Worm storms

Julian V. Noble

Dear C Mavens,

Anyone here getting hosts of spam with nefarious attachments,
purporting to be from M$ or its lackeys, into your mailbox?

I neglected to spoof my header, and since Hurricane Isabel
I have gotten well over 10K such messages.


--
Julian V. Noble
Professor Emeritus of Physics
(e-mail address removed)
^^^^^^^^^^^^^^^^^^
http://galileo.phys.virginia.edu/~jvn/

"Science knows only one commandment: contribute to science."
-- Bertolt Brecht, "Galileo".
 
Ian Tuomi

Julian said:
Dear C Mavens,

Anyone here getting hosts of spam with nefarious attachments,
purporting to be from M$ or its lackeys, into your mailbox?

I neglected to spoof my header, and since Hurricane Isabel
I have gotten well over 10K such messages.

Yes. I am getting ~200/day but I made Mozilla identify them as spam and
not download any attachments bigger than 50k so they are quickly deleted.

--
Ian Tuomi
Jyväskylä, Finland

"Very funny scotty, now beam down my clothes."

GCS d- s+: a--- C++>$ L+>+++$ E- W+ N+ !o>+ w---
!O- !M- t+ !5 !X R+ tv- b++ DI+ !D G e->+++ h!

NOTE: Remove NOSPAM from address
 
Björn Lindström

Ian Tuomi said:
Yes. I am getting ~200/day but I made mozilla identify them as spam
and not download any attachments bigger than 50k so they are quickly
deleted

For me, these two procmail rules got the signal/noise ratio down to
levels manageable by Gnus. (But then I was getting more like ~1000
messages/day for a few days there).

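# Drop mail whose body declares a Microsoft document or download attachment type.
:0 B
* ^Content-Type:.application/(msword|(x-)?msdownload|vnd.ms-[aptw].*)
{
    LOG="[worm] "

    :0
    /dev/null
}

# Drop base64 attachments whose data starts with a Windows executable header.
:0 B
* ^Content-Transfer-Encoding:.*base64
* ^TVqQAAMAAAAEAAAA//8AALg
* 4fug4AtAnNIbg
{
    LOG="[worm] "

    :0
    /dev/null
}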
 
Darrell Grainger

Dear C Mavens,

Anyone here getting hosts of spam with nefarious attachments,
purporting to be from M$ or its lackeys, into your mailbox?

I neglected to spoof my header, and since Hurricane Isabel
I have gotten well over 10K such messages.

I used to get less than a dozen a day so I never worried about spoofing my
return address. As you can see, I now spoof my return address. I'm getting
around 500 a day now. I didn't read my email over the weekend and had over
1300 messages waiting for me.

If you are on a Unix box you can look into using procmail to filter your
incoming.

--
darrell at cs dot toronto dot edu
or
main(){int j=1234;char t[]=":mad:abcdefghijklmnopqrstuvwxyz.\n",*i=
"iqgbgxmdbjlgdv.lksrqek.n";char *strchr(const char *,int);while(
*i){j+=strchr(t,*i++)-t;j%=sizeof t-1;putchar(t[j]);} return 0;}
 
Zygmunt Krynicki

I got surprised one day as it turned out that I had ~200 messages waiting
for me. The bad thing is that I have a *slow* connection and those messages
were simply killing my system. I had 100+ sendmails hanging around and
waiting forever for the mail to arrive.

To be topical: what is the keyword "restricted" for, how old is it? I've
noticed a couple of people giving little hints that it's for telling the
programmer/compiler it's illegal to pass the same thing more than once. I
don't know if I got it correctly or is it just my imagination working.
Anyway what is the reason for such a construct? The only example I could
think of was something like memcpy - memmove (it's a little sloppy, I know
it's not exactly the same).
Feel free to correct me

Zygmunt
 
Malcolm

Zygmunt Krynicki said:
To be topical: what is the keyword "restricted" for, how old is it? I've
noticed a couple of people giving little hints that it's for telling the
programmer/compiler it's illegal to pass the same thing more than once.

Say we've got the following function

int mean(int *data, int N, int *err)
{
/* add up the data, if you get an overflow then set err */
}

The problem comes when err points to one of the data elements pointed to by
data. This is obviously pathological from the point of view of a human
programmer who knows the intent of the function, but to the compiler it is
legal C.
The need to handle pointer aliasing may make it difficult to optimise the
function. For instance, if integers are four bytes but the architecture
allows 8 bytes to be read from memory at one cycle, the compiler cannot take
advantage of this because of the possibility that a write to *err has
invalidated the second data item.
 
Bertrand Mollinier Toublet

Julian said:
Dear C Mavens,

Anyone here getting hosts of spam with nefarious attachments,
purporting to be from M$ or its lackeys, into your mailbox?

I neglected to spoof my header, and since Hurricane Isabel
I have gotten well over 10K such messages.

I do get emails from Swen infected users, to my one and only public
email address, probably collected from c.l.c when I was posting without
mangling it. For some reason, though, I do not get any unmanageable
amount :-/ Maybe 50 emails tops since last Friday...

--
Bertrand Mollinier Toublet
"In regard to Ducatis vs. women, it has been said: 'One is a sexy thing
that you've just got to ride, even if it breaks down a lot, costs a lot
of money, and will probably try to kill you'. However, nowadays I can't
seem to remember which one is which." -- Peer Landa
 
Simon Biber

Julian V. Noble said:
Dear C Mavens,

Anyone here getting hosts of spam with nefarious attachments,
purporting to be from M$ or its lackeys, into your mailbox?

I neglected to spoof my header, and since Hurricane Isabel
I have gotten well over 10K such messages.

Since 2003/9/18 I have received about 4000 copies of the worm
Swen.A. That's about 600 megabytes added to my monthly quota :(

I think a lot of people on comp.lang.c are affected according to a bounce message I received:

---
The file (part0004:q834994.exe) attached to mail (with subject: Current Net Critical Pack) sent by
sales.dep-at-xnet.ro to jens.toerring-at-physik.fu-berlin.de, 80bluesky-at-gmx.at,
calum.bulk-at-ntlworld.com, jacob.navia-at-jacob.remcomp.fr, thomas.pfaff-at-tiscali.no,
nicole0169-at-citiz.net, christian.bau-at-cbau.freeserve.co.uk, sbiber-at-optushome.com.au,
foo.foo-at-gmx.net, debashis_kolkata-at-rediffmail.com, nimel-at-passagen.se, a.litowka-at-gmx.de,
gah-at-ugcs.caltech.edu, gin-at-binky.homeunix.org, dagwyn-at-null.net, mambuhl-at-earthlink.net,
mason_verger-at-skincare.com, lawrence.jones-at-eds.com, klachemin-at-home.com,
pyf-at-mail.zjitc.net, nzanella-at-cs.mun.ca, francischeng-at-hong-kong.crosswinds.net,
jcook-at-strobedata.com, emonk-at-slingshot.co.nz.no.uce, pushkar-at-erc.msstate.edu,
lfw-at-airmail.net, binary-at-eton.powernet.co.uk, airia-at-acay.com.au, chris-at-sonnack.com,
kst-at-cts.com, derkgwen-at-hotpop.com, dontmail-at-address.co.uk.invalid, mkwahler-at-mkwahler.net,
os2guy-at-pc-rosenau.de, richmond-at-ev1.net, horpner-at-yahoo.com, nglen702-at-netscape.net,
stewart.brodie-at-ntlworld.com, ayeameen-at-yahoo.com, parinioa-at-hotmail.com,
malcolm-at-55bank.freeserve.co.uk, joewwright-at-earthlink.net, m_donaghy50-at-hotmail.com,
robertvazan-at-privateweb.sk, kevin.bracey-at-tematic.com, dan.pop-at-cern.ch, thadsmith-at-acm.org,
nethlek-at-tokyo.com, koster_thomas-at-yahoo.com.sg, ajo-at-andrew.cmu.edu,
first.last-at-company.com, aurer-at-axis.com, palaste-at-cc.helsinki.fi, eric.sosman-at-sun.com,
msgregoryz-at-earthlink.net, kers-at-hpl.hp.com, d99alu-at-efd.lth.se, cmccormick-at-mailsnare.net,
chrisval-at-bigpond.com.au, kuyper-at-saicmodis.com, deliberately-at-made.invalid,
ak+usenet-at-freeshell.org, irrwahn-at-freenet.de, xal-at-abowers.combase.com,
s030768-at-student.dtu.dk, pfiland-at-mindspring.com, scs-at-eskimo.com, noizetogo-at-direct.ca,
glenhallick-at-sprint.ca, cdvanos-at-telus.net, n36170-at-hotmail.com, me-at-here.com,
danmc-at-shaw.ca, magpie-at-shinythings.com, keimdf-at-softek-net.com is infected with virus:
Win32/Swen.A-at-mm.
 
Christian Bau

"Zygmunt Krynicki said:
I got surprised one day as it turned out that I had ~200 messages waiting
for me. The bad thing is that I have a *slow* connection and those messages
were simply killing my system. I had 100+ sendmails hanging around and
waiting forever for the mail to arrive.

Recommendation: Use Mozilla Firebird. It lets you choose "don't download
messages over xx Kilobyte", so it downloads only about 1KB of each of
these messages and then you can delete them.

To be topical: what is the keyword "restricted" for, how old is it? I've
noticed a couple of people giving little hints that it's for telling the
programmer/compiler it's illegal to pass the same thing more than once.

It is there since C99. There are two uses:

1. If you use a pointer like "int * restrict p", then it is undefined
behavior if you modify an object through an expression that is derived
from the value of p, and access it through a different pointer; and it
is also undefined behavior if you access an object through an expression
that is derived from the value of p, and modify it through a
different pointer.

This is important for an optimising compiler. Example:

int *restrict p;
int *q;

int x = *q, y;
*p = 2;
y = *q;

The compiler can assume that y == x because the assignment to *p cannot
change *q (if it did you would have violated the first rule).

2. If you use a pointer like "const int * restrict p", then it is
undefined behavior if you modify an object that is accessed through an
expression that is derived from the value of p. In other words, *p
cannot be modified as long as the pointer p exists. Usually, if you have
a const* pointer then the object pointed to can still be modified by
other means, or by casting the const-ness away. Not if it is a const
*restrict pointer.
 
Irrwahn Grausewitz

Simon Biber said:
Since 2003/9/18 I have received about 4000 copies of the worm
Swen.A. That's about 600 megabytes added to my monthly quota :(

I think a lot of people on comp.lang.c are affected according to a bounce message I received:
<who-is-who in c.l.c snipped>

Just what I thought. I had to re-route the traffic to the address I
used when posting here to /dev/null, after receiving about forty virus-
or bounce-messages per hour. The new alias redirects to a working
spam-free account (after removing the capitals).

Irrwahn
(currently using his old 14.4K Hayes Optima on a flaky phone line)
 
Ravi

Yes. I am getting ~200/day but I made mozilla identify them as spam and
not download any attachments bigger than 50k so they are quickly deleted

Are you saying that in spite of mangling your address with nospam you get the spam messages?
 
Jason

Dear C Mavens,
Anyone here getting hosts of spam with nefarious attachments,
purporting to be from M$ or its lackeys, into your mailbox?

I neglected to spoof my header, and since Hurricane Isabel
I have gotten well over 10K such messages.

I get about 100 mails every day :(
 
Christopher Benson-Manica

Christian Bau said:
1. If you use a pointer like "int * restrict p", then it is undefined
behavior if you modify an object through an expression that is derived
from the value of p, and access it through a different pointer; and it
is also undefined behavior if you access an object through an expression
that is derived from the value of p, and modify it through a
different pointer.

This is important for an optimising compiler. Example:

int *restrict p;
int *q;

int x = *q, y;
*p = 2;
y = *q;

(I'm assuming you omitted the calls to malloc() for simplicity...)

The compiler can assume that y == x because the assignment to *p cannot
change *q (if it did you would have violated the first rule).

So basically the restrict keyword means that p may not share write access to a
given area of memory with another pointer?

2. If you use a pointer like "const int * restrict p", then it is
undefined behavior if you modify an object that is accessed through an
expression that is derived from the value of p. In other words, *p
cannot be modified as long as the pointer p exists. Usually, if you have
a const* pointer then the object pointed to can still be modified by
other means, or by casting the const-ness away. Not if it is a const
*restrict pointer.

So restrict is a way of forcing strict const-ness?
 
Philip Ludlam

For me, these two procmail rules got the signal/noise ratio down to
levels manageable by Gnus.

[snip]

From Message-ID <[email protected]> on
comp.sys.acorn.misc the following procmail recipe will catch the virus
itself, but not the faked bounces - I've had none since installing it on
my ISP's server.

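# Only inspect messages between 140000 and 165000 bytes.
:0
* > 140000
* < 165000
{
    # B: match against the body; D: case-sensitive match.
    :0 BD
    * b3IAAABBZG1pbgAAAEdFVCBodHRwOi8vd3cyLmZjZS52dXRici5jei9iaW4vY291bnRlci5naWYv
    /dev/null
}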

FYI: that string contains a base64-encoded URL of a vanity counter that
the virus apparently has hard-coded in it

Yours,

Phil L.
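
What the base64 patterns in the two sets of procmail recipes in this thread match, as an added C example that is not code from any of the posters: the literal `TVqQAAMAAAAEAAAA//8AALg` is the base64 form of the `MZ` header bytes that begin a Windows executable, so a filter can decode the first bytes of each base64 part instead of matching one fixed string. The function names and the sample message are constructed here, and the scanner assumes LF line endings and exact header spelling.

```c
#include <stddef.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Decode at most outlen bytes from the start of base64 text s, skipping line
   breaks and stopping at '=' or any other non-base64 character.
   Returns the number of bytes written to out. */
size_t b64_prefix(const char *s, unsigned char *out, size_t outlen)
{
    unsigned acc = 0, bits = 0;
    size_t n = 0;
    for (; *s && n < outlen; s++) {
        if (*s == '\r' || *s == '\n')
            continue;
        const char *p = strchr(B64, *s);
        if (!p)
            break;
        acc = (acc << 6) | (unsigned)(p - B64);
        bits += 6;
        if (bits >= 8) {            /* a whole byte is available */
            bits -= 8;
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;
        }
    }
    return n;
}

/* Constructed sample: a text part, then a base64 part carrying an MZ header. */
static const char sample_msg[] =
    "Content-Type: text/plain\n\nhello\n--b\n"
    "Content-Type: application/x-msdownload\n"
    "Content-Transfer-Encoding: base64\n\nTVqQAAMAAAAEAAAA//8AALg\n";

/* 1 if a base64 MIME part of msg decodes to data starting with the "MZ" magic.
   Assumes LF line endings and this exact header spelling. */
int has_base64_executable(const char *msg)
{
    static const char hdr[] = "Content-Transfer-Encoding: base64";
    unsigned char magic[2];
    for (const char *p = msg; (p = strstr(p, hdr)) != NULL; p += sizeof hdr - 1) {
        const char *body = strstr(p, "\n\n"); /* blank line ends part headers */
        if (body && b64_prefix(body + 2, magic, 2) == 2 &&
            magic[0] == 'M' && magic[1] == 'Z')
            return 1;
    }
    return 0;
}
```

Unlike the fixed-string match, decoding also catches an executable whose base64 text is wrapped at a different column, since line breaks are skipped before the magic bytes are compared.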
 
Christian Bau

Christopher Benson-Manica said:
So basically the restrict keyword means that p may not share write access to a
given area of memory with another pointer?

Slightly more. As you said, only one pointer is allowed to write in that
area. But if one of the pointers writes, then the other pointer is not
even allowed to read from the same area.

That allows an optimising compiler to reorder read and write accesses
through both pointers.

So restrict is a way of forcing strict const-ness?

By using const + restrict, _you_ guarantee to the compiler that nothing
will try to change an object, as long as the const+restrict pointer
variable exists. As soon as the const+restrict pointer variable
disappears, you are allowed to modify the object again, unless it is
really const, of course. For example, if a function argument is a
const+restrict pointer, and you pass the address of an object to that
function, then you can modify the object again after the function call
is finished.
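
The aliasing contract discussed in this thread, as an added C99 example that is not code from any of the posters: Malcolm's `mean()` with `restrict` on both pointers, a caller-side check for the pathological call he describes, and Christian Bau's snippet wrapped in a function. The names `err_aliases_data` and `store_then_reload` and the overflow test are choices made for this example.

```c
#include <limits.h>
#include <stdint.h>

/* 1 if err points into data[0..n-1]. Comparing addresses of unrelated objects
   as integers is implementation-defined; it works on flat-memory platforms. */
int err_aliases_data(const int *data, int n, const int *err)
{
    uintptr_t lo = (uintptr_t)data, hi = (uintptr_t)(data + n);
    return (uintptr_t)err >= lo && (uintptr_t)err < hi;
}

/* Malcolm's mean() with the no-alias promise written down. The store to *err
   sits between loads of data[]; restrict lets the compiler keep or batch
   those loads, and makes a call with err inside data[] undefined behaviour. */
int mean(const int *restrict data, int n, int *restrict err)
{
    int sum = 0;
    *err = (n <= 0);
    for (int i = 0; i < n; i++) {
        if ((data[i] > 0 && sum > INT_MAX - data[i]) ||
            (data[i] < 0 && sum < INT_MIN - data[i])) {
            *err = 1;               /* adding data[i] would overflow int */
            return 0;
        }
        sum += data[i];
    }
    return n > 0 ? sum / n : 0;
}

/* Christian Bau's snippet as a function: p is restrict-qualified, so the
   compiler may reuse the first load of *q after the store through p. */
int store_then_reload(int *restrict p, int *q)
{
    int x = *q;
    *p = 2;
    return x == *q;   /* 1 for every call that keeps the restrict promise */
}
```

A caller that cannot prove the pointers are distinct can test `err_aliases_data()` first and refuse the call, since once `mean()` runs with overlapping arguments its behaviour is undefined.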
 
those who know me have no need of my name

in comp.lang.c i read:
I get about 100 mails every day :(

a spoofed from header is against my custom. things have calmed down a
little, so i only get around 150 per minute of these swen worms.
 
Joe Wright

those said:
in comp.lang.c i read:

a spoofed from header is against my custom. things have calmed down a
little, so i only get around 150 per minute of these swen worms.

I get about 50 an hour. Apparently Verisign is doing it to us. They
handle the DNS for .com and .net domains for the entire Internet. Swen
is emailed from non-existent domains and used to be effectively blocked
by anti-spam software which would look up Swen's domain, not find it and
therefore reject the email. Now that no longer works. Verisign's DNS
returns a 'found' signal for all domains since early last week. Part of
their SiteFinder feature.

They are being sued. They have to be stopped.
 
those who know me have no need of my name

in comp.lang.c i read:

[re: the swen worm and its bounces]
I get about 50 an hour. Apparently Verisign is doing it to us.

only indirectly. the worm doesn't synthesize a (potentially non-existent)
domain, it uses the domains present in e-mail addresses it finds in msoe's
local cache, some of which will be invalid yet within .com or .net, so some
of the messages might have been rejected by some mta's were it not for the
wildcard.
 
Christian Bau

in comp.lang.c i read:

a spoofed from header is against my custom. things have calmed down a
little, so i only get around 150 per minute of these swen worms.

I was thinking about doing lots of posts with forged sender address of
(e-mail address removed). Maybe if they get 100 or so 150KB emails per minute
they will figure out that there is a problem and what to do.

My ISP's idea is that whenever I get a Swen32 email I should complain
about it at their "abuse" email address, in which case they would then
find out who sent it (fat chance since the address is forged anyway) and
then probably do nothing about it because it's just a guy with an
infected PC.

What they could do quite easily: Find out which ones of _their own
customers_ are infected. That is quite simple; they only let you access
the Internet through their servers if you call from the right phone
number. So if one of their customers connects and starts sending 150 KB
emails, then some simple programming would direct that customer to a
webpage telling them their computer is infected the next time they try
to connect to any webpage. Install that software with every ISP, and
within a week Swen is gone.

You would think they would come up with something like that, because it
is their money too. Actually, it is only their money, it costs me only
time and nothing else.
 
