REFLECTOR:MyDoom A

Brian Michalk reflector@tvbf.org
Tue, 10 Feb 2004 13:06:24 -0600



I seriously doubt it came from my server.  If anyone can send me the
original UNADULTERATED email, I might be able to figure out where it came
from.  My filters are detecting and killing the MyDoomA virus; however, it
might not be catching the new third variant, and Norton is classifying it as
the A version.

I scanned my logs, and came up empty.  Had my software seen it, there would
have been an entry like this:

From ""  Sat Feb  7 05:28:58 2004
Return-Path: <>
Delivered-To: virus-quarantine
X-Envelope-To: <combs@awpi.com>
X-Quarantine-id: <virus-20040207-052858-XXuAditc>
Received: from process.asu.edu by asu.edu (PMDF V6.1-1X6 #30769)
 id <0HSP00C01OUP5X@asu.edu> for combs@awpi.com; Sat,
 07 Feb 2004 04:20:49 -0700 (MST)
Received: from asu.edu (PMDF V6.1-1X6 #30769) id <0HSP00C0COUP4X@asu.edu>; Sat,
 07 Feb 2004 04:20:49 -0700 (MST)
Date: Sat, 07 Feb 2004 04:20:49 -0700 (MST)
From: ASU Postmaster <Postmaster@asu.edu>
Subject: Delivery Notification: Delivery has failed
To: combs@awpi.com
Message-id: <0HSP00C0GOUP4X@asu.edu>
MIME-version: 1.0
Content-type: multipart/report; report-type=delivery-status;
 boundary="Boundary_(ID_HhBREBy6XhyqHoVZKHoWCg)"
X-AMaViS-Alert: INFECTED, message contains virus: Worm.SCO.A

If anyone else thinks they are getting viruses from my server, please let me
know.
  -----Original Message-----
  From: reflector-admin@tvbf.org [mailto:reflector-admin@tvbf.org] On Behalf Of Chuck Jensen
  Sent: Tuesday, February 10, 2004 1:06 PM
  To: 'reflector@tvbf.org'
  Subject: RE: REFLECTOR:MyDoom A


  I'm innocent but I feel guilty.  Someone, hacker or virus, must have
hijacked my address and sent the bad-stuff to reflector.  I'm protected by
both Norton and CA but that doesn't always mean too much.  Anyway, I'll give
everyone good advice that applies to all my postings........beware!!!

  Chuck Jensen
    -----Original Message-----
    From: reflector-admin@tvbf.org [mailto:reflector-admin@tvbf.org] On Behalf Of Robin Ream
    Sent: Tuesday, February 10, 2004 1:27 PM
    To: reflector@tvbf.org
    Subject: Re: REFLECTOR:MyDoom A


    Hi Ronnie,

        It came in on the REFLECTOR in the Jensen post (one of our regular
guys)...  A whole suitcase of code...

    Robin
      ----- Original Message -----
      From: Ronnie Brown
      To: reflector@tvbf.org
      Sent: Tuesday, February 10, 2004 12:17 PM
      Subject: Re: REFLECTOR:MyDoom A


      Robin, I didn't get an infected note from Reflector.

      Perhaps you got it from someone on the Reflector list and it picked
up the subject line containing "Reflector"?
        ----- Original Message -----
        From: Robin Ream
        To: REFLECTOR
        Sent: Tuesday, February 10, 2004 1:07 PM
        Subject: REFLECTOR:MyDoom A


        Hi Guys,

            I got a REFLECTOR message about half an hour ago with the MyDoom
A piggybacked on it.  If you don't have new software with both virus and
worm hunting capability, now would be a good time to go get it.  I sent a
reply to that message so you could see what happened, but the file turned
out to be so large the server bounced it.  How it slipped through the server
the first time so it could get this far I don't know but it did, and Norton
2004 caught it on my end.  --  I hope the rest of you have a program to
protect your computers; this seems like it's going to be a never ending
battle...

        Robin
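
An added example, not part of the original thread and not the list server's own software: the log check described in the top message, done over a quarantine mailbox by looking for the `X-AMaViS-Alert` header shown in the quoted entry. It assumes the quarantine is plain mbox text; the function names, sample addresses and ids are made up for illustration.

```python
import email
import re

# Constructed sample shaped like the quarantine entry quoted in the post.
# Addresses and ids are made up; header names are the ones the post shows.
SAMPLE_MBOX = '''From ""  Sat Feb  7 05:28:58 2004
Delivered-To: virus-quarantine
X-Envelope-To: <user@example.org>
X-Quarantine-id: <virus-20040207-052858-EXAMPLE1>
Subject: Delivery Notification: Delivery has failed
X-AMaViS-Alert: INFECTED, message contains virus: Worm.SCO.A

bounce body

From ""  Tue Feb 10 12:40:11 2004
Delivered-To: list@example.org
Subject: REFLECTOR: meeting notes

>From the minutes: nothing to quarantine here.
'''

ALERT_RE = re.compile(r"INFECTED, message contains virus:\s*(\S+)")

def split_mbox(text):
    """Yield (separator_line, raw_message); '>From ' body lines do not split."""
    for chunk in re.split(r"(?m)^(?=From )", text):
        if chunk.strip():
            sep, _, raw = chunk.partition("\n")
            yield sep, raw

def quarantine_hits(text, subject_marker=None):
    """List quarantined messages, optionally only those whose Subject has subject_marker."""
    hits = []
    for sep, raw in split_mbox(text):
        msg = email.message_from_string(raw)
        found = ALERT_RE.search(msg.get("X-AMaViS-Alert", ""))
        subject = msg.get("Subject", "")
        if not found:
            continue  # delivered normally, never flagged by the scanner
        if subject_marker and subject_marker.lower() not in subject.lower():
            continue  # quarantined, but not a message from this list
        hits.append({
            "quarantined_at": sep.split(None, 2)[2],
            "quarantine_id": msg.get("X-Quarantine-id", "").strip("<>"),
            "envelope_to": msg.get("X-Envelope-To", "").strip("<>"),
            "virus": found.group(1),
        })
    return hits
```

An empty result from `quarantine_hits(SAMPLE_MBOX, subject_marker="REFLECTOR")` corresponds to the "came up empty" outcome in the message: the scanner quarantined something, but nothing carrying the list's subject tag.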
