[vox-tech] Viruses coming from UC Davis.....

Samuel N. Merritt vox-tech@lists.lugod.org
Wed, 11 Feb 2004 10:19:55 -0800


On Wed, Feb 11, 2004 at 10:12:23AM -0800, Mitch Patenaude wrote:
> On Wednesday, Feb 11, 2004, at 09:15 US/Pacific, Gabriel Rosa wrote:
> >I wouldn't say that's the only way you could be getting targeted. My
> >mail server at home has been getting dictionaried lately.
> >
> >With such a short username, it's entirely possible that someone just
> >guessed your username at sonic.
> 
> While I've heard of spammers trying dictionary attacks, I've never
> heard of viruses using it.

MyDoom has a small dictionary of common usernames that it uses.

A very brief scan of my mail logs shows "john", "maria", "stan",
"jimmy", and "leo". There are dozens of others, but that shows the
pattern.

> Also, it's unlikely that they would get my initials (mrp) from a
> dictionary attack, and trying all ~17000 3 letter combinations seems a
> low yield method, considering so many better techniques exist, and
> it's even MORE unlikely that they'd hit that twice within 24 hours from
> the same machine.

That's true; plus, "mrp" isn't in MyDoom's dictionary, so it must have
been snarfed from a file on the infected machine.

> However, MANY current viruses (including mydoom.{a,b,c}, which is what
> I suspect these were) use address books and return addresses from
> recently received messages, which seems a much more "profitable" method
> from a virus writer's perspective. I'm hoping that somebody AT UC Davis
> who recognizes the IP will track down the machine and patch it.
> 
>   -- Mitch
> 

-- 
Samuel Merritt
OpenPGP key is at http://meat.andcheese.org/~spam/spam_at_andcheese_dot_org.asc
Information about PGP can be found at http://www.mindspring.com/~aegreene/pgp/
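One way to pick the dictionary pattern Sam describes out of mail logs, added here as an example that is not part of the original thread: group "User unknown" rejects by sending host and flag any host that probed several distinct local parts in a short window. The log format, hostnames and IP addresses below are constructed for illustration, not taken from anyone's real logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not the poster's real logs), loosely
# modelled on an MTA's "RCPT ... User unknown" reject entries.
SAMPLE_LOG = """\
Feb 11 09:14:02 mx smtpd[2201]: reject: RCPT from unknown[192.0.2.10]: 550 <john@example.org>: User unknown
Feb 11 09:14:03 mx smtpd[2201]: reject: RCPT from unknown[192.0.2.10]: 550 <maria@example.org>: User unknown
Feb 11 09:14:05 mx smtpd[2201]: reject: RCPT from unknown[192.0.2.10]: 550 <stan@example.org>: User unknown
Feb 11 09:14:06 mx smtpd[2201]: reject: RCPT from unknown[192.0.2.10]: 550 <jimmy@example.org>: User unknown
Feb 11 09:14:08 mx smtpd[2201]: reject: RCPT from unknown[192.0.2.10]: 550 <leo@example.org>: User unknown
Feb 11 09:14:09 mx smtpd[2201]: client=unknown[192.0.2.10], to=<mrp@example.org>: accepted
Feb 11 09:20:41 mx smtpd[2210]: reject: RCPT from mail.example.net[198.51.100.7]: 550 <jon@example.org>: User unknown
Feb 11 13:02:11 mx smtpd[2250]: reject: RCPT from unknown[203.0.113.5]: 550 <john@example.org>: User unknown
Feb 11 13:02:12 mx smtpd[2250]: reject: RCPT from unknown[203.0.113.5]: 550 <john@example.org>: User unknown
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: reject: RCPT from "
    r"\S*\[(?P<ip>[\d.]+)\]: 550 <(?P<user>[^@>]+)@[^>]*>: User unknown"
)

def parse_rejects(log_text):
    """Yield (timestamp, client_ip, local_part) for each unknown-user reject."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            # Syslog stamps carry no year; only time differences are used.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["ip"], m["user"].lower()

def find_dictionary_sources(log_text, min_distinct=4, window=timedelta(minutes=10)):
    """Return {client_ip: sorted local parts} for clients that were rejected for
    at least `min_distinct` different unknown recipients inside one `window`."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_rejects(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {u for t, u in events[i:] if t - start <= window}
            if len(names) >= min_distinct:
                flagged[ip] = sorted(names)
                break
    return flagged

if __name__ == "__main__":
    for ip, names in find_dictionary_sources(SAMPLE_LOG).items():
        print(f"{ip}: probed {len(names)} unknown users: {', '.join(names)}")
```

A single mistyped address (198.51.100.7) or one name retried twice (203.0.113.5) stays below the threshold; only the host cycling through distinct common names is reported.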
