This is a re-post with a different subject line, since those discussing this may not have seen the original post.

This e-mail spoofs the sender, so it only looks like it comes from security.microsoft.com. The real originator from the last copy I received was a Verizon DSL user using an account in Everett, Washington. The block of IP addresses is owned by Genuity but is apparently being distributed by Verizon. The publicly visible address was 4.47.73.9, but the individual's actual address may be NATted.

I say this on the possibility that the infected machine is one of our regular responders. You can check your PC by running ipconfig (Win2K and above) from the DOS line or winipcfg (Win 9x) and looking at the gateway address. Your PC may be assigned a private address like 192.168.1.x, but the DSL modem/router translates that address into its publicly visible address. If your gateway address begins with 4.47.x.x, then your PC may be the actual source of the "Microsoft Patch now" emails that have been hitting the CRIME mailing list.

Craig A Schiller, CISSP
Global Information Security Officer
RadiSys Corporation
craig.schiller@private
503.615.1646

This electronic message contains information which may be confidential, privileged or otherwise protected from disclosure. The information is intended to be used solely by the named recipient(s). If you are not a named recipient, any review, disclosure, copying, distribution or use of this transmission or its contents is prohibited. If you have received this transmission in error, please notify me immediately.
"Todd Ellner" <tellner@cedarlake.com>
Sent by: owner-crime@private x.edu
10/16/2003 11:54 AM

To: <sarnold@private>, <crime@private>
cc:
Subject: Re: CRIME [VIRUS] Don't Use this patch immediately !

[snip]

Check the headers:

Received: (from Majordomo@localhost)
    by rigel.cs.pdx.edu (8.12.10/8.12.3/Submit) id h9G2fZt3027348
    for crime-outgoing; Wed, 15 Oct 2003 19:41:35 -0700 (PDT)
X-Authentication-Warning: rigel.cs.pdx.edu: Majordomo set sender to owner-crime@private using -f
Received: from tuttle.oit.pdx.edu (tuttle.oit.pdx.edu [131.252.120.29])
    by rigel.cs.pdx.edu (8.12.10/8.12.10) with ESMTP id h9G2fOK1027326
    (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO)
    for <crime@private>; Wed, 15 Oct 2003 19:41:25 -0700 (PDT)
Received: from localhost (evrtwa1-ar4-4-47-073-009.evrtwa1.dsl-verizon.net [4.47.73.9])
    by tuttle.oit.pdx.edu (8.12.10/8.12.10) with SMTP id h9G2fMx8000787
    for <crime@private>; Wed, 15 Oct 2003 19:41:22 -0700 (PDT)

Looks like 4.47.73.9 sent it. That netblock is owned by Genuity. Best of luck convincing them it is worth their time to track down a single Windows user who didn't care enough to buy an antivirus tool.

[snip]

"We were wondering whom to send the bill from our IT consultant to. The virus we got from your machine looks like it will cost us umpty-ump thousand dollars in lost data, emergency hourly work, and compromised law enforcement and anti terrorist computers. Just want to make sure the invoice ends up on the right desk. Ta ta, Ima Bofh"
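Walking the Received: chain the way Todd does above can be automated. The following is an added example, not part of the original post or the CRIME archive: it parses the three Received: lines quoted above, walks outward from the list's own servers to the first hop recorded from outside them, and checks whether that address falls in the 4.47.x.x block Craig asks readers to look for. The trusted domain suffix (.pdx.edu) is an assumption made for this example.

```python
import ipaddress
import re

# The three Received: lines copied from Todd Ellner's quoted message above;
# the archive's "@private" redactions are kept as they appear there.
SAMPLE_HEADERS = """\
Received: (from Majordomo@localhost) by rigel.cs.pdx.edu (8.12.10/8.12.3/Submit)
 id h9G2fZt3027348 for crime-outgoing; Wed, 15 Oct 2003 19:41:35 -0700 (PDT)
Received: from tuttle.oit.pdx.edu (tuttle.oit.pdx.edu [131.252.120.29])
 by rigel.cs.pdx.edu (8.12.10/8.12.10) with ESMTP id h9G2fOK1027326
 for <crime@private>; Wed, 15 Oct 2003 19:41:25 -0700 (PDT)
Received: from localhost (evrtwa1-ar4-4-47-073-009.evrtwa1.dsl-verizon.net [4.47.73.9])
 by tuttle.oit.pdx.edu (8.12.10/8.12.10) with SMTP id h9G2fMx8000787
 for <crime@private>; Wed, 15 Oct 2003 19:41:22 -0700 (PDT)
"""

# "from <helo> (<rdns> [<ip>]) by <mta>"; the parenthesised part is optional
# because a local submission like "(from Majordomo@localhost)" has none.
HOP_RE = re.compile(r"from\s+([^\s()]+)\)?(?:\s+\(([^\s\[\]()]*)\s*\[([\d.]+)\]\))?\s+by\s+([^\s()]+)")

def received_chain(raw):
    """Parse the Received: lines, newest (closest to us) first."""
    lines = []
    for line in raw.splitlines():  # join folded continuation lines first
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    hops = []
    for line in lines:
        m = HOP_RE.search(line) if line.lower().startswith("received:") else None
        if m:
            hops.append({"helo": m.group(1), "rdns": m.group(2) or None,
                         "ip": m.group(3), "by": m.group(4)})
    return hops

def originating_ip(raw, trusted_suffix=".pdx.edu"):
    """Peer address logged for the first hop outside our own servers; lines
    below the last trusted hop were written by the sender's side and may be
    forged. trusted_suffix is an assumption made for this example."""
    for hop in received_chain(raw):
        if hop["ip"] and not (hop["rdns"] or "").endswith(trusted_suffix):
            return hop["ip"]
    return None

SUSPECT_BLOCK = ipaddress.ip_network("4.47.0.0/16")  # the "4.47.x.x" range named in the post
def in_suspect_block(ip):
    return ipaddress.ip_address(ip) in SUSPECT_BLOCK
```

The HELO name ("localhost" here) is supplied by the sending host and proves nothing; only the bracketed address that tuttle recorded for its peer is worth acting on.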
This archive was generated by hypermail 2b30 : Thu Oct 16 2003 - 17:04:59 PDT