Worm storms

Re: Worm storms

"Julian V. Noble" <jvn-at-virginia.edu> wrote:[color=blue]
> Dear C Mavens,
>
> Anyone here getting hosts of spam with nefarious attachments,
> purporting to be from M$ or its lackeys, into your mailbox?
>
> I neglected to spoof my header, and since Hurricane Isabel
> I have gotten well over 10K such messages.[/color]

Since 2003/9/18 I have received about 4000 copies of the worm
Swen.A. That's about 600 megabytes added to my monthly quota :(

I think a lot of people on comp.lang.c are affected according to a bounce message I received:

---
The file (part0004:q8349 94.exe) attached to mail (with subject: Current Net Critical Pack) sent by
sales.dep-at-xnet.ro to jens.toerring-at-physik.fu-berlin.de, 80bluesky-at-gmx.at,
calum.bulk-at-ntlworld.com, jacob.navia-at-jacob.remcomp.f r, thomas.pfaff-at-tiscali.no,
nicole0169-at-citiz.net, christian.bau-at-cbau.freeserve. co.uk, sbiber-at-optushome.com.a u,
foo.foo-at-gmx.net, debashis_kolkat a-at-rediffmail.com, nimel-at-passagen.se, a.litowka-at-gmx.de,
gah-at-ugcs.caltech.ed u, gin-at-binky.homeunix. org, dagwyn-at-null.net, mambuhl-at-earthlink.net,
mason_verger-at-skincare.com, lawrence.jones-at-eds.com, klachemin-at-home.com,
pyf-at-mail.zjitc.net, nzanella-at-cs.mun.ca, francischeng-at-hong-kong.crosswinds .net,
jcook-at-strobedata.com, emonk-at-slingshot.co.nz .no.uce, pushkar-at-erc.msstate.edu ,
lfw-at-airmail.net, binary-at-eton.powernet.c o.uk, airia-at-acay.com.au, chris-at-sonnack.com,
kst-at-cts.com, derkgwen-at-hotpop.com, dontmail-at-address.co.uk.i nvalid, mkwahler-at-mkwahler.net,
os2guy-at-pc-rosenau.de, richmond-at-ev1.net, horpner-at-yahoo.com, nglen702-at-netscape.net,
stewart.brodie-at-ntlworld.com, ayeameen-at-yahoo.com, parinioa-at-hotmail.com,
malcolm-at-55bank.freeserv e.co.uk, joewwright-at-earthlink.net, m_donaghy50-at-hotmail.com,
robertvazan-at-privateweb.sk, kevin.bracey-at-tematic.com, dan.pop-at-cern.ch, thadsmith-at-acm.org,
nethlek-at-tokyo.com, koster_thomas-at-yahoo.com.sg, ajo-at-andrew.cmu.edu,
first.last-at-company.com, aurer-at-axis.com, palaste-at-cc.helsinki.fi, eric.sosman-at-sun.com,
msgregoryz-at-earthlink.net, kers-at-hpl.hp.com, d99alu-at-efd.lth.se, cmccormick-at-mailsnare.net,
chrisval-at-bigpond.com.au, kuyper-at-saicmodis.com, deliberately-at-made.invalid,
ak+usenet-at-freeshell.org, irrwahn-at-freenet.de, xal-at-abowers.combase .com,
s030768-at-student.dtu.dk, pfiland-at-mindspring.com, scs-at-eskimo.com, noizetogo-at-direct.ca,
glenhallick-at-sprint.ca, cdvanos-at-telus.net, n36170-at-hotmail.com, me-at-here.com,
danmc-at-shaw.ca, magpie-at-shinythings.com , keimdf-at-softek-net.com is infected with virus:
Win32/Swen.A-at-mm.
---

(@ replaced with -at- in this message to try to prevent this
email list from being picked up by spambots.)

--
Simon.

