Weird message from someone named "NIPC"

Tim May tcmay at got.net
Wed Jul 25 18:42:34 PDT 2001


Cypherpunks,

I've been getting anywhere from 10 to 30 "SirCam" worm messages a 
day. The volume is now declining. Most have attached files containing 
fragments of Microsoft Word documents, apparently extracted from the 
disk drive of the sender. Most are the usual garbage people write to 
each other, but some of the ones from corporations have been 
interesting. And this one, assuming it is real, seems to have 
originated from within some department of the government called "NIPC."

It must be bogus. This does not seem plausible, that they would send 
me something, so I expect a hoax.

The attached file, with the message, is 926 K, so I'm only enclosing 
a few tantalizing sections.

I really cannot imagine why I am getting these SirCam messages from 
some government agency named "NIPC," unless for some reason my e-mail 
address is in their address book. How could that happen?

(BTW, many of the SirCam messages have clock dates which are wrong. 
This one is incorrectly dated "8/24/01".)

At 2:39 PM -0400 8/24/01, NIPC Intern42 wrote:
------017B5BE9_Outlook_Express_message_boundary
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: message text

Hi! How are you=3F

I send you this file in order to have your advice

See you later=2E Thanks

------017B5BE9_Outlook_Express_message_boundary
Content-Type: application/mixed; name="DC TOOLZ.zip.bat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;  filename="DC TOOLZ.zip.bat"


The NIPC and FedCIRC have recently received information on attempts 
to locate, obtain control of and plant new malicious code known as 
"W32-Leaves.worm" on computers previously infected with the SubSeven 
Trojan.

The default ports for SubSeven to listen for network traffic are 
16959/tcp and 27374/tcp, though the numbers can be changed. Full 
descriptions and removal instructions of a number of SubSeven 
variants can be found at various anti-virus firm Web sites, including 
the following:



A computer security unit within the U.S. Federal Bureau of 
Investigation has detected a series of intrusions into U.S. 
government networks under an investigation code named Moonlight Maze, 
and the intrusions appear to have originated from Russia, an FBI 
official told Congress this week. A spokesman for the Russian embassy 
here today quoted the head of the press service for the Russian 
foreign intelligence service, Nikita Rabusov, as saying the Russian 
special services have "no relation whatsoever" to the theft of 
information from computer networks of the U.S. federal agencies.

"American specialists have failed to establish from where this 
intrusion originated," the embassy official quoted Rabusov as saying 
in an interview with the Russian news agency Itar-Tass. "They only 
indicated that it comes from a software company said to be 
reverse-engineering the products of leading American software 
companies. Russian special services are not so stupid to undertake 
such an operation, in case the necessity arises, directly from 
Moscow."

Please report computer crime to your local FBI office 
(www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate 
authorities. Incidents may be reported online at 
www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit also 
can be reached at (202) 323-3204/3205/3206, or nipc.watch at fbi.gov.

References to ECONCOM are to be deleted ASAP from all departmental 
systems. SLAM DUNK cover to be vetted by NIPC for release to 
journalists. Oakland and Monterey offices to coordinate.


Michael Vatis, deputy assistant director and chief of the Federal 
Bureau of Investigation's National Infrastructure Protection Center 
(NIPC) created February 26, 1998, told the Senate Judiciary 
Subcommittee on Terrorism, Technology and Government Information June 
29 that "crypto anarchists" see Washington's computers as "the final 
exam, the ultimate challenge, the enemy which must be destroyed." 
Agents are advised to seek out means of forcing these persons out of 
the public debate.


Internal Memorandum. The FRENZY Conference was a fantastic showing of 
our capabilities for covert entry into target computers. PDs across 
the country are asking how they can get their own CARNIVORE systems. 
Here is one such request:

"We've bought so many necessary items from vendors who attended the 
last FRENZY Conference ... the Conference was definitely one of the 
best I've attended. I was particularly impressed by how easy the 
Carnivore system was to set up."

Rick Smithman, Criminalistics Bureau Administrator, Lodi Police Department



With this thought in mind, The Laissez Faire City Times interviewed 
Ed Hertzog, editor of The Free Associator, an interesting e-zine that 
wants to facilitate Digital Anarchy. This interview is a little 
mirror of an underground, libertarian world, whose landmarks and 
standard-bearers are John Perry Barlow and Neal Stephenson, Nicholas 
Negroponte and Ayn Rand, Louis Rossetto and David Friedman.


NIPC has been tasked to assist in the take-down of a high-profile 
hacker terrorist at the DefCon conference next week in Las Vegas. The 
take-down is being planned for maximal public impact, as per AG 
Ashcroft's memo of 24JUN01. Full assistance will be provided by NIPC. 
Plain clothes agents will be at the conference to render assistance.




