Subject: MYSTARA-L Digest - 20 Aug 2003 to 21 Aug 2003 (#2003-205)
From: Automatic digest processor
Date: 22/08/2003, 17:00
To: Recipients of MYSTARA-L digests
Reply-to: Mystara RPG Discussion

There are 9 messages totalling 333 lines in this issue.

Topics of the day:

  1. danger for any MML member. Geoff should take actions (4)
  2. Unable to update website
  3. I don't want to seem like I'm flaking out on this, but... (3)
  4. virus warning

********************************************************************
The Other Worlds Homepage: http://www.wizards.com/dnd/OtherWorlds.asp
The Mystara Homepage: http://www.dnd.starflung.com/
To unsubscribe, send email to LISTSERV@ORACLE.WIZARDS.COM
with UNSUB MYSTARA-L in the body of the message.

----------------------------------------------------------------------

Date: Thu, 21 Aug 2003 11:03:27 +0100
From: Colin Davidson
Subject: Re: danger for any MML member. Geoff should take actions

----- Original Message -----
From: "Daniel Mayer"
To:
Sent: Thursday, August 21, 2003 6:51 AM
Subject: Re: [MYSTARA] danger for any MML member. Geoff should take actions

> Many, many, many.... (26 virus-mails in the last 24h)...
> I would really appreciate if everyone of you checks for the sobig-F
> virus. it's a new one (08/2003) and can be removed by a
> stand-alone-utility from sophos.com. Please look at my recent email, the
> link there leads directly to the utility. And - it's free :)

Note that the 'from' part of emails that contain this virus is usually
falsified, the worm can get hold of emails from a range of files stored on
your computer and send itself out as if from any of those. As a result
a -lot- of people are getting notifications from automated email response
thingies telling them that they're virussed when they're not. That said,
check to see if you have this one anyway!

------------------------------

Date: Thu, 21 Aug 2003 13:22:20 +0200
From: Daniel Mayer
Subject: Re: danger for any MML member.
         Geoff should take actions

Hi, Colin!

>
> Note that the 'from' part of emails that contain this virus is usually
> falsified, the worm can get hold of emails from a range of files stored on
> your computer and send itself out as if from any of those. As a result
> a -lot- of people are getting notifications from automated email response
> thingies telling them that they're virussed when they're not. That said,
> check to see if you have this one anyway!

As far as I know, the Sobig-F uses the address-book of the infected PC.
It picks one of them as "sender" and sends the virus to everyone else in
the book...
I got those 26 virus-mails not as notifications but as spread virus
itself (those nice little attachments...). Every one of them was sent by
foreign people to me. Because I never used this email-address for
"foreign"-contact except the two D&D-Lists, I'm quite sure of the origin.
The notifications you speak of are most of the time "hoaxes"...... and
I'm proud to be contacted by everyone existing.... :)
Another hint toward Mystara or FR-List: The viruses are all sent after
midnight but before daybreak...... in GMT+1... so they most likely come
from China/Japan or America during normal PC-"activity".
Anyway, using the sophos-tool won't hurt your PC.
(Though as good DM I'll check on FORTUNE saves) :)

Greetings,
Daniel

------------------------------

Date: Thu, 21 Aug 2003 08:42:24 -0400
From: Chris Cherrington
Subject: Re: danger for any MML member. Geoff should take actions

Yesterday I got all the notifications of me sending viruses, now today I
got over a hundred emails with attachments from people I don't know. Now I
am a member of several different lists, and I am only getting these from an
MML contact. I double checked my registries, at home and at work just in
case. Anyways, sobig-f is a mail spoofer, so we all will continue to get
these little packages for quite a while, complete with the warnings that we
have tried to infect someone else.
>
> From: Daniel Mayer
> Date: 2003/08/21 Thu AM 07:22:20 EDT
> To: MYSTARA-L@ORACLE.WIZARDS.COM
> Subject: Re: [MYSTARA] danger for any MML member. Geoff should take actions
>
> Hi, Colin!
>
> >
> > Note that the 'from' part of emails that contain this virus is usually
> > falsified, the worm can get hold of emails from a range of files stored on
> > your computer and send itself out as if from any of those. As a result
> > a -lot- of people are getting notifications from automated email response
> > thingies telling them that they're virussed when they're not. That said,
> > check to see if you have this one anyway!
>
> As far as I know, the Sobig-F uses the address-book of the infected PC.
> It picks one of them as "sender" and sends the virus to everyone else in
> the book...
> I got those 26 virus-mails not as notifications but as spread virus
> itself (those nice little attachments...). Every one of them was sent by
> foreign people to me. Because I never used this email-address for
> "foreign"-contact except the two D&D-Lists, I'm quite sure of the origin.
> The notifications you speak of are most of the time "hoaxes"...... and
> I'm proud to be contacted by everyone existing.... :)
> Another hint toward Mystara or FR-List: The viruses are all sent after
> midnight but before daybreak...... in GMT+1... so they most likely come
> from China/Japan or America during normal PC-"activity".
> Anyway, using the sophos-tool won't hurt your PC.
> (Though as good DM I'll check on FORTUNE saves) :)
>
> Greetings,
> Daniel
>
> ********************************************************************
> The Other Worlds Homepage: http://www.wizards.com/dnd/OtherWorlds.asp
> The Mystara Homepage: http://www.dnd.starflung.com/
> To unsubscribe, send email to LISTSERV@ORACLE.WIZARDS.COM
> with UNSUB MYSTARA-L in the body of the message.
>
>

------------------------------

Date: Thu, 21 Aug 2003 09:20:42 EDT
From: Alex Benson
Subject: Re: danger for any MML member.
         Geoff should take actions

I too am getting a truckload of failed to send emails that I did not send.
This is from an AOL account that is used exclusively on a Windows Me
machine. So I should be okay from virus. I only use this machine and
account to post here and for one other forum (beta games).