Re: Worm storms

"Julian V. Noble" <jvn-at-virginia.edu> wrote:[color=blue]
> Dear C Mavens,
>
> Anyone here getting hosts of spam with nefarious attachments,
> purporting to be from M$ or its lackeys, into your mailbox?
>
> I neglected to spoof my header, and since Hurricane Isabel
> I have gotten well over 10K such messages.[/color]

Since 2003/9/18 I have received about 4000 copies of the worm
Swen.A. That's about 600 megabytes added to my monthly quota :(

I think a lot of people on comp.lang.c are affected according to a bounce message I received:

---
The file (part0004:q8349 94.exe) attached to mail (with subject: Current Net Critical Pack) sent by
sales.dep-at-xnet.ro to jens.toerring-at-physik.fu-berlin.de, 80bluesky-at-gmx.at,
calum.bulk-at-ntlworld.com, jacob.navia-at-jacob.remcomp.f r, thomas.pfaff-at-tiscali.no,
nicole0169-at-citiz.net, christian.bau-at-cbau.freeserve. co.uk, sbiber-at-optushome.com.a u,
foo.foo-at-gmx.net, debashis_kolkat a-at-rediffmail.com, nimel-at-passagen.se, a.litowka-at-gmx.de,
gah-at-ugcs.caltech.ed u, gin-at-binky.homeunix. org, dagwyn-at-null.net, mambuhl-at-earthlink.net,
mason_verger-at-skincare.com, lawrence.jones-at-eds.com, klachemin-at-home.com,
pyf-at-mail.zjitc.net, nzanella-at-cs.mun.ca, francischeng-at-hong-kong.crosswinds .net,
jcook-at-strobedata.com, emonk-at-slingshot.co.nz .no.uce, pushkar-at-erc.msstate.edu ,
lfw-at-airmail.net, binary-at-eton.powernet.c o.uk, airia-at-acay.com.au, chris-at-sonnack.com,
kst-at-cts.com, derkgwen-at-hotpop.com, dontmail-at-address.co.uk.i nvalid, mkwahler-at-mkwahler.net,
os2guy-at-pc-rosenau.de, richmond-at-ev1.net, horpner-at-yahoo.com, nglen702-at-netscape.net,
stewart.brodie-at-ntlworld.com, ayeameen-at-yahoo.com, parinioa-at-hotmail.com,
malcolm-at-55bank.freeserv e.co.uk, joewwright-at-earthlink.net, m_donaghy50-at-hotmail.com,
robertvazan-at-privateweb.sk, kevin.bracey-at-tematic.com, dan.pop-at-cern.ch, thadsmith-at-acm.org,
nethlek-at-tokyo.com, koster_thomas-at-yahoo.com.sg, ajo-at-andrew.cmu.edu,
first.last-at-company.com, aurer-at-axis.com, palaste-at-cc.helsinki.fi, eric.sosman-at-sun.com,
msgregoryz-at-earthlink.net, kers-at-hpl.hp.com, d99alu-at-efd.lth.se, cmccormick-at-mailsnare.net,
chrisval-at-bigpond.com.au, kuyper-at-saicmodis.com, deliberately-at-made.invalid,
ak+usenet-at-freeshell.org, irrwahn-at-freenet.de, xal-at-abowers.combase .com,
s030768-at-student.dtu.dk, pfiland-at-mindspring.com, scs-at-eskimo.com, noizetogo-at-direct.ca,
glenhallick-at-sprint.ca, cdvanos-at-telus.net, n36170-at-hotmail.com, me-at-here.com,
danmc-at-shaw.ca, magpie-at-shinythings.com , keimdf-at-softek-net.com is infected with virus:
Win32/Swen.A-at-mm.
---

(@ replaced with -at- in this message to try to prevent this
email list from being picked up by spambots.)

--
Simon.

Re: purpose and usage of 'restricted' was: Re: Worm storms

In article
<pan.2003.09.24 .21.21.18.47767 9@_CUT_2zyga.ME dyndns._OUT_org >,
"Zygmunt Krynicki" <zyga@_CUT_2zyg a.MEdyndns._OUT _org> wrote:
[color=blue]
> On Wed, 24 Sep 2003 19:22:05 +0300, Ian Tuomi wrote:
>[color=green]
> > Julian V. Noble wrote:
> >[color=darkred]
> >> Dear C Mavens,
> >>
> >> Anyone here getting hosts of spam with nefarious attachments,
> >> purporting to be from M$ or its lackeys, into your mailbox?
> >>
> >> I neglected to spoof my header, and since Hurricane Isabel
> >> I have gotten well over 10K such messages.[/color][/color]
>
> I got suprised one day as it turned out that I had ~200 messagess waiting
> for me. The bad thing is that I have *slow* connection and those messages
> were simply killing my system. I had 100+ of sendmails hanging around and
> waiting forever for the mail to arrive.[/color]

