[Esa-l]"Cloaking" version of Sircam
Brett Glass
brett at lariat.org
Wed Aug 1 15:29:18 PDT 2001
At 02:49 PM 8/1/2001, Camden Spiller wrote:
>I've also got a few Sircam's from prodigy.net.mx with headers including:
>
>Return-path: <"*^L ^A^L^A"@prodigy.net.mx>
>Received: from panam2.panam.edu ([129.113.1.3])
> by my.mail.server with esmtp (Exim 3.22 #1)
> id 15RJbj-00072V-00
>
>Does anyone recognize that "*^L ^A^L^A" part as a common exploit attempt?
It's probably just junk generated by the worm. My guess is that
the author of the worm (who is most likely a native Spanish speaker)
doesn't like Prodigy Mexico and/or TelMex. (There is actually a lot
not to like about them.... They're expensive and have poor customer
service.) The worm appears to be directing complaints their way,
while at the same time hiding the true identity of the infected
machine.
--Brett
More information about the esd-l
mailing list