Mydoom worm and Macs

DaveC

If there's a better forum to ask this question, please forgive and recommend.


The Mydoom worm that is spreading unchecked across the net does not affect
Macs. Or so I thought. I'm getting lots of mail with attachments, as is
everybody, and these are getting thrown in the trash.

But I'm also getting, from a POP web mail service that I use, lots of
"Failure to deliver message" messages with various reasons stated, about lots
of addresses at this service I don't know. Also, I'm getting some of those
"white-list" confirmations from this same service. None of these messages has
an attachment. They really look authentic.

Since I don't know any of these people, don't have any of their addresses in
my address book, nor have I ever sent them a message -- nor ever received a
message from any of these people -- how come I'm getting these error messages
from the mail service? Is my web mail service the one that's infected, and
sending these out, randomly, to all of the users?

Thanks,
 

Christoph Gartmann

> The Mydoom worm that is spreading unchecked across the net does not affect
> Macs. Or so I thought. I'm getting lots of mail with attachments, as is
> everybody, and these are getting thrown in the trash.
>
> But I'm also getting, from a POP web mail service that I use, lots of
> "Failure to deliver message" messages with various reasons stated, about lots
> of addresses at this service I don't know. Also, I'm getting some of those
> "white-list" confirmations from this same service. None of these messages has
> an attachment. They really look authentic.
>
> Since I don't know any of these people, don't have any of their addresses in
> my address book, nor have I ever sent them a message -- nor ever received a
> message from any of these people -- how come I'm getting these error messages
> from the mail service? Is my web mail service the one that's infected, and
> sending these out, randomly, to all of the users?

This worm scans infected computers for e-mail addresses. Then it sends itself
out to these addresses. Even worse, it uses these addresses as the sender's
address. So if your friend's computer is infected, it is very likely that it
will distribute the worm with your address. On the other hand, many sites have
anti-virus software installed on their mailservers. These will reject infected
messages and return them to the sender. That's why you get these things.

Regards,
Christoph Gartmann

--
Max-Planck-Institut fuer Immunbiologie    Phone : +49-761-5108-464  Fax: -452
Postfach 1169                             Internet: gartmann@immunbio dot mpg dot de
D-79011 Freiburg, Germany
http://www.immunbio.mpg.de/home/menue.html
 

kurt wismer

DaveC said:
> If there's a better forum to ask this question, please forgive and recommend.
>
> The Mydoom worm that is spreading unchecked across the net does not affect
> Macs. Or so I thought. I'm getting lots of mail with attachments, as is
> everybody, and these are getting thrown in the trash.
>
> But I'm also getting, from a POP web mail service that I use, lots of
> "Failure to deliver message" messages with various reasons stated, about lots
> of addresses at this service I don't know. Also, I'm getting some of those
> "white-list" confirmations from this same service. None of these messages has
> an attachment. They really look authentic.
>
> Since I don't know any of these people, don't have any of their addresses in
> my address book, nor have I ever sent them a message -- nor ever received a
> message from any of these people -- how come I'm getting these error messages
> from the mail service? Is my web mail service the one that's infected, and
> sending these out, randomly, to all of the users?

mydoom forges the from address... when the email fails to go through
the error will go to the address specified forged from address...
 

Matthew Russotto

> If there's a better forum to ask this question, please forgive and recommend.
>
> But I'm also getting, from a POP web mail service that I use, lots of
> "Failure to deliver message" messages with various reasons stated, about lots
> of addresses at this service I don't know. Also, I'm getting some of those
> "white-list" confirmations from this same service. None of these messages has
> an attachment. They really look authentic.

Forged "From" addresses mean you get the bounces the virus sends.
Someone infected has your address on their computer somehow.
 

Phil Stripling

DaveC said:
> But I'm also getting, from a POP web mail service that I use, lots of
> "Failure to deliver message" messages with various reasons stated, about
> lots of addresses at this service I don't know. Also, I'm getting some of
> those "white-list" confirmations from this same service. None of these
> messages has an attachment. They really look authentic.

Not all of these are real bounce messages. The worm is using that as a
device to get dumb Windows users to open the attachment to see what it
is. The enclosed message says something like, "The attachment is zipped
because it contains unicode characters which cannot be displayed." So
people unzip the document (called document.zip) to see what it is.
Surprise! It's document.exe, which is the payload.
 

Bill Cole

DaveC said:
> If there's a better forum to ask this question, please forgive and recommend.
>
> The Mydoom worm that is spreading unchecked across the net does not affect
> Macs. Or so I thought. I'm getting lots of mail with attachments, as is
> everybody, and these are getting thrown in the trash.

All the mail is the only thing the worm can do to you. The worm itself
cannot run on a Mac.

> But I'm also getting, from a POP web mail service that I use, lots of
> "Failure to deliver message" messages with various reasons stated, about lots
> of addresses at this service I don't know. Also, I'm getting some of those
> "white-list" confirmations from this same service. None of these messages has
> an attachment. They really look authentic.
>
> Since I don't know any of these people, don't have any of their addresses in
> my address book, nor have I ever sent them a message -- nor ever received a
> message from any of these people -- how come I'm getting these error messages
> from the mail service? Is my web mail service the one that's infected, and
> sending these out, randomly, to all of the users?

No.

This worm sends out mail forged to appear to be from any address it can
find on the infected machine and it also invents addresses using any
domain name it finds in an address and a list of a few dozen common
first names. It sends to all of those addresses AND uses them all as
fake return addresses on mail it sends. The result is that somewhere out
there someone stupid enough to get infected (and this one DOES require
that the infected computer be run by a complete fool) either had your
address in some file on their computer OR had an address in the same
domain, and you have a common username.

For example, 'bill' is one of those names. I have it as my username in a
number of domains, some of which are addresses I've never used publicly.
For the first time ever this week, 2 mailboxes of mine got mail from
outside their domains. That mail is all worms and some bounces of worms
that most certainly did not come from anywhere near the addresses they
were bounced to.
 

Geoffrey

DaveC said:
> The Mydoom worm that is spreading unchecked across the net does not affect
> Macs. Or so I thought. I'm getting lots of mail with attachments, as is
> everybody, and these are getting thrown in the trash.

Yup, that's about all we Mac people can do.

> But I'm also getting, from a POP web mail service that I use, lots of
> "Failure to deliver message" messages with various reasons stated, about
> lots of addresses at this service I don't know. Also, I'm getting some of
> those "white-list" confirmations from this same service. None of these
> messages has an attachment. They really look authentic.

They're a side-effect of one of the four viruses doing the rounds: two
of them plunder people's e-mail addressbooks and use the data gleaned
as the Sender tag for the email -- obviously, if the address the spam is
sent to bounces, *you* will be the one copping the daemon's bounce
message.

Unfortunately, there's sod-all you can do about this, but delete the
messages or set up a filter.

> Since I don't know any of these people, don't have any of their addresses
> in my address book, nor have I ever sent them a message -- nor ever
> received a message from any of these people -- how come I'm getting these
> error messages from the mail service?

See above. These viruses are damn good at gathering addresses from
anyone still using Outlook on an unprotected Windows machine. No doubt
some people you know (who use Windows and Outlook / Address Book) that
you correspond with have added your email address details to their
address book, which in turn has become plundered data and sent off to
the virus-creator's HQ.

These viruses also contain their own basic SMTP mail transmission
client, so it is possible for the trojan's creator to 'tap' the infected
machine as a transmission source for spam without the owner's knowledge.

Sadly, once your email address gets out like this, the only way to stop
it from attracting any more spam is to stop using it and get another,
and/or pay that little bit extra to have your mail routed through a
professional spam-cleaning service.


Geoffrey

(remove EXCESS BAGGAGE to reply via mail)
 

DaveC

> mydoom forges the from address... when the email fails to go through the
> error will go to the address specified forged from address...

Oh, I think I get it. Someone's computer is sending random e-mails with my
address as the "from" address. When it bounces, I get the error message.

Thanks,
 

Wes Groleau

DaveC said:
> Oh, I think I get it. Someone's computer is sending random e-mails with my
> address as the "from" address. When it bounces, I get the error message.

Plus, there are a lot of "geniuses" running ISPs who
detect the virus and inform you (a Mac user) that you
need to disinfect your system from this (windows) virus!
 

Alec McKenzie

> Sadly, once your email address gets out like this, the only way to stop
> it from attracting any more spam is to stop using it and get another,
> and/or pay that little bit extra to have your mail routed through a
> professional spam-cleaning service.

Or use a free one and pay nothing :)
 

David Turley

> On the other hand, many sites have
> anti virus software installed on their mailservers. These will reject infected
> messages and return them to the sender. That's why you get these things.

Any sys admin worth his salt knows that the "From" address on just about
every single virused/trojaned email is fake. It takes a total loser sys
admin to set such an auto-reply system in place. I get more "you sent a
virus" emails than I do actual virused mails.

If your organization is doing this, the next thing your sys admin should
be saying is "Would you like fries with that order?" (But if they're so
incompetent as to be sending these notices, they're likely too stupid to
flip burgers either.)
 

Bob Tripi

I see those messages on my PC and my antivirus is saying the attachment
is infected. You may also be seeing what looks to be patches from
Microsoft to IE which are also infected. The virus I saw only runs on MS
Windows so I think you are OK.
 

David C.

David Turley said:
> Any sys admin worth his salt knows that the "From" address on just
> about every single virused/trojaned email is fake. It takes a total
> loser sys admin to set such an auto-reply system in place. I get
> more "you sent a virus" emails than I do actual virused mails.

Yeah, but the internet is crawling with total loser sys admins.

-- David
 

DaveC

> I see those messages on my PC and my antivirus is saying the attachment is
> infected. You may also be seeing what looks to be patches from Microsoft to
> IE which are also infected. The virus I saw only runs on MS Windows so I
> think you are OK.

I know I'm free from the risk of infection, I was just confused about
receiving these "message undeliverable" from my mail service, addressed to
me. I thought, at first, that maybe the mail servers were infected and
sending out these messages, but they're just responding to what they think
are legitimate messages apparently (but not actually) sent by me.
 

Wes Groleau

Geoffrey said:
> and/or pay that little bit extra to have your mail routed through a
> professional spam-cleaning service.

http://www.despammed.com

No charge. (Though he does stick a plea for donations
on the bottom of every e-mail.)

There are others.

I used despammed for a while. Now I have a Unix account,
write my own filters, and forward the good stuff on home.

Mail.app has no problem tossing the few that get out of
the Unix box.
 

Van Bagnol

DaveC said:
> The Mydoom worm that is spreading unchecked across the net does not affect
> Macs. Or so I thought. I'm getting lots of mail with attachments, as is
> everybody, and these are getting thrown in the trash.
>
> But I'm also getting, from a POP web mail service that I use, lots of
> "Failure to deliver message" messages with various reasons stated, about lots
> of addresses at this service I don't know.

Apparently, "MyDoom" is forging your address and sending out mail
claiming to be from you. Some of the recipients are invalid accounts,
and the recipients' mailservers are sending _you_ the "undeliverable
message" notices.

MyDoom apparently finds an address, then forms random destinations by
concatenating names with that address's domain. For example, it found
your <[email protected]> address, so it sends mail to <[email protected]>,
<[email protected]>, <[email protected]>, <[email protected]>, and so on.

Your Mac was not infected, nor did the worm get information from your
address book. The worm did, however, use your address and others it
found for subsequent infections.

Van
 

Dale Thompson

Van Bagnol said:
> Apparently, "MyDoom" is forging your address and sending out mail
> claiming to be from you. Some of the recipients are invalid accounts,
> and the recipients' mailservers are sending _you_ the "undeliverable
> message" notices.
>
> MyDoom apparently finds an address, then forms random destinations by
> concatenating names with that address's domain. For example, it found
> your <[email protected]> address, so it sends mail to <[email protected]>,
> <[email protected]>, <[email protected]>, <[email protected]>, and so on.
>
> Your Mac was not infected, nor did the worm get information from your
> address book. The worm did, however, use your address and others it
> found for subsequent infections.
>
> Van


According to McAfee's virus definition page, these are not responses to
mail claiming to be you, but the worm itself, attempting to get into your
system:
<http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100983>

Rosemary
 

Van Bagnol

Dale Thompson said:
> According to McAfee's virus definition page, these are not responses to
> mail claiming to be you, but the worm itself, attempting to get into your
> system
> <http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=10098>

Actually, while there may be _some_ messages claiming to be a server
error (I received a few from apparently legitimate e-mail addresses that
were victimized), the ones I'm talking about were from legitimate mailer
daemons.

They either detected or removed the infecting attachment from the
original message (hence deactivating the payload) or provided traceback
headers which showed the originating message came from an IP address
associated with forged mail.

Some mailservers, sadly, did _not_ detect the Mydoom worm but instead
passed the payload on in the delivery notification.

Van
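Christoph's and Van's replies between them describe the mechanism: the worm forges the From address, so delivery failures land in the forged sender's mailbox, and a genuine bounce of your own mail can be told apart from backscatter by the Received: trail in the copy of the original that the notification carries. As an added example (not code from the thread or from any poster), here is a Python check that makes that distinction and also flags notifications that still carry the attachment, as Van notes some servers pass back; the relay hostname, addresses and sample DSN are constructed.

```python
import email
from email import policy

# Assumed relay names: the hosts our own outbound mail really passes through.
OUR_RELAYS = ("mail.example.net",)

# Constructed sample DSN: the embedded original's Received: trail never touches
# our relay, so the From: was forged. It also carries the worm's attachment.
BACKSCATTER = """\
From: MAILER-DAEMON@remote.example.org
To: dave@example.net
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from unknown [198.51.100.23] by remote.example.org
From: dave@example.net
To: bill@example.net
Content-Type: application/zip; name="document.zip"
Content-Disposition: attachment; filename="document.zip"

UEsDBA==
--b1--
"""

# Same DSN, but the original really left through our relay: a genuine bounce.
GENUINE = BACKSCATTER.replace(
    "from unknown [198.51.100.23]", "from mail.example.net [192.0.2.10]")


def classify_bounce(raw, our_relays=OUR_RELAYS):
    """Return (verdict, carries_attachment) for one raw bounce message."""
    dsn = email.message_from_string(raw, policy=policy.default)
    original = None
    for part in dsn.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full copy of the original
            original = part.get_content()
        elif ctype == "text/rfc822-headers":   # headers-only copy
            original = email.message_from_string(part.get_content(),
                                                 policy=policy.default)
    if original is None:
        return ("no-original", False)          # cannot verify; treat as suspect
    # A real bounce of our mail shows one of our relays in the Received: trail.
    hops = original.get_all("Received", [])
    genuine = any(relay in hop for hop in hops for relay in our_relays)
    # Flag notifications that pass the original's attachment back to us.
    carries = any(p.get_filename() for p in dsn.walk())
    return ("genuine" if genuine else "backscatter", carries)
```

A bounce with no copy of the original cannot be verified either way, which is why the function reports it separately rather than guessing.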
 