Recommendation: Use Mozilla Firebird. It lets you choose "don't download
messages over xx Kilobyte", so it downloads only about 1KB of each of
these messages and then you can delete them.
[color=blue]
> To be topical: what is the keyword "restricted " for, how old is it? I've
> noticed a couple of people giving little hints that it's for telling the
> programmer/compiler it's illegal to pass the same thing more than once.[/color]

It is there since C99. There are two uses:

1. If you use a pointer like "int * restrict p", then it is undefined
behavior if you modify an object through an expression that is derived
from the value of p, and access it through a different pointer; and it
is also undefined behavior if you access an object through an expression
that is derived from the value of p, and access it modify it through a
different pointer.

This is important for an optimising compiler. Example:

int *restrict p;
int *q;

int x = *q, y;
*p = 2;
y = *q;

The compiler can assume that y == x because the assignment to *p cannot
change *q (if it did you would have violated the first rule).

2. If you use a pointer like "const int * restrict p", then it is
undefined behavior if you modify an object that is accessed through an
expression that is derived from the value of p. In other words, *p
cannot be modified as long as the pointer p exists. Usually, if you have
a const* pointer then the object pointed to can still be modified by
other means, or by casting the const-ness away. Not if it is a const
*restrict pointer.
[color=blue]
> I dont know if I got it correctly or is it just my imagination working.
> Anyway what is the reason for such a construct? The olny example I could
> think of was something like memcpy - memove (it's a little slopy, I know
> it's not exactly the same).[/color]

Re: purpose and usage of 'restricted' was: Re: Worm storms

In article
<pan.2003.09.24 .21.21.18.47767 9@_CUT_2zyga.ME dyndns._OUT_org >,
"Zygmunt Krynicki" <zyga@_CUT_2zyg a.MEdyndns._OUT _org> wrote:
[color=blue]
> On Wed, 24 Sep 2003 19:22:05 +0300, Ian Tuomi wrote:
>[color=green]
> > Julian V. Noble wrote:
> >[color=darkred]
> >> Dear C Mavens,
> >>
> >> Anyone here getting hosts of spam with nefarious attachments,
> >> purporting to be from M$ or its lackeys, into your mailbox?
> >>
> >> I neglected to spoof my header, and since Hurricane Isabel
> >> I have gotten well over 10K such messages.[/color][/color]
>
> I got suprised one day as it turned out that I had ~200 messagess waiting
> for me. The bad thing is that I have *slow* connection and those messages
> were simply killing my system. I had 100+ of sendmails hanging around and
> waiting forever for the mail to arrive.[/color]

Recommendation: Use Mozilla Firebird. It lets you choose "don't download
messages over xx Kilobyte", so it downloads only about 1KB of each of
these messages and then you can delete them.
[color=blue]
> To be topical: what is the keyword "restricted " for, how old is it? I've
> noticed a couple of people giving little hints that it's for telling the
> programmer/compiler it's illegal to pass the same thing more than once.[/color]

It is there since C99. There are two uses:

1. If you use a pointer like "int * restrict p", then it is undefined
behavior if you modify an object through an expression that is derived
from the value of p, and access it through a different pointer; and it
is also undefined behavior if you access an object through an expression
that is derived from the value of p, and access it modify it through a
different pointer.

This is important for an optimising compiler. Example:

int *restrict p;
int *q;

int x = *q, y;
*p = 2;
y = *q;

The compiler can assume that y == x because the assignment to *p cannot
change *q (if it did you would have violated the first rule).

