
I couldn't really think of a better place to send this...

A couple of days ago we noticed some of our customers seem to have been infected by the w95.fix2001 worm. In brief, this is a small Windows executable that infects '95 and '98 machines when run (yes, some people do run executables without checking...). It watches for outgoing email and sends copies of itself to the addresses it sees there from <admin__(a)local.domain> with a message-id of <Fix2001(a)microsoft.com>; under some circumstances it will replace command.com with malicious code that will toast the hard-disk when next booted. Note, this is not a new worm; most anti-virus vendors should have been able to detect this since mid-September 1999, but obviously, not everyone runs AV software. For more details, please see: http://www.symantec.com/avcenter/venc/data/w95.fix2001.html

Now, as I mentioned, it has been doing the rounds -- grep your maillogs for admin__ (or the message ID) and you should see it if it has come your way. Certainly before we put a `block' in (see below) I saw a number of incoming messages to our customers and several outgoing to people at other NZ ISPs.

Blocking this is pretty easy if you assume nobody actually uses admin__(a)some.domain as an email address. Below is what our sendmail guru Olof <oolsson(a)clear.co.nz> did here to block it, which is working very well -- I hope this is of some use to someone.
######################################################################
# CLEAR Net CHECK_MAIL rule set
######################################################################
Scheck_mail

# Canonify
R$*	$: $>3 $1

# Temporary fix to stop w95.fix2001 (remove this one at some stage)
R admin__ <@ $* > $*	$#error $@ 5.7.1 $: "Mail refused due to worm infection; refer to http://www.symantec.com/avcenter/venc/data/w95.fix2001.html"

-cw

--
Chris Wedgwood
chris.wedgwood(a)clear.co.nz
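One way to do the maillog check the post suggests, as an added example that is not from the original post or from CLEAR Net: a Python scan of sendmail "from=" records for the two indicators the post names (the admin__ envelope sender and the Fix2001 Message-ID), reporting the queue id and relaying host so an infected customer machine can be found. The log lines are constructed samples, the record layout assumed is sendmail's from=/msgid=/relay= form, and "(a)" in the post is taken to mean "@".

```python
import re
from dataclasses import dataclass

# Constructed sample sendmail maillog lines (not real traffic); "(a)" in the
# original post is assumed to stand for "@", as it would appear in a real log.
SAMPLE_MAILLOG = """\
Oct 12 14:03:21 mx1 sendmail[1234]: OAA01234: from=<admin__@example.co.nz>, size=21345, class=0, pri=51345, nrcpts=1, msgid=<Fix2001@microsoft.com>, proto=SMTP, relay=pc17.example.co.nz [192.0.2.10]
Oct 12 14:03:22 mx1 sendmail[1234]: OAA01234: to=<bob@example.net>, delay=00:00:01, mailer=esmtp, stat=Sent
Oct 12 14:05:00 mx1 sendmail[1240]: OAA01240: from=<alice@example.co.nz>, size=1200, class=0, pri=31200, nrcpts=1, msgid=<199910120405.OAA01240@pc3.example.co.nz>, proto=SMTP, relay=pc3.example.co.nz [192.0.2.20]
Oct 12 14:07:41 mx1 sendmail[1251]: OAA01251: from=<carol@example.org>, size=20990, class=0, pri=50990, nrcpts=1, msgid=<Fix2001@microsoft.com>, proto=SMTP, relay=mail.example.org [198.51.100.5]
"""

# Matches only the "from=" record of a message, which carries sender, msgid and relay.
FROM_LINE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*?"
    r"msgid=<(?P<msgid>[^>]*)>.*?relay=(?P<relay>\S+(?: \[[^\]]+\])?)"
)

# The two indicators described in the post.
WORM_LOCALPART = "admin__"
WORM_MSGID = "Fix2001@microsoft.com"

@dataclass
class Hit:
    queue_id: str
    sender: str
    relay: str
    reasons: tuple

def find_fix2001_hits(maillog: str) -> list:
    """Return one Hit per sendmail 'from=' record matching a w95.fix2001 indicator."""
    hits = []
    for line in maillog.splitlines():
        m = FROM_LINE.search(line)
        if not m:
            continue  # "to=" and other records carry no sender or msgid
        reasons = []
        localpart = m.group("sender").split("@", 1)[0].lower()
        if localpart == WORM_LOCALPART:
            reasons.append("sender admin__")
        if m.group("msgid").lower() == WORM_MSGID.lower():
            reasons.append("msgid Fix2001")
        if reasons:
            hits.append(Hit(m.group("qid"), m.group("sender"), m.group("relay"), tuple(reasons)))
    return hits

if __name__ == "__main__":
    for h in find_fix2001_hits(SAMPLE_MAILLOG):
        print(h.queue_id, h.sender, h.relay, ", ".join(h.reasons))
```

The third sample line shows why checking the Message-ID as well as the sender matters: a copy can arrive via another site's relay with a different envelope sender.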