Watch out! was: Re: Very Wierd someone is masquarading as the mail list?

From: Christian Fandt <>
Date: Mon Dec 20 13:34:12 1999

Upon the date 11:17 AM 12/20/99 -0800, Zane H. Healy said something like:
>Has anyone gotten a eMail message that appears to have come from the
>mailing list with the header "Re: Help identify a Control Data piece", when
>in reality it looks to have come from "
>[]" if I'm reading the headers right.
>Included in the message was a Windows executable that is supposedly a
>recent animation from the site their advertising. Somehow I suspect a
>Trojan Horse, but doens't really matter I'm using Eudora on a Mac.

DON'T open any email attachments you may have gotten in the past days _unless_
you knew of a particular one coming beforehand. I just got a spam msg, with an
attachment connected, sent directly to my mailbox purported to be from
ClassicCmp. The attachment is a worm. It was promptly erased from my hard
disk's Eudora email attachment folder as I normally do with unknown

To compare notes on this and to perhaps give leads to our spam trackers (Bruce
Lane, et al), I posted a copy of the text without the attachment as follows. It
was in HTML but I am posting it in plain-text. I expanded the header to show
that it came from and _not_ ClassicCmp. To wit:

>>>>BEGIN copy

> Received: from ( [])
> by (8.9.3/8.9.3) with SMTP id MAA15291
> for; Mon, 20 Dec 1999 12:51:48 -0500
> Date: Mon, 20 Dec 1999 12:51:48 -0500
> From:
> Message-Id: <>
> To:
> Subject: Re: PDP-8/L and TTY stuff (was Re: TTY and current loop questions)
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="----=_NextPart_000_0007_01AF0E92.A4E9CDO0"
> X-UIDL: cb45a46697b9dcf0ad694e2c44714d08
> <>
> index.html
> Hypercool Happy New Year 2000 funny programs and animations...
> We attached our recent animation from this site in our mail ! Check it out !

>>>>END copy

Note the msg subject was not what Zane reported.

Okay Bruce and others, it seems somebody may have been either lurking on the
list and harvesting email addresses or broken into's server
and spoofed their server into the classiccmp list.

The same problem has been happening with another list I'm a member of. A
leadoff message in a thread discussing it is copied below and can fill you in
some info already known of this:

>>>>BEGIN copy
> Date: Sun, 19 Dec 1999 17:22:25 -0600
> Reply-To: John Farrington <jfarr_at_LIVINGSTON.NET>
> Sender: Heathkit Owners and Collectors List <HEATH_at_LISTSERV.TEMPE.GOV>
> From: John Farrington <jfarr_at_LIVINGSTON.NET>
> Subject: More viruses being sent directly to list users
> Comments: cc: AI7R-PK <>
> Virus attachments to E-mails continue to be E-mailed directly to users
> of this list (not via the list): ^^^^^^^^
> ^^^^^^^^^^^^^^^^
> On 12/18/99 Dave (AI7R, List Admin) mentioned that:
> > Myself and at least one other person has gotten a message from an
> > unknown source that contained what looked like a copy of the bboy.exe
> > (Bubble Boy) virus. We didn't open it to find out of course, and
> > that's exactly what you have to do if you get one...not open it.
> Today I received a similar worm attachment named "HOG.EXE", so be
> warned that someone with access to this list is sending destructive
> virus/worm files directly to our E-mail addresses copied from the
> list. There is a notice about these worms and others on Symantec's
> site at:
> The E-mail message will have a subject line from messages posted on
> the Heath list, and the return address may be forged to make it look
> like it originated from yourself via your local ISP.
> The attached worm file may be named something like these:
> g-zilla.exe, cooler3.exe, cooler1.exe, copier.exe, video.exe,
> pirate.exe, goal1.exe, hog.exe, party.exe, saddam.exe, monica.exe,
> boss.exe, farter.exe, cheeseburst.exe, panther.exe, theobbq.exe,
> goal.exe, baby.exe, bboy.exe, cupid2.exe, fborfw.exe, casper.exe,
> irnglant.exe, or gadget.exe.
> In this case the bogus E-mail came from or via, which
> belongs to:
> Net Access Corp., 110 S. Jefferson Rd, Newton, NJ, 07860,
> and/or 104 Broadway, Denville, NJ, 07834,
> Coordinator Ryan Pavely (201) 983-0725
> paradox_at_NAC.NET,
> so perhaps someone on our list has local access to that phone number
> and could inform Mr. Pavely that one of NAC's addresses is being used
> to forward virus files. Maybe they have the means to trace it.
> 73
> John Farrington KE5ZB
> A worm named HOG.EXE
> Sponsored by the City of Tempe
> Listserver Submissions:
> Listserver Subscription: - "subscribe heath
> 'name' 'call'"
> Listserver Unsubscribe: - -"signoff heath"

>>>> END copy

Notice there are many names other than cooler3.exe said to be used for this
worm. HOG.EXE may be another one according to the msg from the Heath list.

Dammit, these slimeballs are getting craftier as time goes by.

-- --
Christian Fandt, Electronic/Electrical Historian
Jamestown, NY USA
        Member of Antique Wireless Association
Received on Mon Dec 20 1999 - 13:34:12 GMT

This archive was generated by hypermail 2.3.0 : Fri Oct 10 2014 - 23:31:55 BST