Someone on the list has the virus Sobig.f and sent it to wine-devel on Wed Aug 20 2003 - 23:18:18 CDT
We MUST remove the infected message from the wine-devel archive.
Regards,
PETREOLLE Sylvain #DMIT/DATO/OPS (exploit@gefco.fr ) (+33-1 49 05) 29 29
On Fri, 2003-08-22 at 00:42, PETREOLLE Sylvain wrote:
Someone on the list has the virus Sobig.f and sent it to wine-devel on Wed Aug 20 2003 - 23:18:18 CDT
We MUST remove the infected message from the wine-devel archive.
I'd be happy to remove it. On a quick scan however, I was not able to find any infected messages in the archive.
"Jeremy Newman" jnewman@codeweavers.com wrote:
Someone on the list has the virus Sobig.f and sent it to wine-devel on Wed Aug 20 2003 - 23:18:18 CDT
We MUST remove the infected message from the wine-devel archive.
I'd be happy to remove it. On a quick scan however, I was not able to find any infected messages in the archive.
They must be in the wine-patches list. My ISP sent me cured versions of the infected messages. They were sent from the address from which there was no list activity for more than a year.
Yup, here is the message. http://winehq.com/hypermail/wine-patches/2003/08/0203.html
I'll remove that attachment. Should we contact that author and let him know he is infected, or simply remove him from the list?
On Fri, 2003-08-22 at 09:32, Dmitry Timoshkov wrote:
"Jeremy Newman" jnewman@codeweavers.com wrote:
Someone on the list has the virus Sobig.f and sent it to wine-devel on Wed Aug 20 2003 - 23:18:18 CDT
We MUST remove the infected message from the wine-devel archive.
I'd be happy to remove it. On a quick scan however, I was not able to find any infected messages in the archive.
They must be in the wine-patches list. My ISP sent me cured versions of the infected messages. They were sent from the address from which there was no list activity for more than a year.
"Jeremy Newman" jnewman@codeweavers.com wrote:
Yup, here is the message. http://winehq.com/hypermail/wine-patches/2003/08/0203.html
I'll remove that attachment. Should we contact that author and let him know he is infected, or simply remove him from the list?
Probably remove him from the list, then inform him and ask to subscribe if he is still interested.
Should we contact that author and let him know he is infected, or simply remove him from the list?
Probably remove him from the list, then inform him and ask to subscribe if he is still interested.
You need to be careful, the 'From:' in the mail is probably wrong, so you need to check the IP address reported by the first (known) MTA.
I've been receiving a lot of bounce messages for this virus, and my NetBSD system isn't compromised (I'm not actually running wine!)
David
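The check David describes, as an added example that is not part of the original thread: walk the `Received:` headers from the top and believe only those written by your own mail hosts, so the last believable one gives the IP that actually connected to your first known MTA. The host names, addresses and sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Hosts we operate ourselves; only Received lines written by these are believed.
# Hypothetical names for this example.
TRUSTED_MTAS = {"archive.lists.example.org", "mx.lists.example.org"}

# Constructed sample message (documentation addresses, not real traffic).
SAMPLE = """\
Received: from mx.lists.example.org (mx.lists.example.org [192.0.2.10])
\tby archive.lists.example.org with ESMTP; Wed, 20 Aug 2003 23:18:18 -0500
Received: from LAPTOP (dsl-77.isp.example [203.0.113.77])
\tby mx.lists.example.org with ESMTP; Wed, 20 Aug 2003 23:18:10 -0500
Received: from mail.forged.example ([198.51.100.5])
\tby LAPTOP with SMTP; Wed, 20 Aug 2003 23:17:00 -0500
From: Known Developer <dev@project.example>
To: wine-patches@lists.example.org
Subject: constructed sample

body
"""

# "from <helo> (<peer info with [ip]>) by <host that wrote this header>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<peer>[^)]*)\)\s+by\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def origin_seen_by_trusted_mta(raw, trusted=TRUSTED_MTAS):
    """Return the peer recorded by the first (earliest) trusted MTA, or None."""
    msg = message_from_string(raw)
    origin = None
    # Received headers are prepended, so the newest hop comes first.
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        # Stop at the first hop we did not write: it and everything below
        # it could have been supplied by the sender.
        if not m or m.group("by").lower() not in trusted:
            break
        ip = IP_RE.search(m.group("peer"))
        origin = {"ip": ip.group(1) if ip else None,
                  "helo": m.group("helo"),
                  "recorded_by": m.group("by"),
                  "claimed_from": msg["From"]}  # shown only for comparison
    return origin

if __name__ == "__main__":
    print(origin_seen_by_trusted_mta(SAMPLE))
```
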
Yup, here is the message. http://winehq.com/hypermail/wine-patches/2003/08/0203.html
I'll remove that attachment. Should we contact that author and let him know he is infected, or simply remove him from the list?
Btw. Does SoBig.F run under wine? If yes, how bad can it get?
On Fri, 2003-08-22 at 09:32, Dmitry Timoshkov wrote:
"Jeremy Newman" jnewman@codeweavers.com wrote:
Someone on the list has the virus Sobig.f and sent it to wine-devel on Wed Aug 20 2003 - 23:18:18 CDT
We MUST remove the infected message from the wine-devel archive.
I'd be happy to remove it. On a quick scan however, I was not able to find any infected messages in the archive.
They must be in the wine-patches list. My ISP sent me cured versions of the infected messages. They were sent from the address from which there was no list activity for more than a year.
On Fri, Aug 22, 2003 at 06:13:39PM +0300, P. Christeas wrote:
Yup, here is the message. http://winehq.com/hypermail/wine-patches/2003/08/0203.html
I'll remove that attachment. Should we contact that author and let him know he is infected, or simply remove him from the list?
Btw. Does SoBig.F run under wine? If yes, how bad can it get?
It crashes for me.
Ciao, Marcus
LOL. When will we see a virus writer complain on the list that his virus doesn't work under Wine? :)
Btw. Does SoBig.F run under wine? If yes, how bad can it get?
It crashes for me.
Ciao, Marcus
===== Sylvain Petreolle (spetreolle_at_users_dot_sourceforge_dot_net) ICQ #170597259
alias upsf='false ; while [ $? -ne 0 ] ; do cvs update -APd ; done 2>&1 |tee cvslog'
"What if tomorrow the War could be over ?" Morpheus, in "Reloaded".
Marcus Meissner wrote:
On Fri, Aug 22, 2003 at 06:13:39PM +0300, P. Christeas wrote:
Yup, here is the message. http://winehq.com/hypermail/wine-patches/2003/08/0203.html
I'll remove that attachment. Should we contact that author and let him know he is infected, or simply remove him from the list?
Btw. Does SoBig.F run under wine? If yes, how bad can it get?
It crashes for me.
Ciao, Marcus
OK, we'll fix wine .. ;)
On the serious side: wine could actually be the perfect platform for security tests. Having a virus spread on a pseudo-system is noteworthy..
P. Christeas wrote:
Marcus Meissner wrote:
On Fri, Aug 22, 2003 at 06:13:39PM +0300, P. Christeas wrote:
Yup, here is the message. http://winehq.com/hypermail/wine-patches/2003/08/0203.html
I'll remove that attachment. Should we contact that author and let him know he is infected, or simply remove him from the list?
Btw. Does SoBig.F run under wine? If yes, how bad can it get?
It crashes for me.
Ciao, Marcus
OK, we'll fix wine .. ;)
On the serious side: wine could actually be the perfect platform for security tests. Having a virus spread on a pseudo-system is noteworthy..
We've been through this discussion before too. Wine is not a VM, and the isolation between Win32 and Unix code is the result of application's ignorance, rather than a deliberate design decision. As such, it is highly NOT recommended for cases where hostile code of unknown qualities is tested.
For all you know, sobig may be checking whether it is running on wine, and then issuing the correct interrupts (static linking dlopen) and infecting your Unix system.
Shachar
*oops* They were on wine-patches. Thanks for removal.
About that author, he probably isn't the sender, since Sobig.f spoofs the FROM field, using its own SMTP engine. See Sophos alert for more info: http://www.us.sophos.com/support/disinfection/sobigf.html
--- Jeremy Newman jnewman@codeweavers.com wrote:
Yup, here is the message. http://winehq.com/hypermail/wine-patches/2003/08/0203.html
I'll remove that attachment. Should we contact that author and let him know he is infected, or simply remove him from the list?
===== Sylvain Petreolle (spetreolle_at_users_dot_sourceforge_dot_net) ICQ #170597259
alias upsf='false ; while [ $? -ne 0 ] ; do cvs update -APd ; done 2>&1 |tee cvslog'
"What if tomorrow the War could be over ?" Morpheus, in "Reloaded".
Jeremy Newman wrote:
Yup, here is the message. http://winehq.com/hypermail/wine-patches/2003/08/0203.html
I'll remove that attachment. Should we contact that author and let him know he is infected, or simply remove him from the list?
Please don't remove anyone from the lists. The "From" is always forged, so you should ignore it. The Wine lists are currently getting about 1000 Sobig.F viruses per day, some of them supposedly from Alexandre ;)
I have temporarily changed the maximum message size on wine-patches to 40KB. So any emails with valid forged "From" headers will be caught for moderation. Since all the other lists were already set at 40KB by default, no viruses were able to make it through.