I have had two mails in my In Box w/attachments today. These were sent
after the failed to send mails began so it's not that.

From the addys, it looks like it came from the MML or perhaps from the
Oracle.wizards servers. I also noted that Horizons Beta had a blurb about a
missent response email lacked the BCC, and reports of it being used as a
spam list are being reported.

Another possibility are PHP format web sites. A few months back there was
discovered a security problem where IP addys were easy to hack. That was
supposedly patched and any problems should have shown themselves before now.

Other than that, I can only think that this virus is so wide spread that
there will be residual spam mails for some time.

------------------------------

Date: Thu, 21 Aug 2003 18:13:25 +0200
From: Havard Faanes
Subject: Re: Unable to update website

--- Larry wrote:
> Are you using FTP? If so then you need to know that
> they stopped offering that to free email
> accounts...you
> need to be a paying customer to use FTP. You have to
> use their web based upload "thing" to upload your
> files on their system.

I didn't know that, but even their upload program doesn't work these
days...

Havard

______________________________________________________
Get the new Yahoo! Messenger at http://no.messenger.yahoo.com/
New icons and backgrounds, super-quality webcam and twice as much fun

------------------------------

Date: Thu, 21 Aug 2003 12:49:50 -0400
From: SteelAngel
Subject: Re: I don't want to seem like I'm flaking out on this, but...

Help!
Someone, I am not sure if they are on this list or not, hell, I'm not even
sure if this person is a spammer who has one of my email addresses on
their spam list, and has an infected machine.. but, if you have the
address:

rrcs-sw-24-173-32-81.biz.rr.com [24.173.32.81]

your machine is infected with the SoBig.F worm. The only plausible
solution is to format your hard disk, and install Linux.

Any virus emails that have my addresses attached to them are not from
me. I do not use Windows for mail, and am immune to the effects of Big
Billy-boy's 'security problems'.

Ethan

--
Kinard 210 Linux Guru Webmaster www.steelangel.com

------------------------------

Date: Thu, 21 Aug 2003 20:03:44 +0000
From: Giampaolo Agosta
Subject: Re: I don't want to seem like I'm flaking out on this, but...

SteelAngel wrote:
> Help!
>
> Someone, I am not sure if they are on this list or not, hell, I'm not even
> sure if this person is a spammer who has one of my email addresses on
> their spam list, and has an infected machine.. but, if you have the
> address:
>
> rrcs-sw-24-173-32-81.biz.rr.com [24.173.32.81]

Same here. All the infected messages came from that ip.
A bit of tracking can be done here:
http://www.senderbase.com/search?searchString=24.173.32.81
It's an address from an isp in Virginia, covering the S.E. of US.
Actually, we could write to the abuse desk, if the thing goes on.

> your machine is infected with the SoBig.F worm. The only plausible
> solution is to format your hard disk, and install Linux.

Indeed.

> Any virus emails that have my addresses attached to them are not from
> me. I do not use Windows for mail, and am immune to the effects of Big
> Billy-boy's 'security problems'.

Same here.

Bye,
GP

--
once again, as in times past,
over the whole of Italy
the wind howls and the storm blows

------------------------------

Date: Thu, 21 Aug 2003 22:44:21 -0700
From: Larry
Subject: virus warning

Someone that knows me, that has me in their address book, sent me a virus.
It's that Sobig virus and I suggest you all scan your systems. Since I
received the email in my yahoo addy and it looked "out of place" I had
yahoo scan it.

Once more, please scan your systems.

=====
"Happy Hunting!"
My web site: http://www.geocities.com/boonedale/
My Robotech game on Yahoo! groups: http://groups.yahoo.com/group/RobotechGame/
My Online AD&D Game: http://groups.yahoo.com/group/World_of_Zarcaddia/

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

------------------------------

Date: Fri, 22 Aug 2003 08:05:59 +0200
From: Daniel Mayer
Subject: Re: I don't want to seem like I'm flaking out on this, but...

Yo,

now... 45 virus-mails in last 24h hours.
If we are confirmed that they come over the MML, perhaps a notification
to the admin could help. He could be able to identify the origin of the
virus-spams by looking into the log-files, corner the ip-addresses and
find the bad boy.

The ip-addresses you found (24.173.32.81):

Registrant:
Road Runner HoldCo LLC RR6-DOM
   13241 Woodland Park Rd
   Herndon VA 20171
   US

   Domain Name: RR.COM

   Administrative Contact Technical Contact:
      Road Runner abuse@RR.COM
      13241 Woodland Park Rd
      Herndon VA 20171
      US
      703-345-3416 fax: 703-345-3607

   Record expires on 30-Sep-2010.
   Record created on 20-Aug-2002.
   Database last updated on 22-Aug-2003 01:51:25 EDT.

   Domain servers in listed order:

   DNS1.RR.COM 24.30.200.3
   DNS2.RR.COM 24.30.201.3
   DNS3.RR.COM 24.30.199.7
   DNS4.RR.COM 65.24.0.172

Further traced, the noted ip seems to be in ownership of network
solutions, Inc. I wrote them an email with an enquiry to investigate.
The Homepage says they will answer in 24h....
But anyone on this list who uses an email-account from network solutions
should put increased energy on cleaning his PC.

Another note: this virus will only be active until Sept., 10th.... a
small hope...
Greetings,
Daniel

------------------------------

End of MYSTARA-L Digest - 20 Aug 2003 to 21 Aug 2003 (#2003-205)
****************************************************************