2. If you use a pointer like "const int * restrict p", then it is
undefined behavior if you modify an object that is accessed through an
expression that is derived from the value of p. In other words, *p
cannot be modified as long as the pointer p exists. Usually, if you have
a const* pointer then the object pointed to can still be modified by
other means, or by casting the const-ness away. Not if it is a const
*restrict pointer.
[color=blue]
> I dont know if I got it correctly or is it just my imagination working.
> Anyway what is the reason for such a construct? The olny example I could
> think of was something like memcpy - memove (it's a little slopy, I know
> it's not exactly the same).[/color]

Re: Worm storms

"Simon Biber" <sbiber@optusho me.com.au> wrote:
[color=blue]
>"Julian V. Noble" <jvn-at-virginia.edu> wrote:[color=green]
>> Dear C Mavens,
>>
>> Anyone here getting hosts of spam with nefarious attachments,
>> purporting to be from M$ or its lackeys, into your mailbox?
>>
>> I neglected to spoof my header, and since Hurricane Isabel
>> I have gotten well over 10K such messages.[/color]
>
>Since 2003/9/18 I have received about 4000 copies of the worm
>Swen.A. That's about 600 megabytes added to my monthly quota :(
>
>I think a lot of people on comp.lang.c are affected according to a bounce message I received:
>[/color]
<who-is-who in c.l.c snipped>

Just what I thought. I had to re-route the traffic to the address I
used when posting here to /dev/null, after receiving about forty virus-
or bounce-messages per hour. The new alias redirects to a working
spam-free account (after removing the capitals).

Irrwahn
(currently using his old 14.4K Hayes Optima on a flaky phone line)
--
Close your eyes and press escape three times.

Re: Worm storms

On Wed, 24 Sep 2003 19:22:05 +0300, Ian Tuomi <ianNOSPAM@co.j yu.fi> wrote:
[color=blue]
>Julian V. Noble wrote:
>[color=green]
>> Dear C Mavens,
>>
>> Anyone here getting hosts of spam with nefarious attachments,
>> purporting to be from M$ or its lackeys, into your mailbox?
>>
>> I neglected to spoof my header, and since Hurricane Isabel
>> I have gotten well over 10K such messages.
>>[/color]
>
>Yes. I am getting ~200/day but I made mozilla identify them as spam and
>not download any attachments bigger than 50k so they are quickly deleted[/color]

Are you saying that inspite of mangling your address with nospam you get the spam messages?

--
main(){char s[19]="SbwjCAUpvhiHv z/ofu";
int i;for(i=0;i<18; putchar(s[i++]-1));}

Re: Worm storms

> Dear C Mavens,[color=blue]
>
> Anyone here getting hosts of spam with nefarious attachments,
> purporting to be from M$ or its lackeys, into your mailbox?
>
> I neglected to spoof my header, and since Hurricane Isabel
> I have gotten well over 10K such messages.
>[/color]
I get about 100 mails every day :(

Re: purpose and usage of 'restricted' was: Re: Worm storms

Christian Bau <christian.bau@ cbau.freeserve. co.uk> spoke thus:
[color=blue]
> 1. If you use a pointer like "int * restrict p", then it is undefined
> behavior if you modify an object through an expression that is derived
> from the value of p, and access it through a different pointer; and it
> is also undefined behavior if you access an object through an expression
> that is derived from the value of p, and access it modify it through a
> different pointer.[/color]
[color=blue]
> This is important for an optimising compiler. Example:[/color]
[color=blue]
> int *restrict p;
> int *q;[/color]
[color=blue]
> int x = *q, y;
> *p = 2;
> y = *q;[/color]

(I'm assuming you ommitted the calls to malloc() for simplicity...)
[color=blue]
> The compiler can assume that y == x because the assignment to *p cannot
> change *q (if it did you would have violated the first rule).[/color]

So basically the restrict keyword means that p may not share write access to a
given area of memory with another pointer?
[color=blue]
> 2. If you use a pointer like "const int * restrict p", then it is
> undefined behavior if you modify an object that is accessed through an
> expression that is derived from the value of p. In other words, *p
> cannot be modified as long as the pointer p exists. Usually, if you have
> a const* pointer then the object pointed to can still be modified by
> other means, or by casting the const-ness away. Not if it is a const
> *restrict pointer.[/color]

So restrict is a way of forcing strict const-ness?

