Several email viruses try to locate email addresses within text files on the victim's computer. The viruses are usually not too bright when it comes to determining what is a valid email address. The @ sign followed by something with a dot in it was probably enough for this particular virus to identify that string as an email, and to attempt to send a copy of itself there.

Scott Phelps
Dreamwright Studios

-----Original Message-----
From: Joao Gouveia [mailto:tharbadat_private]
Sent: Tuesday, December 17, 2002 9:37 PM
To: incidentsat_private
Subject: IRC -> smtp worm?

Hello list,

Is anyone aware of some kind of IRC worm that uses SMTP servers to act as a spy client or something like that?

While taking a look at an IDS log of a client, I saw several alerts that were triggered and classified as "IRC traffic" directed to an SMTP server on port 25. Nothing odd about that at first glance, as it could be just a simple copy/paste of an IRC log sent via mail. But in this particular situation (that is causing hundreds of alerts/day), the format of the mail is everything but "normal".

Here is a sample (IRC user data changed):

<quote>
HELO x4i8x4
RSET
MAIL FROM: <>
RCPT TO: <mask!__at_private PRIVMSG #channel :LOL>
</quote>

Obviously the server is responding with a "501 5.5.4 Invalid Address".

Not that I consider this a serious issue (from the server side of course), but I'm curious about what's causing this behaviour. Sorry if this is a well known issue, but I've done a somewhat limited search and came up with nothing that applies.

Regards,

Joao Gouveia

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
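One way to triage the traffic discussed in this thread, as an added example that is not part of the original messages: it classifies SMTP RCPT TO arguments so that IRC log fragments (a nick!user@host hostmask followed by an IRC command) are separated from valid and merely malformed recipients. The session lines, hostmask, addresses and the list of IRC verbs are constructed assumptions; only the HELO string comes from the sample above.

```python
import re

# Simplified mailbox syntax (dot-atom local part, DNS-style domain).
# A triage heuristic, not the full RFC 5321 grammar.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_{|}~-]+"
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
MAILBOX = re.compile(rf"^{ATEXT}(?:\.{ATEXT})*@{LABEL}(?:\.{LABEL})+$")

# IRC hostmask (nick!user@host) followed by an IRC command verb.
# The verb list is an assumption chosen for this example.
IRC_FRAGMENT = re.compile(
    r"^:?[^\s!@]+![^\s!@]+@\S+\s+"
    r"(?:PRIVMSG|NOTICE|JOIN|PART|QUIT|MODE|NICK|KICK|TOPIC)\b"
)
RCPT = re.compile(r"^RCPT\s+TO:\s*<?(.*?)>?\s*$", re.IGNORECASE)


def classify_rcpt(line):
    """Return (verdict, path) for an RCPT TO command, None for other lines."""
    m = RCPT.match(line.strip())
    if not m:
        return None
    path = m.group(1).strip()
    if IRC_FRAGMENT.match(path):      # check first: "!" is legal in a local part
        return ("irc-fragment", path)
    if MAILBOX.match(path):
        return ("valid", path)
    return ("malformed", path)


def triage(lines):
    """Return (line_no, verdict, path) for every recipient that is not valid."""
    findings = []
    for n, line in enumerate(lines, 1):
        result = classify_rcpt(line)
        if result and result[0] != "valid":
            findings.append((n, *result))
    return findings


# Constructed session: placeholder hostmask and addresses, not captured data.
SAMPLE_SESSION = [
    "HELO x4i8x4",
    "RSET",
    "MAIL FROM: <>",
    "RCPT TO: <nick!ident@host.example PRIVMSG #channel :LOL>",
    "RCPT TO: <alice@example.org>",
    "RCPT TO: <not an address>",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_SESSION):
        print(finding)
```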
This archive was generated by hypermail 2b30 : Tue Jan 21 2003 - 15:33:37 PST