Re: "Virus Security Alert"...

Butterfly_Wings

Cornflake Girl
Joined
Nov 5, 2002
Messages
1,020
Location
Sydney
Gender
Female
HSC
2002
I've just read the notice on here about the new virus and am a little confused...

Basically, over the last couple of days I've been getting a few emails saying that mail I have sent has not been able to be delivered...only I had not sent emails to any of these addresses. One of the notices came back saying that my message had been returned because it contained the Worm.SCO.A virus. So I figured my computer must have this virus, if I am somehow sending infected messages to random places.
However, although one of the messages I got sent an attachment which had "status" as its address line, I did not open the attachment. None of the other weird emails I got had attachments. (although I did open the emails...I'm not sure if it can still do anything that way, though? :confused: ) I also searched my computer for the file as instructed in the notice on here (thank you, winston), and it came up clear. Also, I have only gotten like 5 or 6 weird messages, and when I searched for info on this, people infected with the virus are saying they're getting like 400+ a day, so it seems a bit uncharacteristic.
So I have no idea what's going on...if I don't have the virus, how are emails getting sent out from my account to places I don't know? And is there any way I can in fact be infected with it and it not come up when I do the search?
I'm sure this all sounds very stupid, but I don't know the first thing about computer viruses and stuff like that. Can anyone please explain any of this to me? :(
 

Fosweb

I could be your Doctor...
Joined
Jun 20, 2003
Messages
594
Location
UNSW. Still.
Gender
Male
HSC
2003
These emails are in fact SENDING YOU THE VIRUS!

DO NOT OPEN THE ATTACHMENT.

It does NOT mean that you have the virus, it is simply trying to fool people who don't know what they are doing into opening the attachment, thus infecting their computer.

So I have no idea what's going on...if I don't have the virus, how are emails getting sent out from my account to places I don't know?
They aren't being sent to these people at all. Don't worry about it, just hit the 'Delete' key.
The reason it appears to be like this, is they are able to (falsely) put your email address into the 'from' part of a message header, thus making it appear to have come from your account.

I get about 10 of these a day in some accounts.

To stop yourself being infected: Don't open attachments, get the latest virus definitions for your virus checker, don't give your email address to people you don't want to have it. If you have to post on a forum/newsgroup where an email address is required, put it as something like:

emailname@emailplace.com**NOSPAM**
or:
emailnameATemailplaceDOTcom

People who want to email you will be able to tell that they just delete the **NOSPAM** bit or replace the AT and DOT with the symbols, but computers scanning the web for email addresses can't tell the difference.
 

Winston

Active Member
Joined
Aug 30, 2002
Messages
6,128
Gender
Undisclosed
HSC
2003
Butterfly_Wings do you have an anti-virus installed? I'd advise you to update your definitions and do a full scan, the reason for such e-mail bounce-backs is because you're infected by a worm, which automatically sends e-mails via the setup e-mail accounts on your system, generally it randomizes e-mail addresses and that's why sometimes you get an e-mail send error because maybe the randomized e-mail didn't exist.
 

Winston
I just updated the announcement because Microsoft released a removal tool for Mydoom, check it out in the Announcement thread, and if you're infected by any other Worms visit the security response website at Symantec, http://securityresponse.symantec.com/

they have removal tools for all kinds of worms.
 

Fosweb
Originally posted by Winston
Butterfly_Wings do you have an anti-virus installed? I'd advise you to update your definitions and do a full scan, the reason for such e-mail bounce-backs is because you're infected by a worm, which automatically sends e-mails via the setup e-mail accounts on your system, generally it randomizes e-mail addresses and that's why sometimes you get an e-mail send error because maybe the randomized e-mail didn't exist.
Winston, you are incorrect here. You do not have to be infected by a worm to get these emails. They are just spam with virii attachments. I'll post a couple of messages to watch out for.

Examples of messages containing virii:

The message cannot be represented in 7-bit ASCII encoding and has been sent as a
binary attachment.


Filename: test.zip
Size: 31188
Type: application/octet-stream
I also get this one with attachments: document.pif, test.pif, document.zip and similar.

I've got your mail, but its came on my mail address???
i've read this mail ,,, sorry about that


cya


Filename: yourmail.txt.com
Size: 101350
Type: application/octet-stream
I deleted most of the fake server reports, I'll post one when I get it.
 

Fosweb
Just because you are getting these messages, does not mean you are infected with a worm.

V I R U S A L E R T

Our viruschecker found a VIRUS in your email to "postmaster@localhost".
We stopped delivery of this email!

Now it is on you to check your system for viruses

For further information about this viruschecker see:
http://amavis.org/
AMaViS - A Mail Virus Scanner, licenced GPL



For your reference, here are the headers from your email:

------------------------- BEGIN HEADERS -----------------------------
Received: (qmail 4807 invoked by uid 0); 6 Feb 2004 01:35:39 +0100
Received: from unknown (HELO localhost) (127.0.0.1)
by tuxgate.atr-online.de with SMTP; 6 Feb 2004 01:35:39 +0100
Received: from atr-online.de
by localhost with POP3 (fetchmail-6.2.0)
for postmaster@localhost (multi-drop); Fri, 06 Feb 2004 01:35:39 +0100
(CET)
Received: from romeo.unimessage.net (romeo.unimessage.net [212.6.90.199])
by web02.manitu.net (8.10.2-SOL3/8.10.2) with ESMTP id i15JNSw10882
for <info@atr-online.de>; Thu, 5 Feb 2004 20:23:28 +0100
Received: from shakespeare.unimessage.net (inetsrn.unimessage.net [212.6.90.104])
by romeo.unimessage.net (8.11.2/8.11.2/Debian 8.11.0-6) with ESMTP id
i15JNWH06906
for <info@atr-online.de>; Thu, 5 Feb 2004 20:23:32 +0100
Received: by shakespeare.unimessage.net (Postfix, from userid 0)
id B46D765115; Thu, 5 Feb 2004 20:23:34 +0100 (MET)
X-CanBoxFlow: CanboxSwitch 1.17 Thu Feb 5 19:23:34 2004
X-CanBoxSwitch: FORWARDIT:info@atr-online.de
Delivered-To: st-wendelfirst@shakespeare.unimessage.net
Received: from mailgate2-ffm-vpn-p.adm.arcor.net (ol-l4-vpn01 [10.40.1.1])
by shakespeare.unimessage.net (Postfix) with ESMTP id F349865110
for <st-wendel@firstreisebuero.de>; Thu, 5 Feb 2004 20:23:33 +0100 (MET)
Received: from optusnet.com.au (p508AA177.dip.t-dialin.net [80.138.161.119])
by mailgate2-ffm-vpn-p.adm.arcor.net (Arcor-CN-MailRelay) with ESMTP id
CFB6C1750
for <st-wendel@firstreisebuero.de>; Thu, 5 Feb 2004 20:23:31 +0100 (MET)
From: <<EDITED>>
To: <<EDITED>>
Subject: [SPAM] hi
Date: Thu, 5 Feb 2004 20:23:31 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0009_A7680110.712EE5E3"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040205192331.CFB6C1750@mailgate2-ffm-vpn-p.adm.arcor.net>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on
spamfilter01.manitu.net
X-Spam-Level: *******
X-Spam-Status: Yes, hits=7.7 required=5.0 tests=BAYES_44,
BODY_WORM_BINARYATTACHMENT,MISSING_MIMEOLE,NO_REAL_NAME,
PRIORITY_NO_NAME,RCVD_IN_NJABL,RCVD_IN_SORBS autolearn=no version=2.61
X-Spam-Report:
* 0.2 NO_REAL_NAME From: does not include a real name
* 4.5 BODY_WORM_BINARYATTACHMENT BODY: Mail was generated by a worm
* -0.0 BAYES_44 BODY: Bayesian spam probability is 44 to 50%
* [score: 0.4838]
* 0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
* [80.138.161.119 listed in dnsbl.sorbs.net]
* 0.1 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org
* [80.138.161.119 listed in dnsbl.njabl.org]
* 1.6 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
* 1.2 PRIORITY_NO_NAME Message has priority setting, but no X-Mailer
X-UIDL: (`k!!nE["!3g0!!%:K!!
X-Fetchmail-Warning: recipient address st-wendelfirst@shakespeare.unimessage.net
didn't match any local name
X-AntiVirus: scanned for viruses on tuxgate.atr-online.de
-------------------------- END HEADERS ------------------------------
Etc. They are like this, with things like: 'Mail Delivery Subsystem: Error' in the From header.
Just delete them.
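To show what the headers quoted above actually tell you, here is an added example (not from the thread) that parses a constructed message modelled on them: it pulls the originating hop out of the last Received line, compares the claimed sender domain with the reverse DNS of the connecting host (the forged From that Fosweb describes), and reads back the SpamAssassin score. The From address and body are placeholders, since the post redacts them.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the bounce headers quoted in the post above.
# The post redacts From/To, so the sender address here is a made-up placeholder.
SAMPLE = """\
Received: from optusnet.com.au (p508AA177.dip.t-dialin.net [80.138.161.119])
    by mailgate2-ffm-vpn-p.adm.arcor.net (Arcor-CN-MailRelay) with ESMTP id
    CFB6C1750
    for <st-wendel@firstreisebuero.de>; Thu, 5 Feb 2004 20:23:31 +0100 (MET)
From: <someone@optusnet.com.au>
Subject: [SPAM] hi
X-Spam-Status: Yes, hits=7.7 required=5.0 tests=BAYES_44,
    BODY_WORM_BINARYATTACHMENT,MISSING_MIMEOLE,NO_REAL_NAME,
    PRIORITY_NO_NAME,RCVD_IN_NJABL,RCVD_IN_SORBS autolearn=no version=2.61

(binary attachment would follow here)
"""

RECEIVED_RE = re.compile(r"^from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")

def origin_hop(raw):
    """Return (helo_name, reverse_dns, ip) of the host that first handed the
    message to a relay: the last Received header, since each relay prepends."""
    msg = message_from_string(raw)
    first = " ".join(msg.get_all("Received")[-1].split())  # unfold the header
    m = RECEIVED_RE.match(first)
    return m.groups() if m else None

def sender_claim_mismatch(raw):
    """True when the From domain and the HELO name agree with each other but
    not with the reverse DNS of the connecting IP: the pattern in the thread,
    where a dial-up host presents itself as somebody else's mail domain."""
    helo, rdns, _ip = origin_hop(raw)
    from_domain = parseaddr(message_from_string(raw)["From"])[1].rsplit("@", 1)[-1]
    return from_domain == helo and not rdns.endswith(from_domain)

def spam_status(raw):
    """Parse SpamAssassin's X-Spam-Status into (hits, required, [test names])."""
    msg = message_from_string(raw)
    s = " ".join(msg["X-Spam-Status"].split())
    m = re.search(r"hits=([\d.]+) required=([\d.]+) tests=(.*?) autolearn=", s)
    tests = [t for t in m.group(3).replace(" ", "").split(",") if t]
    return float(m.group(1)), float(m.group(2)), tests

if __name__ == "__main__":
    print(origin_hop(SAMPLE))
    print("forged sender claim:", sender_claim_mismatch(SAMPLE))
    hits, required, tests = spam_status(SAMPLE)
    print(f"score {hits} (threshold {required}), {len(tests)} rules hit")
```

A mismatch like this is a strong hint, not proof, that the From line was forged; the point is that nothing in the chain ties the message to the account named in From.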
 

Winston
No actually Fosweb, I actually was infected by a worm once, because I had an account set up in Outlook Express, what happened was the worm automatically sent e-mails to randomized e-mails at 2-second intervals, because my NAV went crazy scanning all the outgoing e-mails.
 

Fosweb
Yeah but what I'm saying is, that you don't have to be infected to get these emails. They are just generated and then mailed out as a way of spreading.

I get them, and have no virus/worm etc... It's just because some of my accounts (ie the affected ones) have publicly available addresses (like from my website/newsgroups), which people spider and then spam...
 

Winston
Originally posted by Fosweb
Yeah but what I'm saying is, that you don't have to be infected to get these emails. They are just generated and then mailed out as a way of spreading.

I get them, and have no virus/worm etc... It's just because some of my accounts (ie the affected ones) have publicly available addresses (like from my website/newsgroups), which people spider and then spam...
Yeah... I guess there's a variety of ways of such e-mail errors occurring...
 
