Computer Security - Re: PLEASE REMOVE ALL PUBLIC POSTINGS CONTAINING MALICIOUS VIRUS CODE

 
11-16-2003, 05:03 PM   #1


MI6 U2:

Please do NOT use all caps. Either your "Caps Lock" key is broken or you are
deliberately using all caps. Unfortunately, in UseNet that means you are screaming as well
as the fact that all caps are harder to read than normally formatted text.

About virus-laden posts in UseNet news groups. Examine the headers of each post.
Look for the ABUSE email address or the posting IP address. Send the Full Headers and body
to the abuse address found in the headers. If you can only find the IP address, go to
http://www.dnsstuff.com/ and look up the records of the IP and you should find an ABUSE
email address there. Then you can send a complaint using that information.

Now there are two types of virus-laden posts: deliberately posted attachments and the Swen
worm. Recently there was a poster from British Telecom that was deliberately, and
maliciously, posting dozens of infected attachments (all different) to
microsoft.public.security.virus. I have been in contact with British Telecom and I am
confident that poster will be prosecuted under British law. The administrators of the
Microsoft News Groups have been diligent about removing the posted infectors as soon as they
were able to.

The Swen worm is new and has a new tactic. Built into the Swen worm is its own NNTP client.
(BTW: Swen spelled backwards is News !) Infected platforms can, w/o the knowledge of the
owner of the infected platform, post itself in two forms to UseNet news groups. The first
is a post that has a 106KB EXE attachment and it is capable of infecting a platform if
executed. The second is a ZIP file of 0 ~ 2 bytes. This is a form that is NOT infectious. I
have heard about, but not seen, a variant of the Swen worm that posts an EXE ~ 89KB.

Now about Google. They extract, copy, and cache UseNet. What you need to do is send abuse
email to the Google abuse email address addressing your concerns. As it is, your post will
go mostly ignored due to being in all caps and in effect being a flame post.

I hope I have addressed your concerns and have also pointed out the problems in the way you
expressed them.

Dave





David H. Lipman
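
The header check described in the post above, as an added example that is not part of the original post: it pulls the abuse address and posting IP out of an article's full headers and says when an IP lookup is still needed. The header names `X-Complaints-To`, `X-Abuse-Info` and `NNTP-Posting-Host` are assumptions about what the news server adds, and the sample articles are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Assumed header names; news servers differ in which ones they add.
ABUSE_HEADERS = ("X-Complaints-To", "X-Abuse-Info")
HOST_HEADERS = ("NNTP-Posting-Host",)
# Addresses that identify no provider, so a lookup on them is pointless.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def report_targets(raw_article: str) -> dict:
    """Return abuse addresses and posting IPs found in an article's headers."""
    msg = message_from_string(raw_article)
    abuse, ips = [], []
    for name in ABUSE_HEADERS:
        for value in msg.get_all(name, []):
            for addr in EMAIL_RE.findall(value):
                if addr.lower() not in abuse:
                    abuse.append(addr.lower())
    for name in HOST_HEADERS:
        for value in msg.get_all(name, []):
            for cand in IPV4_RE.findall(value):
                try:
                    ip = ipaddress.ip_address(cand)
                except ValueError:  # e.g. 999.1.1.1
                    continue
                if any(ip in net for net in NON_ROUTABLE):
                    continue
                if str(ip) not in ips:
                    ips.append(str(ip))
    # No abuse address in the headers: look up the IP's records instead.
    return {"abuse": abuse, "posting_ips": ips,
            "needs_ip_lookup": not abuse and bool(ips)}

# Constructed sample articles (documentation address ranges, not real posts).
WITH_ABUSE = "\n".join([
    "From: someone@example.com", "Newsgroups: alt.test",
    "NNTP-Posting-Host: 203.0.113.45",
    "X-Complaints-To: abuse@example.net (include full headers)",
    "", "body"])
IP_ONLY = "\n".join([
    "From: someone@example.com", "NNTP-Posting-Host: 198.51.100.7", "", "body"])
PRIVATE_IP = "\n".join([
    "From: someone@example.com", "NNTP-Posting-Host: 192.168.1.5", "", "body"])

if __name__ == "__main__":
    for sample in (WITH_ABUSE, IP_ONLY, PRIVATE_IP):
        print(report_targets(sample))
```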