For Jeremy Suiter: Received W32.Bugbear virus from you 

Good morning Jeremy,

When I switched on the PC this morning I received 2 emails supposedly
from you. Both had the W32.Bugbear virus attached. My Nortons detected
and disposed of them....but I thought that I should warn you in case
you do not know about it.

Regards,

Ross McKenzie
ValuSoft
Melbourne Australia



Mon, 11 Apr 2005 08:06:08 GMT  
Ross

They probably weren't from Jeremy - I've received the same type of email
proclaiming to be from Dave Pearson but that and others I've received under
different names all had the same IP address (I don't have them anymore so
can't say what it was).

--
HTH
Steve Quinn
http://www.tuxedo.org/~esr/faqs/smart-questions.html
'I want to move to Theory...Everything works in Theory'



Mon, 11 Apr 2005 08:35:26 GMT  
On Thu, 24 Oct 2002 10:35:26 +1000, "Stephen Quinn"

Quote:

>Ross

>They probably weren't from Jeremy - I've received the same type of email
>proclaiming to be from Dave Pearson but that and others I've received under
>different names all had the same IP address (I don't have them anymore so
>can't say what it was).

>--
>HTH
>Steve Quinn
>http://www.tuxedo.org/~esr/faqs/smart-questions.html
>'I want to move to Theory...Everything works in Theory'

Hi Steve,

Yes, you are probably correct...but it doesn't hurt to mention it.

Regards,

Ross McKenzie
ValuSoft
Melbourne Australia



Mon, 11 Apr 2005 10:05:37 GMT  

Quote:

>On Thu, 24 Oct 2002 10:35:26 +1000, "Stephen Quinn"

>>Ross

>>They probably weren't from Jeremy - I've received the same type of email
>>proclaiming to be from Dave Pearson but that and others I've received under
>>different names all had the same IP address (I don't have them anymore so
>>can't say what it was).

<aol>
Me too!
</aol>

Headers follow:

Received: from ns3.solcon.nl (212.45.37.3)
        by mailgate.witzendcs.co.uk with SMTP id smtpdhMsvPb; Wed, 23 Oct
2002 16:36:13 EDT
Received: from h (wc-55104.solcon.nl [212.45.55.104])
        by ns3.solcon.nl (NCRVNet/) with SMTP id g9NKSVX22791;
        Wed, 23 Oct 2002 22:28:31 +0200
Date: Wed, 23 Oct 2002 22:28:31 +0200

So it would appear that it's coming from solcon.nl, not



Mon, 11 Apr 2005 14:45:14 GMT  

Quote:
> On Thu, 24 Oct 2002 10:35:26 +1000, "Stephen Quinn"

> >They probably weren't from Jeremy - I've received the same type of email
> >proclaiming to be from Dave Pearson but that and others I've received under
> >different names all had the same IP address (I don't have them anymore so
> >can't say what it was).

> Yes, you are probably correct...but it doesn't hurt to mention it.

Yes, it does. It puts the blame where it doesn't belong. You did _not_,
in all probability, receive this e-mail from Jeremy, but from a third
party who has both of you in his address book.
Bugbear picks two addresses from the infected computer's addresses, then
sends it to the first random address with the From: header claiming it
comes from the second random address. In fact, I've even had Bugbear
mails with a From: address that was clearly patched together from _two_
random addresses. For example, I've had one from "My colleague's name"

is distinctive enough to make it unlikely someone of that name has the
same address at the completely unrelated domain.
Bottom line: you cannot depend on the From: header in a Bugbear mail.

Richard



Mon, 11 Apr 2005 15:58:29 GMT  

Quote:

> Received: from ns3.solcon.nl (212.45.37.3)
>    by mailgate.witzendcs.co.uk with SMTP id smtpdhMsvPb; Wed, 23 Oct
> 2002 16:36:13 EDT
> Received: from h (wc-55104.solcon.nl [212.45.55.104])
>    by ns3.solcon.nl (NCRVNet/) with SMTP id g9NKSVX22791;
>    Wed, 23 Oct 2002 22:28:31 +0200
> Date: Wed, 23 Oct 2002 22:28:31 +0200

> So it would appear that it's coming from solcon.nl, not



This neatly proves my other post: someone (who is on solcon.nl) has you,

virus has sent it to you, abusing the others' names to hack together an
invalid From: address.

Richard



Mon, 11 Apr 2005 16:23:32 GMT  
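An added example, not part of any post in this thread: reading the Received chain quoted above instead of the From: header, as the replies recommend. The Received lines are the ones posted in the thread; the From/To/Subject values and the function names are constructed placeholders, because the archive stripped the real addresses.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: Received lines are the ones quoted in the thread (re-folded);
# From/To/Subject are placeholders, since the archive stripped the real addresses.
SAMPLE = """\
Received: from ns3.solcon.nl (212.45.37.3)
\tby mailgate.witzendcs.co.uk with SMTP id smtpdhMsvPb; Wed, 23 Oct 2002 16:36:13 EDT
Received: from h (wc-55104.solcon.nl [212.45.55.104])
\tby ns3.solcon.nl (NCRVNet/) with SMTP id g9NKSVX22791;
\tWed, 23 Oct 2002 22:28:31 +0200
Date: Wed, 23 Oct 2002 22:28:31 +0200
From: "Some Colleague" <colleague@example.org>
To: recipient@example.com
Subject: constructed sample

body
"""

HOP = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)
IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
NAME = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

def received_hops(raw):
    """Return hops newest-first as dicts with keys helo, rdns, ip, by."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            helo, detail, by = m.groups()
            ip, name = IP.search(detail), NAME.search(detail)
            hops.append({"helo": helo, "by": by,
                         "rdns": name.group(0) if name else None,
                         "ip": ip.group(0) if ip else None})
    return hops

def domain_of(host):
    """Last two labels only (assumption: no public-suffix handling)."""
    return ".".join(host.lower().split(".")[-2:])

def from_vs_path(raw, my_gateway):
    """Compare the From: domain with the peer our own gateway recorded.
    Only that hop is first-hand; older Received lines are the relay's word."""
    claimed = parseaddr(message_from_string(raw).get("From", ""))[1].rpartition("@")[2]
    peer = next((h for h in received_hops(raw)
                 if h["by"].lower() == my_gateway.lower()), None)
    relay = domain_of(peer["helo"]) if peer else None  # HELO name is a claim; the IP is observed
    return {"from_domain": claimed.lower(), "relay_domain": relay,
            "relay_ip": peer["ip"] if peer else None,
            "from_matches_relay": bool(claimed) and domain_of(claimed) == relay}
```

A mismatch between From: and the relay is a hint rather than proof, since legitimate mail is often relayed through other domains; the useful output is the relay IP and the client address the relay reported, which are what an abuse report to the originating ISP needs.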

Quote:


>> On Thu, 24 Oct 2002 10:35:26 +1000, "Stephen Quinn"

>> >They probably weren't from Jeremy - I've received the same type of email
>> >proclaiming to be from Dave Pearson but that and others I've received under
>> >different names all had the same IP address (I don't have them anymore so
>> >can't say what it was).

>> Yes, you are probably correct...but it doesn't hurt to mention it.

>Yes, it does. It puts the blame where it doesn't belong. You did _not_,
>in all probability, receive this e-mail from Jeremy, but from a third
>party who has both of you in his address book.
>Bugbear picks two addresses from the infected computer's addresses, then
>sends it to the first random address with the From: header claiming it
>comes from the second random address. In fact, I've even had Bugbear
>mails with a From: address that was clearly patched together from _two_
>random addresses. For example, I've had one from "My colleague's name"

>is distinctive enough to make it unlikely someone of that name has the
>same address at the completely unrelated domain.
>Bottom line: you cannot depend on the From: header in a Bugbear mail.

>Richard

Hi Richard,

If you read my message to Jeremy again you will see that I said
"supposedly". I was not blaming him...simply warning him in case he
was not aware...and the wider c.l.c community because we appear at
some risk. If one of us is infected and doesn't know to look....well
you can just imagine the results.

No offense was meant...hopefully none is taken.

Regards,

Ross McKenzie
ValuSoft
Melbourne Australia



Mon, 11 Apr 2005 16:29:33 GMT  

* GMT:
<snip>

Quote:
> it comes from the second random address. In fact, I've even had
> Bugbear mails with a From: address that was clearly patched together
> from _two_ random addresses. For example, I've had one from "My
> colleague's name"

>name is distinctive enough to make it unlikely someone of that name
>has the same address at the completely unrelated domain.  Bottom
>line: you cannot depend on the From: header in a Bugbear mail.

Confirmed. I had the same thing the other way around:



Mon, 11 Apr 2005 16:54:32 GMT  

Quote:


> >Yes, it does. It puts the blame where it doesn't belong. You did _not_,
> >in all probability, receive this e-mail from Jeremy, but from a third
> >party who has both of you in his address book.
> >Bottom line: you cannot depend on the From: header in a Bugbear mail.

> If you read my message to Jeremy again you will see that I said
> "supposedly". I was not blaming him...simply warning him in case he
> was not aware...

Myeah, ok, but in all probability Jeremy has nothing whatsoever to do
with this virus to begin with. You're warning someone who doesn't need
to be warned.

Quote:
> and the wider c.l.c community because we appear at some risk.

Not me - I don't use LookOut <g>. Pegasus users are immune to Bugbear -
as, btw, are users of OutLook 6 and later, or of OutLook 5 who have used
the latest service pack, or who have the latest virus definitions for
their anti-virus program (as should everyone who is on the 'net at all,
IMO, but that's another matter).

Quote:
> If one of us is infected and doesn't know to look....well
> you can just imagine the results.

I don't have to - my colleagues had a whole wave of Bugbear infections
three weeks ago, so I know what it looks like. As one of the sysadmins
and postmasters here, I was not well pleased - and the strongest phase
of the attack happened just as we got our new mail server, leading to
(spurious, thank heavens) accusations against the server. But the larger
part of the Bugbear wave has been over for two weeks - what we're seeing
now is just the aftermath of people who _still_ haven't updated their
virus catchers.

Quote:
> No offense was meant...hopefully none is taken.

No offense, but I am concerned about misinformation about viruses. More
damage is done, it is said, by people reacting badly to incorrect virus
information than by the viruses themselves, and judging from my users I
believe it.

Richard



Mon, 11 Apr 2005 20:31:28 GMT  
Another bugbear tale of woe.
Try having to cope with the bugbear exe being dumped to all of your network
printers every time a user plugs a computer (that you have told them to
leave till it is cleaned) back into your network.

muppets...

--
Andy B

Replace NOSPAM with ANDY

Quote:



> > >Yes, it does. It puts the blame where it doesn't belong. You did _not_,
> > >in all probability, receive this e-mail from Jeremy, but from a third
> > >party who has both of you in his address book.

> > >Bottom line: you cannot depend on the From: header in a Bugbear mail.

> > If you read my message to Jeremy again you will see that I said
> > "supposedly". I was not blaming him...simply warning him in case he
> > was not aware...

> Myeah, ok, but in all probability Jeremy has nothing whatsoever to do
> with this virus to begin with. You're warning someone who doesn't need
> to be warned.

> > and the wider c.l.c community because we appear at some risk.

> Not me - I don't use LookOut <g>. Pegasus users are immune to Bugbear -
> as, btw, are users of OutLook 6 and later, or of OutLook 5 who have used
> the latest service pack, or who have the latest virus definitions for
> their anti-virus program (as should everyone who is on the 'net at all,
> IMO, but that's another matter).

> > If one of us is infected and doesn't know to look....well
> > you can just imagine the results.

> I don't have to - my colleagues had a whole wave of Bugbear infections
> three weeks ago, so I know what it looks like. As one of the sysadmins
> and postmasters here, I was not well pleased - and the strongest phase
> of the attack happened just as we got our new mail server, leading to
> (spurious, thank heavens) accusations against the server. But the larger
> part of the Bugbear wave has been over for two weeks - what we're seeing
> now is just the aftermath of people who _still_ haven't updated their
> virus catchers.

> > No offense was meant...hopefully none is taken.

> No offense, but I am concerned about misinformation about viruses. More
> damage is done, it is said, by people reacting badly to incorrect virus
> information than by the viruses themselves, and judging from my users I
> believe it.

> Richard



Mon, 11 Apr 2005 22:31:35 GMT  

Quote:

> Another bugbear tale of woe.
> Try having to cope with the bugbear exe being dumped to all of your network
> printers every time a user plugs a computer (that you have told them to
> leave till it is cleaned) back into your network.

<g> Luckily, I'm physically close enough to my users that when they do
that, I can impound the damn thing.

Richard



Mon, 11 Apr 2005 23:28:48 GMT  
It wasn't me guvnor, honest!

I'm _very_ thorough about keeping my anti-virus software up to date.
Richard's right in that bugbear 'makes up' email addresses so you thought it
was from me.

Jeremy 'not guilty m'lord' Suiter


Quote:

> > Received: from ns3.solcon.nl (212.45.37.3)
> > by mailgate.witzendcs.co.uk with SMTP id smtpdhMsvPb; Wed, 23 Oct
> > 2002 16:36:13 EDT
> > Received: from h (wc-55104.solcon.nl [212.45.55.104])
> > by ns3.solcon.nl (NCRVNet/) with SMTP id g9NKSVX22791;
> > Wed, 23 Oct 2002 22:28:31 +0200
> > Date: Wed, 23 Oct 2002 22:28:31 +0200

> > So it would appear that it's coming from solcon.nl, not



> This neatly proves my other post: someone (who is on solcon.nl) has you,

> virus has sent it to you, abusing the others' names to hack together an
> invalid From: address.

> Richard



Tue, 12 Apr 2005 00:04:58 GMT  
On Thu, 24 Oct 2002 17:04:58 +0100, "Jeremy Suiter"

Quote:

>It wasn't me guvnor, honest!

>I'm _very_ thorough about keeping my anti-virus software up to date.
>Richard's right in that bugbear 'makes up' email addresses so you thought it
>was from me.

>Jeremy 'not guilty m'lord' Suiter

Hi Jeremy,

Apologies again...

Regards,

Ross McKenzie
ValuSoft
Melbourne Australia



Tue, 12 Apr 2005 07:50:24 GMT  
 