HomeRoast Digest

Topic: viruses continue to go around. (17 msgs / 325 lines)
1) From: Kevin DuPre
Dan Bollinger,
I think that something on your system is infected or
someone you may know is sending virus-infected e-mail
on your behalf.
Today, I received the following e-mail to my Yahoo
account with an attachment "church.doc.pif" attached
which contained the Win32Bugbear virus - Yahoo
quarantined it but did not clean it. Just thought I'd
let you know.  The content of the e-mail may allow you
to narrow down to a timeframe.  It was sent from
danbollinger, but when I tried to reply it was
undeliverable so someone may have hacked a server at
MIT and is using it to send mail.  The mail relay that
sent it to my yahoo account was:
Received: from gbrost (unverified []) by
mail.usadatanet.net (Vircom SMTPRS 5.1.202) with SMTP
id ; Thu, 3 Oct 2002
07:20:38 -0400 
Date: Thu, 3 Oct 2002 07:20:38 -0400 
crack is the 
result of
agree, and coffee 
seems to be no
Kevin DuPre
obxwindsurfhttp://profiles.yahoo.com/obxwindsurf"The real voyage of discovery consists not in seeking new landscapes but in having new eyes -- Marcel Proust"
Do you Yahoo!?
New DSL Internet Access from SBC & Yahoo!http://lists.sweetmarias.com/mailman/listinfo/homeroast">http://sbc.yahoo.comhomeroast mailing listhttp://lists.sweetmarias.com/mailman/listinfo/homeroast

2) From: hlhurd
Kevin wrote
Today, I received the following e-mail to my Yahoo
account with an attachment "church.doc.pif" attached . . . .
It was sent from danbollinger . . . 
I got the same email & attachment which I deleted unopened.
I think attachments to homeroast posts are discouraged 
& I didn't think Dan would have sent it.
homeroast mailing listhttp://lists.sweetmarias.com/mailman/listinfo/homeroast

3) From: John
It's not necessarily Dan's system. The writeup on Bugbear is very
sophisticated. It generates .pif .exe and a couple of other extensions.
It patches together pieces of subject lines and develops names based on
received ISP addresses and user names - mix and match.  The clue is to
not open ANY attachments from a list!
I too received the Danbollinger with an attachment. I'm running
Linux which warned me and I killed it. (I hope).
Something on the list is active though so Y'all be careful up there!
On Thu, 2002-10-03 at 09:09, Kevin DuPre wrote:
homeroast mailing listhttp://lists.sweetmarias.com/mailman/listinfo/homeroast

4) From: Spencer W. Thomas
The bugbear virus adds a new twist to the "use someone else as the 
return address" feature of Klez and its friends.  Bugbear will take the 
user part of one email address, and the "host" part of another email 
address, and will put them together to make the forged return address on 
the mail it sends out. And, apparently, sometimes it will just make up a 
return address.  Seehttp://vil.nai.com/vil/content/v_99728.htmfor more 
information about this virus.
All we can be sure of is that this message was sent by someone who has 
Dan Bollinger and Homeroast in his/her address book.  By looking at the 
"Received" and "Message-ID" headers in the message source, we can make a 
further surmise: that the person who has the virus sends mail through 
"usadatanet.net", and that his or her username on usdatanet may be 
"gbrost".  Here are the headers in question:
Received: from gbrost (unverified []) by mail.usadatanet.net
 (Vircom SMTPRS 5.1.202) with SMTP id ;
 Thu, 3 Oct 2002 07:20:38 -0400
Kevin DuPre wrote:
homeroast mailing listhttp://lists.sweetmarias.com/mailman/listinfo/homeroast

5) From: Dan Bollinger
IT WASN'T ME, FOLKS!!!  The infected email was not sent by me, nor was the
message something I said.  The virus maker took my name, created the false
email address danbollinger (I'm a Purdue grad!) and sent it to all
of you us.  Note that it was not sent through the homeroast-list-server.
Just so you know, I use Norton anti-virus which keeps itself updated and
checks all outgoing emails for viruses.  Dan
in having new eyes -- Marcel Proust"
homeroast mailing listhttp://lists.sweetmarias.com/mailman/listinfo/homeroast

6) From: sschlang
I received the same virus.  Quick question...I 
quarantined and deleted without opening.  Is this the 
correct protocol?  I'll be happy to take it off-line 
unless the recent spate of viruses makes this of group 
interest.  Thanks,
homeroast mailing listhttp://lists.sweetmarias.com/mailman/listinfo/homeroast

7) From: jim gundlach
This appears to be the BugBear worm.   Wired's write-up is available at:
    http://www.wired.com/news/technology/0,1282,55532,00.htmlI also got the same from Dan so I think his machine must be infected.
    Jim Gundlach
On Thursday, October 3, 2002, at 09:50 AM, hlhurd wrote:
homeroast mailing listhttp://lists.sweetmarias.com/mailman/listinfo/homeroast

