Hi!

Yesterday I received a message with the subject "[ifip-tc6] Returned mail: Data format error".

Digging into one of its enclosures I found a reference to the MyDoom-O virus.

I passed it on to one of our e-mail security guys. This is his response.

The MyDoom-O virus uses spoofed "From" address and it may be constructed so as to appear as a bounce (i.e. returned mail). Full description of this MyDoom-O virus is available at:

http://vil.nai.com/vil/content/v_127033.htm

My analysis of the situation is that a PC with the address ifip-tc6@informatik.rwth-aachen.de in its address book has became infected. The virus try to propagate itself using "MAILER-DAEMON <noreply@informatik.rwth-aachen.de>" as the spoofed "From" address and sent a copy of itself to the mailing list ifip-tc6@informatik.rwth-aachen.de with the subject "[ifip-tc6] Returned mail: Data format error".

The server where the mailing list is on has virus protection and has disinfected the message. The disinfected message reached the list and subsequently everyone on the mailing list received a copy of this harmless disinfected message.

Congratulations are due to RWTH for disinfecting the message.

While there is no guarantee that the original message came from the PC of anyone on the TC6 mailing list, it might be worthwhile checking the state of your systems.

Regards

Peter

Peter Radford

UK Representative to IFIP TC6

T: +44 20 7446 1281

M: Peter.Radford@LogicaCMG.com

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.