[LON-CAPA-dev] Weeeeee! ;)))

Jeremy Bowers lon-capa-dev@mail.lon-capa.org
Wed, 03 Mar 2004 09:35:35 -0500


Josh Tacey wrote:
> Yea, Virus time
> 
> And MSU engineering services advice (yes I called them)

Interesting. On my bowersj2@msu.edu account, I got a totally different 
virus. I'll not bother with attaching it, but I've compared the one from 
"Felicia" with mine and it is definitely not the same.

It also had much more exciting text attached to it:

------

Dear user of Msu.edu,

Your e-mail  account  will be  disabled because  of improper  using in next
three days, if you are still wishing  to use it,  please, resign your
account  information.

Advanced  details can be found in  attached  file.

Sincerely,
     The  Msu.edu team                          http://www.msu.edu

------

I'm thinking maybe they realized they don't have the English skills to 
pull off such a long message (surely somewhere in the world there is a 
virus writer who can also write in English?), so they shortened it in 
later attacks.

Someone must have tuned one of the existing Windows viruses specifically 
for MSU (and perhaps other schools? though I see nothing in the virus 
binaries so it must be a backdoor-type), because while the "Felicia" 
email (sorry, Felicia!) came from on campus according to the headers, 
mine did not. Headers:

------

Return-Path: <bowerjoy@msu.edu>
Delivered-To: jerf@jerf.org
Received: (qmail 17117 invoked from network); 2 Mar 2004 17:38:21 -0500
Received: from sys11.mail.msu.edu (35.9.75.111)
   by 64.79.65.39 with SMTP; 2 Mar 2004 17:38:21 -0500
Received: from lnngmi-l10-891.dsl.tds.net ([134.215.235.129] 
helo=sarahmjohnston)
	by sys11.mail.msu.edu with smtp (Exim 4.24 #37)
	id 1AyIV5-0001Tq-K4
	for bowersj2@pilot.msu.edu; Tue, 02 Mar 2004 17:36:31 -0500
Date: Tue, 02 Mar 2004 17:36:22 -0500
To: bowersj2@msu.edu
Subject: Notify about using the e-mail account.
From: administration@msu.edu
Message-ID: <xwxeggemdyduxanxskj@msu.edu>
MIME-Version: 1.0
Content-Type: multipart/mixed;
         boundary="--------lfdledfareiaduwsnold"
X-Virus: None found by Clam AV

------

Note the identical X-Virus header; does MSU run Clam AV on their mail 
servers? (I don't run Clam AV on my mail server. Until there are Linux 
viruses that Mozilla auto-executes I'm pretty safe.) But this email came 
from off-network, "tds.net".

Anyhow, if the MSU network folks make some kind of announcement, could 
someone forward me a copy in case they don't send it to all users? I 
forwarded the email I received with headers to "abuse@msu.edu"; is there 
a better place?
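
Added example, not part of the original message: the header comparison described above (From: claims msu.edu, but the hop into the MSU mail server came from tds.net) done in Python. The function name `campus_entry_hop` and the regex are assumptions of this sketch; the headers are the ones quoted in the message, with the mail-client line wrap in the third Received line rejoined.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers from the message above (subset; wrapped Received line rejoined).
RAW = """\
Return-Path: <bowerjoy@msu.edu>
Delivered-To: jerf@jerf.org
Received: (qmail 17117 invoked from network); 2 Mar 2004 17:38:21 -0500
Received: from sys11.mail.msu.edu (35.9.75.111)
   by 64.79.65.39 with SMTP; 2 Mar 2004 17:38:21 -0500
Received: from lnngmi-l10-891.dsl.tds.net ([134.215.235.129] helo=sarahmjohnston)
\tby sys11.mail.msu.edu with smtp (Exim 4.24 #37)
\tid 1AyIV5-0001Tq-K4
\tfor bowersj2@pilot.msu.edu; Tue, 02 Mar 2004 17:36:31 -0500
To: bowersj2@msu.edu
Subject: Notify about using the e-mail account.
From: administration@msu.edu

"""

# "from <peer name> (<peer details>) by <receiving server>"
HOP = re.compile(r"from\s+(\S+)\s+\((.*?)\)\s+by\s+(\S+)", re.S)

def in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def campus_entry_hop(raw):
    """Return the hop where a server of the From: domain accepted the mail.

    Received lines are prepended, so the list is newest first. Stopping at
    the first outside peer avoids reading older lines the sender may have forged.
    """
    msg = message_from_string(raw)
    domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    last_internal = None
    for hdr in msg.get_all("Received", []):
        m = HOP.search(hdr)
        if not m or not in_domain(m.group(3), domain):
            continue  # not written by a server of the claimed domain
        sender, peer, by = m.groups()
        hop = {"claimed": domain, "sender": sender, "peer": peer, "by": by}
        if not in_domain(sender, domain):
            return {**hop, "off_network": True}
        last_internal = {**hop, "off_network": False}
    return last_internal  # None if the claimed domain never handled it

if __name__ == "__main__":
    print(campus_entry_hop(RAW))
```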