[TriLUG] Virus Attachments

David A. Cafaro dac at cafaro.net
Wed Jan 28 14:11:26 EST 2004


Ok, you really need to go and read up on what these viruses are actually
doing.  Neither MyDoom nor Win32.Swen infects Linux or Mac computers
(they could copy a file onto a Linux computer running a Samba share that
is being accessed by an infected Windows client, but that is not the
Linux machine being infected).  Win32.Swen will create From addresses that
could look like they are from MS support as well as from any domain
name's admin (admin at somedomain.net etc...).  This is randomly created and
does not tell you who is actually infected.  Same with MyDoom, it is
creating random From addresses, so the From does not tell you who it is
from, only that someone who knows you and the From address person, some
mutual acquaintance, is infected, NOT necessarily you or the FROM
person.

Here is Win32.Swen:
http://www.ravantivirus.com/virus/showvirus.php?v=201

Here is MyDoom:
http://www.ravantivirus.com/virus/showvirus.php?v=205


Now a Linux-based server that doesn't have virus filtering on can
forward an infected email, but it is not infected itself, it is just
passing on what it considers a normal email to the recipient.  What may
be even more annoying (or helpful) is that at least Win32.Swen may run
its own SMTP server (thus the from IP address may show the infected
machine), but sometimes it still may use the victim computer's ISP's
email server.

Hope that clears some of that up.  As for the pgp signature, no telling,
it may have just been coincidence (a forged infected email with his from
address at the same time he sent a legitimate email, need to check the
email body to make sure it was the pgp one.  Also some email scanning
server may be setup to block all attachments and could block pgp mime
attachments).

Cheers,
David





On Wed, 2004-01-28 at 13:50, Roberto J. Dohnert wrote:
> If it did think that your pgp.sig was a virus, why myDoom?  Another guy
> sent me a virus that was called Win32.Swen and I emailed him as well.
> It is confusing.  And I will get to the bottom of it and I will keep in
> touch.  If someone here could explain how a virus goes from a Linux mail
> server let me know.
>  
> -----Original Message-----
> From: Joshua Gitlin [mailto:josh at glowfilms.com] 
> Sent: Wednesday, January 28, 2004 1:30 PM
> To: David A. Cafaro
> Cc: Roberto J. Dohnert
> Subject: Re: [TriLUG] Virus Attachments
>  
> What is more annoying is when I get emails from virus
> scanning servers telling me that I'm infected (yeah, that funny, a
> windows virus has infected and taken over my Linux desktop..hehe yeah
> what ever..)
> 
> David,
> 
> Actually, this happened to me, too. Roberto's email server said that it
> stripped the myDoom virus off of an email that I sent to him... but I'm
> using MacOS and Linux -- I'm not infected. When Roberto received said
> email from me, the bottom of the message read:
> ---
> avast! Antivirus: Inbound message INFECTED:
> (Win32:MyDoom) was deleted from the message.
> 
> Virus Database (VPS): 1/26/2004
> Tested on: 1/28/2004 11:15:09 AM
> avast! is copyright (c) 2000-2003 ALWIL Software.
> http://www.avast.com
> 
> My only thinking could be that somehow the avast! software running on
> Roberto's mail server thought that my PGP signature was a virus... Other
> than that, I'm baffled. Because this was an email that I deliberately
> composed (I sent it to TriLUG also, the subject was Re: [TriLUG] HD
> Diags -> smarttools). I'm quite confused... Why would virus scanning
> software be telling me (and you) that we're infected?
> 
> -Josh
-- 
David A. Cafaro <dac(at)cafaro.net>
Sys Admin to User: "You did what?!?"
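The point made above, that the From: line on these worm mails is random while the first Received: hop (when the worm uses its own SMTP engine) points at the infected machine, as an added example that is not part of the original thread or of anyone's posted code: a small Python script that ignores From: and walks the Received: trail to the originating relay, then checks whether the From: domain has anything to do with that host.  The sample message is constructed for the example, not a real capture, and the "from helo (rdns [ip]) by host" layout is the common sendmail/Postfix form (an assumption; other MTAs vary).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): a worm on a dial-up Windows box
# delivers directly to the recipient's relay with a forged From: address.
SAMPLE_MESSAGE = """\
Received: from mail.example.org (mail.example.org [198.51.100.7])
\tby mx.trilug.org (Postfix) with ESMTP id 1A2B3C
\tfor <someone@trilug.org>; Wed, 28 Jan 2004 13:45:10 -0500
Received: from pcmonster (dialup-203-0-113-42.example-isp.net [203.0.113.42])
\tby mail.example.org (8.12.9/8.12.9) with SMTP id i0SIj5Xc012345
\tfor <someone@trilug.org>; Wed, 28 Jan 2004 13:45:02 -0500
From: admin@somedomain.net
To: someone@trilug.org
Subject: Re: [TriLUG] Virus Attachments
Message-ID: <constructed-example@example.invalid>

Body text.
"""

# "from HELO (rdns [1.2.3.4])" with the rdns part optional.
_HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)
_BY_RE = re.compile(r"\bby\s+(?P<by>\S+)")


def received_hops(msg_text):
    """Return the Received: hops in header order (top of header = newest hop)."""
    msg = message_from_string(msg_text)
    hops = []
    for raw in msg.get_all("Received", []):
        value = " ".join(raw.split())  # unfold continuation lines
        m = _HOP_RE.search(value)
        if not m:
            continue
        by = _BY_RE.search(value)
        hops.append({
            "helo": m.group("helo"),
            "rdns": m.group("rdns"),
            "ip": m.group("ip"),
            "by": by.group("by") if by else None,
        })
    return hops


def analyze(msg_text):
    """Compare the From: domain against the host that first injected the mail.

    The bottom-most Received: line is the hop closest to the sender.  Note that
    only the hop your own relay added is trustworthy; a sender can pre-forge
    any Received: lines beneath it.
    """
    msg = message_from_string(msg_text)
    hops = received_hops(msg_text)
    origin = hops[-1] if hops else None
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    origin_rdns = ((origin or {}).get("rdns") or "").lower()
    matches = bool(from_domain) and (
        origin_rdns == from_domain or origin_rdns.endswith("." + from_domain)
    )
    return {
        "from_addr": from_addr,
        "from_domain": from_domain,
        "origin_ip": origin["ip"] if origin else None,
        "origin_rdns": origin_rdns or None,
        "origin_matches_from": matches,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_MESSAGE)
    print("From:          ", result["from_addr"])
    print("Injected from: ", result["origin_ip"], result["origin_rdns"])
    if not result["origin_matches_from"]:
        print("From: domain does not match the originating host; treat From: as forged.")
```

In the constructed message the From: claims admin at somedomain.net, but the mail was injected from a dial-up host at another ISP, which is the machine worth notifying.  When the worm relays through the victim's ISP mail server instead, the originating hop is that ISP's relay, and the dial-up address only appears if the relay records it.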