8) From: Dan Bollinger
Just to be safe, and just so I'd know, I ran Norton's BugBear fix.  It did
not find the bug-bear-worm on my machine. Whew!  Dan
homeroast mailing listhttp://lists.sweetmarias.com/mailman/listinfo/homeroast

9) From: Simpson
I wonder what the listserver is running on. MIS folks are notorious for
being lax about their patches and this bugbear virus is supposed to use a
vulnerability that was patched over a year ago. BTW I got this post too,
and my system is also clean. And yes the correct protocol is to delete the
darned thing unopened and keep you windows system patched at http://v4.windowsupdate.microsoft.com/en/default.aspalso keep virus software updated.
*********** REPLY SEPARATOR  ***********
On 10/3/2002 at 3:31 PM Dan Bollinger wrote:
homeroast mailing listhttp://lists.sweetmarias.com/mailman/listinfo/homeroast

10) From: C. Marley
Dan Bollinger wrote:
But someone got the SM mailing list from somewhere.  I got the same post
from "danbollinger".  Did someone hack your machine and get your
outlook address book? 
For the conservation of the Tibetan Lhasa Apso,
Regards, Cathy http://lists.sweetmarias.com/mailman/listinfo/homeroast">http://www.lhasa-apso.orghomeroast mailing listhttp://lists.sweetmarias.com/mailman/listinfo/homeroast

11) From: Dan Bollinger
Uh, beggin' your pardon, but how would I know the answer to that question?
I don't think the BugBear virus works that way. I read the description at
the Norton website. No hacking is involved, it uses an Outlook Express fault
(which I patched last year when this virus first came out). I checked my
Norton AV log.  I've gotten four emails with the BB attached.  The first one
was on 10/2 from danbollinger (this is not me, it is a false
address) the same day everyone else got theirs from the same source. Just so
you know, I don't have everyone's email address in my address book, just 3-4
of the people I write to off-list. I feel bad being involved in this if only
because they stole my name to hurt you; but I'm just as much a victim as you
are.  Dan
homeroast mailing listhttp://lists.sweetmarias.com/mailman/listinfo/homeroast

12) From: John
Don't feel bad! The fact that it picked your name out of the system is
pretty good evidence that it is not on your machine.  We should all know
that first of all you wouldn't use an attachment on the list, and second
that the list server doesn't send them - then the information on the
virus was WIDELY distributed so that people should have suspected
immediately and killed the file. I run a Linux system and it didn't open
or display the attachment, which is what made me look at the address. I
killed the whole file and reported it to CERN.  To point fingers at
ANYONE on the list is just silly.  
About stealing your name, IF I were to want to look harmless, I'd grab
your name too, cause we all know you're a good guy!
Enjoy your morning cup and consider making a clay critter called worm!
On Fri, 2002-10-04 at 08:58, Dan Bollinger wrote:
homeroast mailing listhttp://lists.sweetmarias.com/mailman/listinfo/homeroast

13) From: Dan Bollinger
Thanks, Lissa and John!   John, we had thought about a Clay Critter slug.
Does that count?  ;)  Personally, I want to do a coffee bean or a mug of
coffee.  :)  Dan

14) From: Jim Gundlach
I apologize for thinking Dan's computer might be infected.  I guess the 
road to hell is paged with good intentions.  I'll leave virus stuff 
alone in the future.
    Jim Gundlach
On Friday, October 4, 2002, at 09:16 AM, John wrote:
homeroast mailing listhttp://lists.sweetmarias.com/mailman/listinfo/homeroast

15) From: John
It was right to alert folks. Clearly the right thing to do - if several
of us got it, then the potential for several more was clearly there. I
will ALWAYS appreciate a heads up like this - and like Lissa, I run
Linux and I STILL want to know.  You can send me alerts direct any old
Good cupping
On Fri, 2002-10-04 at 09:54, Jim Gundlach wrote:
homeroast mailing listhttp://lists.sweetmarias.com/mailman/listinfo/homeroast

16) From: Dan Bollinger
John,  Hey, I would have thought I was the culprit, too! ;)  Dan
homeroast mailing listhttp://lists.sweetmarias.com/mailman/listinfo/homeroast

17) From: Ed Needham
I've been in Gatlinburg, Tennessee for the last four days and received a
total of four viruses from the homeroast list among 486 other emails (mostly
spam and homeroast posts).  On my PC, I use Mailwasher (http://www.mailwasher.net), an anti spam software program and it lets me
download just headers to view and delete before opening them in my email
reader (Outlook Express).  It blacklists most spam before I get a chance and
deletes it as well as sending a spoof 'bounce' notice to the spam sender
saying my email is not a working address.
It has saved me many times from downloading viruses.  Norton antivirus is my
second line of defense, and occasionally intercepts one I miss in Mailwasher.
Ed Needhamhttp://www.homeroaster.comed

HomeRoast Digest