RE: MyDoom Email targets

["Jos Osborne" <Jos () meltemi co uk>]

We've has Sales@ hit repeatedly. Not sure if that's cos it's in people's address books or not - there definitely 
haven't been any e-mails sent out from Sales recently.

Jos



-----Original Message-----
From: madsaxon [mailto:madsaxon () direcway com]
Sent: 27 January 2004 18:03
To: full-disclosure () netsys com
Subject: Re: [Full-disclosure] MyDoom Email targets


At 09:26 AM 1/27/2004 -0800, Scott Manley wrote:

> I've noticed I'm getting a load of messages to my catch all domains with 
> addresses like adam@.... joe@.... sandra@.... - it's highly unlikely that 
> this would be part of anyone's address book - is there some mechanism in 
> the worm to try and propagate to random e-mail within a domain?

Yeah, here's a list of the names it can use, from a copy I got
and UPX/ROT-13 decoded:

sandra
linda
julie
jimmy
jerry
helen
debby
claudia
brenda
anna
alice
brent
adam
ted
fred
jack
bill
stan
smith
steve
matt
dave
dan
joe
jane
bob
robert
peter
tom
ray
mary
serg
brian
jim
maria
leo
jose
andrew
sam
george
david
kevin
mike
james
michael
alex
john
accoun
certific
list
servntivi
support
icrosoft
admin
page
the.bat
gold-certs
cafeste
submit
not
help
service
privacy
somebody
nosoft
contacts
iterating
bugs
me
you
your
someone
anyone
nothing
nobody
noone
webmaster
postmaster
samples
info
root
be_loyal:
mozilla

There are a lot of interesting strings in this thing.

;-)

m5x

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html