Re: CRIME [VIRUS] Don't Use this patch immediately !

From: Craig.Schiller@private
Date: Thu Oct 16 2003 - 16:21:13 PDT

    This is a re-post with a different subject line, since those discussing this
    may not have seen the original post.
    
    This e-mail spoofs the sender so it only looks like it comes from
    security.microsoft.com.  The real originator from the last copy I received
    was a Verizon DSL user using an account in Everett, Washington.  The block
    of IP addresses is owned by Genuity but is apparently being distributed by
    Verizon.

    The publicly visible address was 4.47.73.9 but the individual actual address
    may be NATed.  I say this on the possibility that the infected machine is
    one of our regular responders.  You can check your PC by running ipconfig
    (Win2K and above) from the DOS line or winipcfg (Win 9x) and looking at the
    gateway address.  Your PC may be assigned a private address like 192.168.1.x
    but the DSL modem/router translates that address into its publicly visible
    address.  If your gateway address begins with 4.47.x.x then your PC may be
    the actual source of the Microsoft Patch now emails that have been hitting
    the CRIME mailing list.
    
    
    Craig A Schiller, CISSP
    Global Information Security Officer
    RadiSys Corporation
    craig.schiller@private
    503.615.1646
    
    
    From: "Todd Ellner" <tellner@cedarlake.com>
    Sent by: owner-crime@privatex.edu
    Date: 10/16/2003 11:54 AM
    To: <sarnold@private>, <crime@private>
    cc:
    Subject: Re: CRIME [VIRUS] Don't Use this patch immediately !

     [snip]
     Check the headers:
     Received: (from Majordomo@localhost)
              by rigel.cs.pdx.edu (8.12.10/8.12.3/Submit) id h9G2fZt3027348
              for crime-outgoing; Wed, 15 Oct 2003 19:41:35 -0700 (PDT)
     X-Authentication-Warning: rigel.cs.pdx.edu: Majordomo set sender to
     owner-crime@private using -f
     Received: from tuttle.oit.pdx.edu (tuttle.oit.pdx.edu [131.252.120.29])
              by rigel.cs.pdx.edu (8.12.10/8.12.10) with ESMTP id h9G2fOK1027326
              (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO)
              for <crime@private>; Wed, 15 Oct 2003 19:41:25 -0700 (PDT)
     Received: from localhost (evrtwa1-ar4-4-47-073-009.evrtwa1.dsl-verizon.net [4.47.73.9])
              by tuttle.oit.pdx.edu (8.12.10/8.12.10) with SMTP id h9G2fMx8000787
              for <crime@private>; Wed, 15 Oct 2003 19:41:22 -0700 (PDT)

     Looks like 4.47.73.9 sent it.

     That netblock is owned by Genuity. Best of luck convincing them it is
     worth their time to track down a single Windows user who didn't care
     enough to buy an antivirus tool.

     [snip]

     "We were wondering whom to send the bill from our IT consultant to. The
     virus we got from your machine looks like it will cost us umpty-ump
     thousand dollars in lost data, emergency hourly work, and compromised law
     enforcement and anti-terrorist computers.

     Just want to make sure the invoice ends up on the right desk.

     Ta ta,
     Ima Bofh"
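The header walk Todd Ellner does by hand, as an added Python example that is not part of the archived thread: it parses a constructed copy of the quoted Received chain, reads the bracketed peer address of each hop from the oldest hop up, skips loopback and private peers as Craig's NAT note suggests, and checks whether the result falls in the 4.47.x.x block the post tells readers to look for (read here as a /16, which is an assumption).

```python
import email
import ipaddress
import re
from typing import List, Optional

# Constructed sample: the Received chain quoted in the post, newest hop on top
# (the list server) and the submitting DSL host at the bottom (oldest).
SAMPLE_MESSAGE = """\
Received: (from Majordomo@localhost)
        by rigel.cs.pdx.edu (8.12.10/8.12.3/Submit) id h9G2fZt3027348
        for crime-outgoing; Wed, 15 Oct 2003 19:41:35 -0700 (PDT)
Received: from tuttle.oit.pdx.edu (tuttle.oit.pdx.edu [131.252.120.29])
        by rigel.cs.pdx.edu (8.12.10/8.12.10) with ESMTP id h9G2fOK1027326
        for <crime@private>; Wed, 15 Oct 2003 19:41:25 -0700 (PDT)
Received: from localhost (evrtwa1-ar4-4-47-073-009.evrtwa1.dsl-verizon.net [4.47.73.9])
        by tuttle.oit.pdx.edu (8.12.10/8.12.10) with SMTP id h9G2fMx8000787
        for <crime@private>; Wed, 15 Oct 2003 19:41:22 -0700 (PDT)
Subject: Use this patch immediately !

(body omitted)
"""

# Sendmail puts the connecting peer's address in square brackets after its name.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message: str) -> List[Optional[str]]:
    """Bracketed peer IP of each Received header, oldest hop first (None if absent)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):  # last header = first hop
        m = IP_IN_BRACKETS.search(value)
        hops.append(m.group(1) if m else None)
    return hops


def originating_ip(raw_message: str) -> Optional[str]:
    """First globally routable peer in the chain: the host that submitted the mail.
    Loopback/private peers are skipped (the PC may be NATed behind its DSL router,
    as the post notes). Hops below the first MTA you trust can be forged, so this
    is a lead for the netblock owner, not proof of who sent it."""
    for ip in received_hops(raw_message):
        if ip is not None and ipaddress.ip_address(ip).is_global:
            return ip
    return None


def in_suspect_block(ip: str, block: str = "4.47.0.0/16") -> bool:
    """True if ip is in the block the post names; 4.47.x.x read as a /16 (assumption)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(block)
```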



    This archive was generated by hypermail 2b30 : Thu Oct 16 2003 - 17:04:59 PDT