RE: [Full-Disclosure] MyDoom.b samples taken down

• Previous message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-Disclosure] MyDoom.b samples taken down"
• Maybe in reply to: Mike: "RE: [Full-Disclosure] MyDoom.b samples taken down"
• Next in thread: Todd Burroughs: "RE: [Full-Disclosure] MyDoom.b samples taken down"
• Reply: Todd Burroughs: "RE: [Full-Disclosure] MyDoom.b samples taken down"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "Bill Royds" <full-disclosure@royds.net>, <full-disclosure@lists.netsys.com>
Date: Mon, 2 Feb 2004 01:38:47 -0500

Bill....

You make some good points, but as to your comment that "Mydoom.B was not
as successful as mMydoom.A because people had already been warned about
clicking on messages with that format. It has nothing to do with the
lethality of the virus. What makes a virus dangerous today is much less
the actual virus code (as Nick says there are very much alike), but the
social engineering of the message and the smarts about where it gets the
email addresses to propagate"...

I don't think there's any way you can support your conjecture of the
success of A over B. I haven't checked since Friday evening, but before
then I didn't see the volume of messages received at our gateway
diminish, which pretty strongly indicates that either a) we've got the
same base infection rate as when it first hit (and therefore, systems
that got hit don't know that they got hit, and aren't aware that they
might have been hit and thus haven't been reading anything about how
they should deal with this specific message if it comes in,and therefore
are likely to click on Mydoom.B if they received it) , or b) new systems
are getting infected as soon as existing systems are getting cleaned up.
While I don't think educational efforts are fruitless (and in fact far
from it, I think the fact that they have simply been inadequate), I
don't think there's any reason to think that anyone has "learned" about
this one and thus abstains. I know quite definitively that when the
"FriendGreetings" malware was circulating a couple of years ago, we had
users continue to click on links (despite it having exactly the same
message format) as each new linked site was added, despite clear
information that was sent to them immediately upon the first site
becoming known.

What no one here seems to be interested in how this thing got so big, so
fast, and its apparent kinship in that respect to it's Sobig predecessor
(in terms of volume, and probably also in terms of ultimate goal). It
seems an important thing for this forum to consider, yet no one has
(other than to assume that there is something special about the code,
which there is not).

G

**********************************************************************
This e-mail is sent by a law firm and contains information
that may be privileged and confidential. If you are not the
intended recipient, please delete the e-mail and notify us
immediately.
***********************************************************************

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

• Previous message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-Disclosure] MyDoom.b samples taken down"
• Maybe in reply to: Mike: "RE: [Full-Disclosure] MyDoom.b samples taken down"
• Next in thread: Todd Burroughs: "RE: [Full-Disclosure] MyDoom.b samples taken down"
• Reply: Todd Burroughs: "RE: [Full-Disclosure] MyDoom.b samples taken down"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]