http://www.newsbytes.com/news/02/175003.html

By Brian McWilliams, Newsbytes
SAN FRANCISCO, CALIFORNIA, U.S.A., 06 Mar 2002, 9:46 AM CST

A server operated by Internet pioneer John Gilmore is being used by a new Internet worm to perform its mass-mailing routine, according to virus researchers.

The address of the server, Toad.com, is one of 25 open mail relays hard-coded by its unidentified author into the W32.Yaha worm, according to analyses by anti-virus firms Symantec and Sophos.

While most of the open servers are located in China and Korea, Toad.com is a system installed in Gilmore's home in San Francisco. Besides co-founding the Electronic Frontier Foundation and the Cypherpunks cryptography discussion list, Gilmore takes credit for helping establish the "alt" Usenet discussion groups.

Last March, Gilmore's Internet service provider, Verio, threatened to cut off his service unless he secured Toad.com so that it could not be used by third parties to relay junk e-mail or "spam."

Since its discovery around Valentine's Day, Yaha, also known as "Valscr," has wormed its way past Nimda, Hybris and Funlove to the number eight position on the current list of virus threats tracked by managed e-mail provider MessageLabs. Symantec has assigned Yaha a level-2 risk rating.

The worm arrives with a subject line, "Melt the Heart of your Valentine with this beautiful screen saver." It comes with an attachment named "valentin.scr." If executed, the attachment will install the worm and unleash its only payload: mass-mailing copies of infected messages to addresses in the Windows address book and e-mail addresses found in cached HTML files on the victim's hard disk.

Gilmore, a life member of the Libertarian Party, has accused Verio of censorship and said he configured the mail server to accept and forward e-mail from anyone in part so that friends could use it while traveling around the world. Gilmore was not immediately available for comment.
According to Gilmore's Web site, Verio agreed last August not to terminate his service if he modified his mailer software to avoid forwarding large quantities of e-mail from single addresses over short periods of time.

Jay Dyson, a security consultant with California-based Treachery Unlimited, confirmed that Toad.com remains "a wide-open relay." According to Dyson, numerous methods exist for authenticating whether users are authorized to relay mail through a server.

"I think Gilmore is being a stubborn old fool for leaving his mail systems as open relays," he said.

Gilmore's home page is http://www.toad.com/gnu/

Symantec's description of Yaha is at http://securityresponse.symantec.com/avcenter/venc/data/w32.yahaat_private

Sophos's write-up is at http://www.sophos.com/virusinfo/analyses/w32yahaa.html

The MessageLabs Threat List is at http://www.messagelabs.com/viruseye/threatlist.asp

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Mar 07 2002 - 03:25:26 PST