--
Christopher Benson-Manica | Jumonji giri, for honour.
ataru(at)cybers pace.org |

Re: OT: Worm storms

On 24 Sep, in message <871xu6b0w0.fsf _-_@lucien.dreami ng>
bkhl@elektrubad ur.se (Björn Lindström) wrote:
[color=blue]
>Ian Tuomi <ianNOSPAM@co.j yu.fi> writes:
>[color=green]
>> Julian V. Noble wrote:
>>[color=darkred]
>>> Anyone here getting hosts of spam with nefarious attachments,
>>> purporting to be from M$ or its lackeys, into your mailbox? I
>>> neglected to spoof my header, and since Hurricane Isabel I have
>>> gotten well over 10K such messages.[/color]
>>
>> Yes. I am getting ~200/day but I made mozilla identify them as spam
>> and not download any attachments bigger than 50k so they are quickly
>> deleted[/color]
>
>For me, these two procmail rules got the signal/noise ratio down to
>levels manageable by Gnus.[/color]

[snip]

From Message-ID <bkmdsh$fan$1@n ntp0.reith.bbc. co.uk> on
comp.sys.acorn. misc the following procmail recipe will catch the virus
itself, but not the faked bounces - I've had none since installing it on
my ISPs server.

:0
* > 140000
* < 165000
{
:0 BD
* b3IAAABBZG1pbgA AAEdFVCBodHRwOi 8vd3cyLmZjZS52d XRici5jei9iaW4v Y291bnRlci5naWY v
/dev/null
}

FYI: that string contains a base64-encoded URL of a vanity counter that
the virus apparently has hard-coded in it

Yours,

Phil L.
--
http://www.philipnet.com http://director.sourceforge.net
The From address is valid, but anything over 32k is deleted by the server
i ou a uea i e a o ie e a o a a oue oae

Re: purpose and usage of 'restricted' was: Re: Worm storms

In article <bkupfv$ot9$2@c hessie.cirr.com >,
Christopher Benson-Manica <ataru@nospam.c yberspace.org> wrote:
[color=blue]
> So basically the restrict keyword means that p may not share write access to a
> given area of memory with another pointer?[/color]

Slightly more. As you said, only one pointer is allowed to write in that
area. But if one of the pointers writes, then the other pointer is not
even allowed to read from the same area.

That allows an optimising compiler to reorder read and write accesses
through both pointers.
[color=blue][color=green]
> > 2. If you use a pointer like "const int * restrict p", then it is
> > undefined behavior if you modify an object that is accessed through an
> > expression that is derived from the value of p. In other words, *p
> > cannot be modified as long as the pointer p exists. Usually, if you have
> > a const* pointer then the object pointed to can still be modified by
> > other means, or by casting the const-ness away. Not if it is a const
> > *restrict pointer.[/color]
>
> So restrict is a way of forcing strict const-ness?[/color]

By using const + restrict, _you_ guarantee to the compiler that nothing
will try to change an object, as long as the const+restrict pointer
variable exists. As soon as the const+restrict pointer variable
disappears, you are allowed to modify the object again, unless it is
really const, of course. For example, if a function argument is a
const+restrict pointer, and you pass the address of an object to that
function, then you can modify the object again after the function call
is finished.

Re: Worm storms

in comp.lang.c i read:[color=blue][color=green]
>> Dear C Mavens,[/color][/color]
[color=blue][color=green]
>> Anyone here getting hosts of spam with nefarious attachments,
>> purporting to be from M$ or its lackeys, into your mailbox?
>>
>> I neglected to spoof my header, and since Hurricane Isabel
>> I have gotten well over 10K such messages.
>>[/color]
>I get about 100 mails every day :([/color]

a spoofed from header is against my custom. things have calmed down a
little, so i only get around 150 per minute of these swen worms.

