[Dshield] Blaster Cleanup Virus

Johannes B. Ullrich jullrich at sans.org
Sun Aug 17 14:45:30 GMT 2003

> I appear to have gotten this, but it claims to be from 
> comcast.online at comcast.m0.net.  

This may have been a legitimate e-mail, even though poorly
done. 'm0.net' is part of Digital Impact, a commercial 
mass mailing firm. Comcast may have outsourced the task of
notifying their customers to this company.

Either way: Better safe than sorry. While it is common for
companies (e.g. Microsoft) to e-mail URLs to download 
patches, still be very careful about the URLs included in
such e-mails. It is easy to hide / obfuscate the actual

> There are links that claim to be for the 
> Windows patch page, and for the Symantec utility that tests for the 
> worm, but that actually point back to pages from comcast.m0.net.  The 
> instructions that were sent ape very closely the page that Comcast did 
> put up on their web site, and on a superficial level the Symantec 
> utility from m0 looks like what you'd get if you downloaded it from 
> Symantec (file size, all the info in right-click -> properties is the 
> same), though I haven't run either utility.
> Unsurprisingly, there's been no response from either 
> 'support at comcast.net' or 'abuse at comcast.net', both of whom got separate 
> e-mails yesterday with a forwarded copy of the mail I got.
> -Mike
SANS - Internet Storm Center
PGP Key: http://isc.sans.org/jullrich.txt
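
The mismatch discussed in this thread (link text naming the Windows patch page or the Symantec utility while the href goes to comcast.m0.net) can be checked mechanically. The following is an added example, not part of the original messages; the keyword-to-domain table, the function names and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: names seen in link text mapped to the domain expected to serve
# them. Extend this table for your own environment.
EXPECTED = {"microsoft": "microsoft.com", "windows": "microsoft.com",
            "symantec": "symantec.com"}
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
# Constructed sample body; only the host comcast.m0.net comes from the thread.
SAMPLE = ('<p><a href="http://comcast.m0.net/r/patch">Windows patch page</a> '
          '<a href="http://comcast.m0.net/r/tool">Symantec utility</a> '
          '<a href="http://www.comcast.net/help">www.comcast.net</a></p>')

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def mismatched_links(html):
    """Return (text, actual_host, claimed_domain) for misleading links."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        # Domains the visible text claims: literal hostnames plus known names.
        claimed = {m.lower() for m in HOST_IN_TEXT.findall(text)}
        claimed |= {d for k, d in EXPECTED.items() if k in text.lower()}
        findings += [(text, host, d) for d in sorted(claimed) if not in_domain(host, d)]
    return findings
```

A flagged link is not proof of fraud, as the outsourced-mailer case above shows; it only marks links whose destination should be verified before following them.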