[ISN] Virus Borrows Internet Pioneer's Server To Spread

From: InfoSec News (isnat_private)
Date: Thu Mar 07 2002 - 00:45:50 PST


    http://www.newsbytes.com/news/02/175003.html
    
    By Brian McWilliams, Newsbytes
    SAN FRANCISCO, CALIFORNIA, U.S.A.,
    06 Mar 2002, 9:46 AM CST
     
    A server operated by Internet pioneer John Gilmore is being used by a
    new Internet worm to perform its mass-mailing routine, according to
    virus researchers.
    
    The address of the server, Toad.com, is one of 25 open mail relays
    hard-coded by its unidentified author into the W32.Yaha worm,
    according to analyses by anti-virus firms Symantec and Sophos.
     
    While most of the open servers are located in China and Korea,
    Toad.com is a system installed in Gilmore's home in San Francisco.
    
    Besides co-founding the Electronic Frontier Foundation and the
    Cypherpunks cryptography discussion list, Gilmore takes credit for
    helping establish the "alt" Usenet discussion groups.
    
    Last March, Gilmore's Internet service provider, Verio, threatened to
    cut off his service unless he secured Toad.com so that it could not be
    used by third parties to relay junk e-mail or "spam."
    
    Since its discovery around Valentine's Day, Yaha, also known as
    "Valscr," has wormed its way past Nimda, Hybris and Funlove to the
    number eight position on the current list of virus threats tracked by
    managed e-mail provider MessageLabs.
    
    Symantec has assigned Yaha a level-2 risk rating. The worm arrives
    with a subject line, "Melt the Heart of your Valentine with this
    beautiful screen saver." It comes with an attachment named
    "valentin.scr."
    
    If executed, the attachment will install the worm and unleash its only
    payload: mass-mailing copies of infected messages to addresses in the
    Windows address book and e-mail addresses found in cached HTML files
    on the victim's hard disk.
    
    Gilmore, a life member of the Libertarian party, has accused Verio of
    censorship and said he configured the mail server to accept and
    forward e-mail from anyone in part so that friends could use it while
    traveling around the world.
    
    Gilmore was not immediately available for comment.
    
    According to Gilmore's Web site, Verio agreed last August not to
    terminate his service if he modified his mailer software to avoid
    forwarding large quantities of e-mail from single addresses over short
    periods of time.
    
    Jay Dyson, a security consultant with California-based Treachery
    Unlimited, confirmed that Toad.com remains "a wide-open relay."
    
    According to Dyson, numerous methods exist for authenticating whether
    users are authorized to relay mail through a server.
    
    "I think Gilmore is being a stubborn old fool for leaving his mail
    systems as open relays," he said.
    
    Gilmore's home page is http://www.toad.com/gnu/
    
    Symantec's description of Yaha is at
    http://securityresponse.symantec.com/avcenter/venc/data/w32.yahaat_private
    
    Sophos's write-up is at
    http://www.sophos.com/virusinfo/analyses/w32yahaa.html
    
    The MessageLabs Threat List is at
    http://www.messagelabs.com/viruseye/threatlist.asp
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Thu Mar 07 2002 - 03:25:26 PST