--
a signature

Re: Worm storms

those who know me have no need of my name wrote:[color=blue]
>
> in comp.lang.c i read:[color=green][color=darkred]
> >> Dear C Mavens,[/color][/color]
>[color=green][color=darkred]
> >> Anyone here getting hosts of spam with nefarious attachments,
> >> purporting to be from M$ or its lackeys, into your mailbox?
> >>
> >> I neglected to spoof my header, and since Hurricane Isabel
> >> I have gotten well over 10K such messages.
> >>[/color]
> >I get about 100 mails every day :([/color]
>
> a spoofed from header is against my custom. things have calmed down a
> little, so i only get around 150 per minute of these swen worms.
>[/color]
I get about 50 an hour. Apparently Verisign is doing it to us. They
handle the DNS for .com and .net domains for the entire Internet. Sven
is emailed from non-existent domains and used to be effectively blocked
by anti-spam software which would look up Sven's domain, not find it and
therefore reject the email. Now that no longer works. Verisign's DNS
returns 'found' signal for all domains since early last week. Part of
their SiteFinder feature.

They are being sued. They have to be stopped.
--
Joe Wright mailto:joewwrig ht@earthlink.ne t
"Everything should be made as simple as possible, but not simpler."
--- Albert Einstein ---

Re: Worm storms

in comp.lang.c i read:

[re: the swen worm and it's bounces]
[color=blue]
>I get about 50 an hour. Apparently Verisign is doing it to us.[/color]

only indirectly. the worm doesn't synthesize a (potentially non-existent)
domain, it uses the domains present in e-mail addresses it finds in msoe's
local cache, some of which will be invalid yet within .com or .net, so some
of the messages might have been rejected by some mta's were it not for the
wildcard.

--
a signature

Re: Worm storms

In article <m18yoctipk.gnu s@usa.net>,
those who know me have no need of my name <not-a-real-address@usa.net >
wrote:
[color=blue]
> in comp.lang.c i read:[color=green][color=darkred]
> >> Dear C Mavens,[/color][/color]
>[color=green][color=darkred]
> >> Anyone here getting hosts of spam with nefarious attachments,
> >> purporting to be from M$ or its lackeys, into your mailbox?
> >>
> >> I neglected to spoof my header, and since Hurricane Isabel
> >> I have gotten well over 10K such messages.
> >>[/color]
> >I get about 100 mails every day :([/color]
>
> a spoofed from header is against my custom. things have calmed down a
> little, so i only get around 150 per minute of these swen worms.[/color]

I was thinking about doing lots of posts with forged sender address of
abuse@freeserve .com. Maybe if they get 100 or so 150KB emails per minute
they will figure out that there is a problem and what to do.

My ISPs idea is that whenever I get an Swen32 email I should complain
about it at their "abuse" email address, in which case they would then
find out who sent it (fat chance since the address is forged anyway) and
then probably do nothing about it because it's just a guy with an
infected PC.

What they could do quite easily: Find out which ones of _their own
customers_ are infected. That is quite simple; they only let you access
the Internet through their servers if you call from the right phone
number. So if one of their customers connects and starts sending 150 KB
emails, then some simple programming would direct that customer to a
webpage telling them their computer is infected the next time they try
to connect to any webpage. Install that software with every ISP, and
within a week Swen is gone.

You would think they would come up with something like that, because it
is their money too. Actually, it is only their money, it costs me only
time and nothing else.

Re: Worm storms

In article <m1k77wry3z.gnu s@usa.net>,
those who know me have no need of my name <not-a-real-address@usa.net >
wrote:
[color=blue]
> in comp.lang.c i read:
>
> [re: the swen worm and it's bounces]
>[color=green]
> >I get about 50 an hour. Apparently Verisign is doing it to us.[/color]
>
> only indirectly. the worm doesn't synthesize a (potentially non-existent)
> domain, it uses the domains present in e-mail addresses it finds in msoe's
> local cache, some of which will be invalid yet within .com or .net, so some
> of the messages might have been rejected by some mta's were it not for the
> wildcard.[/color]

I found a few messages that told me that a virus sent from _my_ email
address was caught and not delivered. Since I use a Macintosh I am quite
sure that my computer is not infected; since there are emails going it
with my address as the sender I know that the virus uses real, but
forged, email addresses.

That doesn't mean that Verisign's land grab isn't disgusting and must be
stopped. By the way, the guys are already convicted for sending forged
letters to domain owners where they claim a domain name is up for
renewal (which it usually isn't), and if you fill out the forms and send
them back then you just transferred your domain to Verisign which
charges more than your old name registrar.