addresses.

if someone visits your web site, they get your page stuck in their cache, the worm picks it out of their cache.

Well, I am certain it got my address from my web site ... but I also got an infected message sent to me within hours of sending an e:mail to a friend and it used the same heading I had used.

This is very scary stuff. If your e:mails can be harvested and also somehow intercepted using your own subject titles ... what else can they do? :o

waitman

12:31 am on Aug 23, 2003 (gmt 0)

10+ Year Member



as far as the damage with this nasty mess, i believe that there was no major catastrophe and the villain was foiled this time thanks to the dedicated efforts of many individuals in several companies and government agencies. (thank you, thank you, thank you - people out there.)

i haven't read what was intended to happen, had the thing been permitted to operate.

please note that the parameters, as i have read on various web sites, indicate that the potential still exists for havoc down the road.

from what i read the initial 'payload' was blatant crap-spam, not exactly sure but probably along the lines of 'getting bigger ones' or something like that.

also, what i (and many others) experienced were some serious and considerable server and network loads.

best,

rjohara

12:56 am on Aug 23, 2003 (gmt 0)

10+ Year Member



Certainly hasn't died down here; in fact, it has picked up. I've gotten about 50 emails from the virus in the last hour, the highest number I have gotten since it started.

waitman

1:33 am on Aug 23, 2003 (gmt 0)

10+ Year Member



well, you are lucky then that you didn't catch the front end of this thing ;-)

here are the stats from my mail server

aug 15 - 5,737 messages processed
aug 16 - 4,603
aug 17 - 4,541
aug 18 - 7,137
aug 19 - 21,901
aug 20 - 31,888
aug 21 - 23,037
aug 22 - 13,383 (today isn't over yet ;-)

looks like it is diminishing, thank goodness!

on the 20th i noticed the cpu load at 1200%, and had to make some serious modifications to the incoming and outgoing queue processing... also i set it to drop all the bounce-back NDRs caused by the worm.

rjohara

3:04 am on Aug 23, 2003 (gmt 0)

10+ Year Member



Hmm, definitely a major acceleration in email received from the virus beginning about 8pm US Eastern Time for me (3 hrs ago). Now averaging more than one incoming message per minute. In Google news there are several reports that the thing was cut off from its main spawning activity this afternoon; unless I'm special, I have a feeling those reports may have been premature.

(A happy Mac user just watching it all.)

waitman

3:10 am on Aug 23, 2003 (gmt 0)

10+ Year Member



And you know, I still stick to my belief that creating smtp servers that only relay authentic digitally signed email would have helped diminish this problem.

Basically IMHO the 'anonymous' nature of the internet is the real problem here.

I have written some articles about this, and have even started creating my own 'open' smtp server that authenticates based on the signature of the message. My hope is that someone bigger than me would take to the idea and put it in place.

When one becomes the victim of several different spam campaigns using spoofed addresses and hijacked domains, you start getting sick of it, as I have. This recent incident really tops the cake.

I advocate an Internet where it is only possible to send email if you have a valid digital signature and use it to sign your message.

Of course, as pgp/ssl is a double-edged sword by nature, the public portion of the signature will end up in a directory somewhere. So I reckon privacy advocates might have some concern of alarm.

But just think of a world where people can drive automobiles on public streets privately and anonymously. What trouble we would have.

This Internet is not a private playground, it is a public network.

I also concede that my suggestion is an imperfect solution, however I feel it is a big step in the right direction. We currently have all sorts of problems with blatant crap-spam, typically using spoofed addresses and faked headers. People seem to think that putting legislation into place will solve the problem, however it seems to me that the people that enforce these types of things already have enough of a workload as it is, and good luck tracking down the source when it is coming from some third world country.

If the email had to have their signature on it to begin with, it seems the problem would be reduced. Since I think that the people who provide the access to the Internet would be responsible for signing and/or creating the signatures, it would seem to be a trivial task to cut people off who 'abuse the system' so to speak.

Anyhow, in light of the recent nasty incident on our hands, I felt it appropriate to make note of a possible solution.

Best Regards,

MarkHutch

4:05 am on Aug 23, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm sick of it too. I'm just wondering why it's always the MS operating system that is affected and why? I'm wondering why MS can't close these holes in their system and software before they release the software and operating systems in the first place.

waitman

5:12 am on Aug 23, 2003 (gmt 0)

10+ Year Member



Well, I am more of a Linux/FreeBSD guy myself, however I use one Windows notebook for communication and another Windows machine for some graphic work.

I understand that the virus used a flaw in the operating system to exploit our SMTP network.

It seems that it is one of those situations where the exposed and apparent issue may obscure the actual problem.

A lot of people do not understand how trivial it is to assume any identity while online. The media may advertise identity theft with regards to consumer credit and personal identification, however they do not seem to consider the virtual attributes of any business or individual.

When someone takes one of my domain names, and uses it to send a spam campaign to potentially hundreds of thousands or millions of addresses, and I receive hundreds or thousands of NDR reports and personal complaints, that sure feels like identity theft. Perhaps we could consider a domain name a tangible object, as others have, and then the act seems more criminal.

All this talk of security in technical magazines and we can't even control who uses our domain name for just about any purpose they see fit.

Take care,

ShawnR

6:48 am on Aug 23, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"... I am certain it got my address from my web site ..."

In my case it was from a computer in a university that has me on certain mailing lists (not spam, legitimate).

I got the non-delivery reports, (and a few understanding/tolerant 'complaints'). The header of the attached undeliverable emails showed "from" email address = me; IP address = not me. Tracing the source based on the IP address revealed that it was just an innocent party (the university) who got hit by the virus. The worm probably got my address by looking at lists or MS Outlook 'Contacts' on the host.

I think waitman's suggestion of digitally signed emails is a good way to go.
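The check ShawnR describes (forged From in our domain, originating IP not ours) is also the rule waitman needed to drop worm bounce-backs. Below is an added example, not code from the thread, that parses the original headers a bounce attaches and flags such backscatter; the sample headers, domains and relay addresses are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the original headers an NDR attaches when a worm-sent
# message is rejected. The From claims our domain (example.com), but the
# earliest Received hop is a dial-up host we do not operate.
SAMPLE_BOUNCED_ORIGINAL = """\
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.example.net (8.12.8/8.11.6) with ESMTP id ABC123
\tfor <list@example.net>; Fri, 29 Aug 2003 17:57:40 -0700 (PDT)
Received: from HOSTNAME-ABC (dialup-45.isp.example [192.0.2.45])
\tby relay.example.org (8.12.8/8.11.6) with ESMTP id DEF456
\tfor <list@example.net>; Fri, 29 Aug 2003 17:57:30 -0700 (PDT)
\t(envelope-from webmaster@example.com)
From: <webmaster@example.com>
To: <list@example.net>
Subject: Re: That movie

"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Received headers oldest-first (each MTA prepends its own, so reverse)."""
    msg = message_from_string(raw)
    return list(reversed(msg.get_all("Received") or []))


def originating_ip(raw):
    """IP of the host that injected the message: the bracketed address of the earliest hop."""
    chain = received_chain(raw)
    if not chain:
        return None
    match = IP_IN_BRACKETS.search(chain[0])
    return match.group(1) if match else None


def claimed_sender(raw):
    """The address the From header claims, lower-cased."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", "")).__getitem__(1).lower()


def is_forged_backscatter(raw, our_domain, our_outbound_ips):
    """True when the bounced original claims our domain in From but was
    injected from a host that is not one of our own outbound relays.
    Unknown origin is treated as 'keep' so that genuine bounces are not lost."""
    sender = claimed_sender(raw)
    if not sender.endswith("@" + our_domain.lower()):
        return False          # not pretending to be us: an ordinary bounce
    origin = originating_ip(raw)
    if origin is None:
        return False
    return origin not in our_outbound_ips
```

A mail-server filter would run this over the attached original of each NDR and discard the ones it flags; the ARIN/whois lookup MarkHutch mentions is then done on the originating IP, not on the spoofed From.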

Natashka

7:15 am on Aug 23, 2003 (gmt 0)

10+ Year Member



Good time to take a little revenge on spammers! If you have a high traffic site and know some email addresses of spammers, you can include those on your page (invisible for viewers, but visible for virus!) and they will drown in viruses just like you used to drown in their spam (LOL, just kidding).

lasko

8:11 am on Aug 23, 2003 (gmt 0)

10+ Year Member




Now we are investigating random UDP traffic that has been seen in the net, possibly relating to the worm.

After my big day of being attacked by the virus (50 to 100 an hour) my firewall was warning me every 5 minutes of a UDP access attempt, since then I have not had a single warning.

So it looks like you will receive on your 1st day heavy email with the virus then 2nd day attempts to access your computer through UDP.

Currently only getting 2 attacks an hour; it has really slowed down at the moment.

My biggest fear is version G and maybe H if they are ever released, as every new strain is far stronger than the previous release.

Essex_boy

10:39 am on Aug 23, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



When they catch the writer.... Hang 'em!

Lorel

7:16 pm on Aug 23, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I have a Mac so I wasn't hit by the virus but I manage about 21 websites and didn't have my own email encoded on all of them yet and my email is allllll over the internet on various directories and web pages so I've been hit with the emails since Tues--about 40 per hour--two different emails so far. I had encoded all my clients' emails and so far haven't heard that they were hit with this virus. I use a different method of encoding than what I've seen on the net by writing the email out thusly:

info AT domain DOT com

then I give instructions to remove all spaces, change caps to symbols or periods and copy and paste into an email doc. It's annoying for surfers to have to do this but sure has cut down the spam.

I was the 2nd one to inform my ISP that I was getting a virus on Tues the 19th and they managed to filter out about 99% of the attachments and I filtered the emails out in my Eudora email program by adding the subject lines and sending them to the delete file on the server. Now I'm only getting one every time I check my email--for some reason one gets thru every time.

I thought that the virus started when I subscribed to a new mailing list for web designers on Yahoo Groups last Tues because they started immediately thereafter but I may be wrong.

I can see why using a web forum like this one is preferable to a mailing list now--because spammers are infiltrating mailing lists and there isn't much that the moderators can do about it because they just resubscribe with a new email after being booted out.

One thing I'm finding interesting re the spoofed notifications that I have a virus--is that they are coming from strange countries with extensions I've never seen before, like .hu.
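To show why Lorel's "info AT domain DOT com" form (and the entity-encoded output a PHP page such as lasko's might produce, which is an assumption here) keeps an address out of a worm's file scan, here is an added example with a simplified harvester pattern; it is not code from the thread, and the harvester regex is a constructed stand-in for what a mass-mailer matches.

```python
import html
import re

# Constructed stand-in for the pattern a mass-mailer applies to cached .htm/.txt
# files: anything that looks like local@domain.tld in the raw bytes.
HARVEST_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest(text):
    """Addresses a raw-file scan (no HTML decoding) would pick out of the source."""
    return HARVEST_RE.findall(text)


def harvest_after_unescape(text):
    """A smarter harvester that decodes HTML entities first; shows the caveat."""
    return harvest(html.unescape(text))


def spell_out(addr):
    """Lorel's form: 'info@domain.com' -> 'info AT domain DOT com'."""
    local, domain = addr.split("@", 1)
    return f"{local} AT {domain.replace('.', ' DOT ')}"


def decode_spelled_out(text):
    """What the visitor does by hand: put the '@' and '.' back."""
    return text.replace(" DOT ", ".").replace(" AT ", "@")


def entity_encode(addr):
    """Every character as a decimal HTML entity. The browser renders the address,
    but the raw page source contains no literal '@' for a scan to match."""
    return "".join(f"&#{ord(c)};" for c in addr)


def mailto_obfuscated(addr):
    """An entity-encoded mailto: link, the kind of markup a PHP helper could emit (assumed)."""
    enc = entity_encode(addr)
    return f'<a href="mailto:{enc}">{enc}</a>'
```

The last function makes the limitation visible: a harvester that unescapes entities before matching gets the address back, so entity encoding only defeats the raw-file scan the thread describes, whereas the spelled-out form has no '@' to recover at all.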

Brougham

8:02 pm on Aug 23, 2003 (gmt 0)

10+ Year Member



Although I have up to date NAV and all MS patches for XP, I still feel safer checking all emails via webmail, removing obvious spam or reading dubious before downloading.

Net_Wizard

4:42 am on Aug 24, 2003 (gmt 0)



Here's what I did...

Though I have a spam filter for my PC, anti-virus, and am using OE with attachments disabled.

I have all my web sites' addresses (webmaster, admin, etc.) forwarded to my real email address but instead of downloading the emails with my OE, I manually scan all email subjects through my ISP web mail.

1. If I spot a good email, I then move it to a 'good email' folder.
2. The rest, I just simply empty the whole folder to trash and empty the trash at the same time too.

Thus, I still can receive valid emails without exposing my server to any viruses or my home pc.

Much faster rather than have my filter run through hundreds or thousands of emails.

BTW, it seems like it's slowing down, probably taking a break. Are any of you using Outlook Express aware that you can disable attachments? Good feature for my wife who is always susceptible to opening attachments :)

Cheers

ShawnR

8:18 am on Aug 24, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"...One thing I'm finding interesting re the spoofed notifications that I have a virus--is that they are coming from strange countries with extensions I've never seen before, like .hu. ..."

This is just because of two factors: 1) The nature of the virus is global - it attacks and spreads globally; and 2) You are not used to receiving email from those countries, so when you do get an email from them, it is unusual.

I have seen arguments (including in various threads in WebmasterWorld in the past) that suggest blocking email from certain countries because they are allegedly more prolific in sending spam or viruses. I find this a sad and unfortunate outcome for the Internet, and can only imagine that it is driven by a mixture of ignorance and bigotry. The truth is that research shows that the majority of spam originates from the US. (For viruses, the US and the UK share the honours). The research is published periodically, and there is an abundance of it, but just three examples:

[psinet.it...]
[bullguard.com...]
[trendmicro.com...]

It is true that western countries have tried to petition minority countries to legislate against spam and viruses, but in my view this is just to get consistency and present a multilateral legislative framework against hackers; not because those minority countries produce more spam or viruses.

OK, I'm off my soap-box. Sorry if this is a bit off topic... Although this thread is not really highly focussed anyway

vik_c

8:28 am on Aug 24, 2003 (gmt 0)

10+ Year Member



I think spam is all set to shoot up as soon as this subsides because spammers will have access to tons of newer email addresses now.

Net_Wizard

3:42 pm on Aug 24, 2003 (gmt 0)



It's funny you mentioned that :)

It came across my mind to store all these email addresses in a database...at the rate it's coming...it beats subscription to my newsletter. Come to think of it, they did email me ;)

However, conscience got a hold of me, morally and ethically it's just not right to take advantage of the situation.

But, you are right, it may have slowed down the spammers but on the bright side they have a field day with all those email addresses.

Net_Wizard

4:18 pm on Aug 28, 2003 (gmt 0)



Is it just me or is this situation getting worse? 75 in just under 15 mins.

juniperwasting

4:23 pm on Aug 28, 2003 (gmt 0)

10+ Year Member



I have not noticed any increase. What I did notice was a new one.

From: Microsoft
Subject: Apply this patch immediatly!

Now this is going to nail many people given the national press coverage and related mass hysteria surrounding Blaster and Sobig.

Not sure what the bug in it is, as my AV kills the attachment before I have a chance to screw it up.

waitman

4:43 pm on Aug 28, 2003 (gmt 0)

10+ Year Member



apparently there is another new virus out there that attempts to locate vulnerable machines and "patch them" - it could be that this is what you are describing...

anyhow, this new thing is somehow faulty, it was the blame for the Canadian railway disruption.

check out your favourite av site for details...

take care,

jim_w

5:00 pm on Aug 28, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I got lucky. Only got about 10 bounces and 1 virus sent that NA took out. However, every bounce had my newsletter address and the worm tried to come in on that. I have no addys posted on the web, so they had to have gotten the email addy from their contact list.

I may have gotten lucky because in every newsletter I report how many attacks I got on the newsletter email address and warn ppl to protect themselves and maybe they listened.

A long time ago it was posted somewhere that you should change the default cache directory of Explorer to keep ppl from getting into it. They guess where it is based on the default. I did that then just to be sure.

waitman

1:46 am on Aug 30, 2003 (gmt 0)

10+ Year Member



lol, i am still laughing at this one.

looks like the worm might have had one small 'good' effect:

It appears to have removed me from some crappy spam mailing list, we'll see!

Message:

We have removed the email address "waitman@emkdesign.com"
from mailing list "specialoffers2". Thank you for using our service.

The original message sent was:
> From waitman@emkdesign.com Fri Aug 29 17:57:59 2003
> Received: from KERRAY-PF08UJB2 (p50927D46.dip.t-dialin.net [80.146.125.70])
> by i.pm0.net (8.12.8/8.11.6) with ESMTP id h7U0vYWu040912
> for <specialoffers2@reply.mb00.net>; Fri, 29 Aug 2003 17:57:40 -0700 (PDT)
> (envelope-from waitman@emkdesign.com)
> Message-Id: <200308300057.h7U0vYWu040912@i.pm0.net>
> From: <waitman@emkdesign.com>
> To: <specialoffers2@reply.mb00.net>
> Subject: Re: That movie

Herenvardo

3:28 pm on Sep 1, 2003 (gmt 0)

10+ Year Member



I don't know how you can get so troubled!
I do not use any antivirus and my systems are always clean. I send mailings to many people and sometimes (2-3 times a year) somebody tells me that my mail had a virus.
Once I tried to install Panda and I was not able to boot my computer again: I had to format the hard drive and re-install Windows again.
So I will never use an antivirus. But I also never open an unexpected attachment without caring. I NEVER receive runnable files, so if one of them appears in an attachment, I delete it immediately (sometimes I store it and try to un-compile it :))

For any home-computer Windows user, there is something better than antivirus software: keep a backup up to date and do a format c: if you feel in danger.
If a virus has harmed the system, simply delete ALL partitions of your hard drive(s) and create them again. Then reinstall your software and restore your backups. Remember to use safe diskettes for partitioning.
I haven't found any virus that harms my system :P ;)

Greetings,
Herenvardö

Herenvardo

3:34 pm on Sep 1, 2003 (gmt 0)

10+ Year Member



Another way to get protected against many viruses:
Simply install LiNUX and use it to read e-mail. Most viruses only attack MS Windows systems.
You could use any UNIX-like system, but I say LiNUX because it's free. Any Windows virus is a trouble for linux users! ;)

Me again,
Herenvardö

lasko

4:23 pm on Sep 1, 2003 (gmt 0)

10+ Year Member



hmmmmm

Herenvardo

Surely you have more time on your hands than the rest of us, although you are right about formatting your hard drive and keeping backup files, but if I did that I would be cleaning my computer 10 times per day.

All very clever to say how we can format our PCs and reinstall our software but with over 10 highly ranked web sites and over 100 enquiries a day I don't have the time.

I have never had a problem installing anti virus software, just put in the cd from a full version bought from a shop, then click install, update and I am protected.

I also want to point out that I have over 15 email addresses to manage from different companies that I work for.

By the way I don't have a problem with viruses because I have good up-to-date firewalls and anti virus software and I have never had to clean my computer or re-install my software.

:)

IanKelley

11:46 pm on Sep 1, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



[This is not a virus complaint] ;-)

Because the email addresses being used for these virus mass mailings are coming from a web spider... I'm wondering if anyone here knows how that spider identifies itself. Does it look exactly like a legitimate IE browser, or is it catchable?

What I'm getting at is that if someone has identified a unique pattern in the user agent sent by the virus when it's spidering for emails, protecting your site is no problem at all.
