
Re: [Fwd: VIRUS (Worm.Bagle.A) IN MAIL TO YOU (from <owner-openldap-software@OpenLDAP.org>)]



The virus was either from inside the network where the OpenLDAP mailserver 
resides (unlikely) or from a client of samara.net, which is apparently a 
Russian ISP.

  http://www.samspade.org/t/lookat?a=195.128.153.203

Doug's mail only lists a portion of the fake headers, the important part is 
this:

>Received: from winxp ([195.128.153.203])
>	by boole.openldap.org (8.12.10/8.12.10) with SMTP id i0LB6NrZ089148
>	for <openldap-software@OpenLDAP.org>; Wed, 21 Jan 2004 11:06:24 GMT
>	(envelope-from dieter@dkluenter.de)

As you can see the SMTP envelope (which is completely spoofable) claims to be 
from Dieter Kluenter.  However, Dieter's mail seems to come from dialup 
addresses in the 62.180.0.0/16 CIDR netblock, which belong to German ISP "BT 
Ignite" (whoever that is).

For comparison, here's a message header that's actually from Dieter:

>Received: from pink.l4b.de (c-180-221-89.cvx-h.dial.de.ignite.net [62.180.221.89])
>	by boole.openldap.org (8.12.10/8.12.10) with ESMTP id i0HGVerY091284
>	for <openldap-software@openldap.org>; Sat, 17 Jan 2004 16:31:49 GMT
>	(envelope-from dieter@dkluenter.de)

Most of the recent mail-borne virii get their address information by randomly 
sampling the Outlook address book or similar sources, and most of them get 
their host names from the CIFS host ID.  So, even though I haven't looked up 
how Bagle works, I'll guess that the source of this virus is a Windows XP box 
running Outlook somewhere in eastern Europe.  If that describes you, check your 
IP address (and if it is 195.128.153.203 you win the prize).

I'm kind of surprised the OpenLDAP mailserver didn't stop the thing.

--Charlie

On 21 Jan 2004 at 11:21, Douglas Furlong wrote:

> 
> Just to let people know, an email was sent to the list just now, with
> the Bagle.A virus/worm attached.
>
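As an added example (not part of the thread), here is a small Python check that does what Charlie does by hand: it parses the two Received headers quoted above, pulls out the HELO name, the IP the MTA actually saw and the envelope-from, and tests whether that IP falls inside the 62.180.0.0/16 block he associates with Dieter's mail. The netblock table is taken from the thread, not from any authoritative source, and the unfolded header strings are reconstructed from the quoted text.

```python
import ipaddress
import re

# Netblock Charlie associates with the claimed sender (from the thread,
# not an authoritative allow-list).
KNOWN_SENDER_NETS = {
    "dieter@dkluenter.de": [ipaddress.ip_network("62.180.0.0/16")],
}

# The two Received headers quoted in the thread, unfolded onto one line each.
FORGED_RECEIVED = (
    "from winxp ([195.128.153.203]) by boole.openldap.org (8.12.10/8.12.10) "
    "with SMTP id i0LB6NrZ089148 for <openldap-software@OpenLDAP.org>; "
    "Wed, 21 Jan 2004 11:06:24 GMT (envelope-from dieter@dkluenter.de)"
)
GENUINE_RECEIVED = (
    "from pink.l4b.de (c-180-221-89.cvx-h.dial.de.ignite.net [62.180.221.89]) "
    "by boole.openldap.org (8.12.10/8.12.10) with ESMTP id i0HGVerY091284 "
    "for <openldap-software@openldap.org>; Sat, 17 Jan 2004 16:31:49 GMT "
    "(envelope-from dieter@dkluenter.de)"
)

# sendmail-style "from HELO (rdns [ip])" or "from HELO ([ip])", then the
# protocol keyword and the envelope-from comment.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r".*?with\s+(?P<proto>\S+)"
    r".*?\(envelope-from\s+(?P<env>[^)\s]+)\)"
)


def parse_received(header: str) -> dict:
    """Split one unfolded Received header into its trust-relevant fields."""
    m = RECEIVED_RE.search(header)
    if m is None:
        raise ValueError("unrecognised Received header layout")
    return m.groupdict()


def envelope_matches_source(header: str) -> dict:
    """Check whether the (spoofable) envelope-from is backed by the source IP."""
    fields = parse_received(header)
    ip = ipaddress.ip_address(fields["ip"])
    nets = KNOWN_SENDER_NETS.get(fields["env"], [])
    fields["ip_in_known_nets"] = any(ip in net for net in nets)
    # A bare HELO name with no reverse DNS is the pattern Charlie points at;
    # it is a hint, not proof, so it is reported separately.
    fields["no_rdns"] = fields["rdns"] is None
    return fields
```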