From: "Thom R. Lacosta" 
Subject: [drakelist] Virus Alert: MyDoom Worm


Folks....I am getting HUNDREDS of messages telling me that the drakelist
is sending out virus-infected emails...which isn;t correct, since the
list doesn't allow attachments.

What is happening is that some folks who have the list address in their
addressbooks, etc have been infected.

The message below explains the virus...hope it helps you.

If you're already protected, not immune, etc., forgive the bandwidth...if
you need to get rid or the virus, there are links below that will be of
assistance.

73
Thom

http://www.baltimorehon.com/            Home of the Baltimore Lexicon
http://www.tlchost.net/              Web Hosting as low as 3.49/month

---------- Forwarded message ----------
Date: Tue, 27 Jan 2004 17:02:08 -0500 (EST)
From: BCPL.NET SysAdmin 
To: BCPL.NET News 
Subject: BCPL.NET NEWS: Virus Alert: MyDoom Worm

------------------------
VIRUS ALERT: MYDOOM WORM
------------------------
On January 26th a new worm called "MyDoom" began spreading very rapidly
across the Internet via e-mail and via KaZaA file sharing.  It is also
known by a variety of other names: "Novarg",
"Mimail.R", "Shimgapi",
"Shimg", and several variations on the word "MyDoom". 
We have seen a
large number of MyDoom-infected e-mails here at BCPL.NET.  Most virus
information Web sites rate the MyDoom Worm as very dangerous due to the
very rapid speed at which it is spreading.

The MyDoom Worm infects PCs running Windows 95, Windows 98, Windows 2000,
Windows NT, Windows ME, Windows XP, and Windows 2003 Server. It does not
infect DOS, Macintosh, UNIX or Windows 3.x computers.


How The MyDoom Worm Spreads
---------------------------
MyDoom is spread in the form of an e-mail file attachment that installs
the worm on the target PC if the attachment is opened.  It also spreads
via KaZaA peer-to-peer file sharing.

Via E-Mail:
----------
When a PC becomes infected, MyDoom compiles a list of target e-mail
addresses from addresses found in the address book, in saved e-mail, and
in other files on the infected computer.  It then mails infected file
attachments to all those addresses. It does this each time the infected PC
boots up and connects to the Internet.

The e-mail carrying the infected file attachment is in the following
format:

>From Address:     Selected by the virus from its list of target
                  addresses, so the message may appear to come from
                  someone you know. There is also evidence that the
                  From address is sometimes constructed from common
                  first names with the target domain name added (for
                  example john{at}bcpl.net, mary{at}bcpl.net, etc).

To Address:       In addition to addresses found on the infected PC,
                  there is also evidence that the To address is
                  sometimes constructed from common first names with
                  the target domain added (for example john{at}bcpl.net,
                  mary{at}bcpl.net, etc).

Subject:          Chosen at random from the following list:
                  -  error
                  -  hello
                  -  hi
                  -  mail delivery system
                  -  mail transaction failed
                  -  server report
                  -  status
                  -  test
                  -  [any random collection of characters]

                  The words on the Subject line may or may not be
                  capitalized.

Message Text:     Chosen at random from the following list:
                  -  test
                  -  Mail transaction failed. Partial message is
                     available.
                  -  The message contains Unicode characters and has
                     been sent as a binary attachment.
                  -  The message cannot be represented in 7-bit ASCII
                     encoding and has been sent as a binary attachment.

---