A MILNET ANALYSIS
A leading Independent Defense & Intelligence Web-based information source in the United States

Bookmark www.milnet.com     Contact milnet@milnet.com

_____________________________________________________________________________________
 
 

MILNET: Email Virus Alert



Beginning in the Summer of 2001, pro-American, military or anti-terrorist web sites throughout the U.S. have been noticing a rather remarkable uptick in the number of attempts to infect mail servers and mail users using email transmitted viruses.

These viruses typically look innocuous -- the subject seems harmless or uses a message that might appeal to some (triple X movies, spice girls concert meeting to take place, media briefing, etc.). The content of the message, however, usually only contains a few words of text (or no text at all) followed by a MIDI file, a GIF image,  a PIF file or an EXE file that many email programs will automatically start to process.

The result is the virus' worm is installed into your PC and begins to peruse the address book sending out copies of itself. Anyone whom you have sent a message to or replied to will now get the virus coated email.

This uptick increased again before 9/11 and yet again days after the bombing began in Afghanistan. Whether these are new factions angered by American foreign policy or just coincidence, is a matter for future discovery.

However, there are some things in common. For instance, many of the users sending the emails have installed foreign character fonts on their PCs, the result being non-printing or nonsense characters being part of the subject.

In some cases the nonsense characters are generated on purpose, such as a "spoofed" (fake) email address, perhaps created by a random algorithm.

A significant number of the emails are generated and seem to have genuinely come through gateways supporting the .<co> type of domains -- i.e. .tw (taiwan).

An even larger percentage of the virus loaded emails are being generated by pacbell.net, yahoo.com, hotmail.com and aol.com. On rare occasions, a filter may be catching these emails and stripping the virus. For the most part, however, pacbell, yahoo, hotmail and aol appear to be doing NOTHING to rectify this situation (the volume of virus laden emails incoming to MILNET is about 20 per day, half of which are pacball, yahoo, hotmail or aol accounts).

Most of the virus emails could be innocent -- that is, someone has become infected (we are not perfect and found ourselves infected and unknowingly generating infected emails) and their address book is being used. However, after extensive interviews and analysis, we have determined at least 50% of the attacks are not innocent "infectees".

As a result, many sites (including MILNET) are filtering all email, removing yahoo.com, hotmail.com, and aol.com email messages as a defense mechanism.

The cost of removing the viruses when email users make the mistake of opening the virus loaded email is approximately 1 hour per mistake. Already, the costs in time is nearing the 200,000 hour mark nationwide since last summer. Government and other pro-government, anti-terror, or pro-Israeli sites make up about half the sites that are being attacked.

If you have a pacbell.net, yahoo.com, aol.com, or hotmail.com email account, we highly recommend you find another email

© Copyright, 2002, Michael Crawford, MILNET

____________________________________________________________________________________________________________
 

distributed worldwide by AFI Research afi@supanet.com