[Dixielandjazz] V-i-r-u-s-e-s and DJML

david_haupt@agilent.com
Fri, 4 Oct 2002 12:05:51 -0600


As some have noted, the Bugbear worm is alive and kicking.  However, the Mailman software on which DJML is operated is incapable of spreading any such nasties.

The way these things get the DJML list is by infecting a DJML user's PC, and reading the addresses for messages sent and received.  If you are in the single-message mode (most of us are, I think), then your email software has logged the email address of anybody who has posted to DJML during your tenure.  Dropping your subscription won't stop the undesired emails because they're coming from someone's PC that has your email address in their mail system.

When Bugbear sends an email, it uses a "from" address that does not belong to the infected computer.  It randomly chooses an address from any message in your inbox, outbox, sentbox, or maybe even hatbox.  It uses that as the "from" address and randomly picks a victim the same way.  So, if Bill Gunter seems to receive the bug from Bob Ringwald, the only thing we can say for certain is that somebody's PC somewhere has the infection, and has also received emails from both of those fine gentlemen, or has sent emails to them.  That pretty much qualifies everybody on DJML.  Bugbear is additionally deceptive, because it uses, as message text and title, a title and text it finds in some message on your PC.  So it is very easy to fool someone into thinking it's a legitimate email.

Bugbear does its dirty deed by sending a Visual Basic executable script, disguised as a Word document or MIDI file.  This is a platform-independent script, and it does not care if you're running a PC or Macintosh.  As long as you have any of the standard Microsoft applications like Outlook, Works, or Office, this script can inflict damage.

Symantec offers a free removal tool for this infection.  Their anti-virus software, Norton, cannot un-infect a computer once infected.  The free removal tool is at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.removal.tool.html

However, the procedure is not for the faint of heart, requiring booting the PC into safe mode and so forth.  A task best referred to the neighbor's responsible 14-year-old hacker, if one happens to be handy.

Musical content: "Nobody knows when you're down and out"

Dave Haupt
Santa Rosa, CA
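Editor's added example (not part of Dave's post, and not Symantec's tool): a short Python triage script that checks the two things the post describes, a "from" address that was harvested from somebody else's mailbox and an attachment that is an executable dressed up as a document.  The sample message, every host name, IP address and the attachment bytes are constructed for the example; the list of executable extensions is an assumption, not an exhaustive one.

```python
"""Triage a suspicious list message: does the visible From: domain appear
anywhere in the Received: delivery path, and does an attachment look like
an executable disguised as a document?  Added example; all data made up."""
import email
import re
from email import policy
from email.utils import parseaddr

# Extensions Windows runs on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse"}

# Constructed sample.  From: claims a list member at example.org, but no relay
# in the Received: chain belongs to example.org: the mail came straight from a
# home PC on a cable-modem address into the list server, which is exactly what
# a worm's own SMTP engine produces.  The attachment is a Windows executable
# (it begins with the "MZ" header) named to look like a Word document.
SAMPLE = """\
Received: from lists.example.net (lists.example.net [192.0.2.10])
\tby mx.example.com with ESMTP; Fri, 4 Oct 2002 10:00:01 -0600
Received: from home-pc (cable-1-2-3.isp.example [198.51.100.7])
\tby lists.example.net with SMTP; Fri, 4 Oct 2002 10:00:00 -0600
From: Bob Ringwald <bob@example.org>
To: Bill Gunter <bill@example.com>
Subject: Re: Nobody knows when you're down and out
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See attached.
--XYZ
Content-Type: application/msword; name="setlist.doc.scr"
Content-Disposition: attachment; filename="setlist.doc.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""

# "from <helo-name> (<reverse-dns> [<ip>]) by <relay>" as most MTAs write it.
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.IGNORECASE)


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def received_hops(msg):
    """Return [(from_host, from_detail, by_host), ...] oldest hop first.
    Each relay prepends its own Received: line, so the last header is the
    hop closest to the machine that actually sent the mail."""
    hops = []
    for h in reversed(msg.get_all("Received") or []):
        m = HOP_RE.search(" ".join(str(h).split()))  # unfold the header first
        if m:
            hops.append((m.group(1), m.group(2) or "", m.group(3)))
    return hops


def from_domain_seen_in_path(msg):
    """True if the From: domain shows up in any relay of the delivery path.
    A worm mailing from the infected PC never passes through the spoofed
    sender's mail server, so the domain is absent.  Legitimate mail sent via
    a third-party provider can fail this too: a triage signal, not proof."""
    _, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return False
    path = " ".join(" ".join(hop) for hop in received_hops(msg)).lower()
    return domain in path


def suspicious_attachments(msg):
    """List (filename, reasons) for attachments that look like disguised
    executables: executable final extension, a document-looking double
    extension, or a Windows PE "MZ" header regardless of the declared type."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        exts = name.lower().split(".")[1:]
        reasons = []
        if exts and exts[-1] in EXECUTABLE_EXTS:
            reasons.append(f"executable extension .{exts[-1]}")
        if len(exts) > 1:
            reasons.append("double extension ." + ".".join(exts))
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"MZ":
            reasons.append(f"PE header under declared type {part.get_content_type()}")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    m = parse(SAMPLE)
    print("From: domain seen in delivery path:", from_domain_seen_in_path(m))
    for name, reasons in suspicious_attachments(m):
        print(name, "->", "; ".join(reasons))
```

On the sample this reports that example.org appears nowhere in the path and that setlist.doc.scr is a double-extension executable carrying a PE header, which is the point of the post: the "from" line tells you nothing about who is infected, only the Received: chain and the attachment itself do.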