
Posted: 21 Aug 2003, 21:06
by Izzy HaveMercy
Well, it will all be over on September 10. The worm destroys itself then... Serves him right, the lil' nasty bugger...

Posted: 21 Aug 2003, 21:23
by cocoamix
I use a Mac, so I open them up for a look-see, then I forward it to everyone I know.
My Linux friends get a kick out of them too.

Posted: 21 Aug 2003, 21:36
by dead stars
hallucienate wrote:yup, I had an inbox full of those bastards yesterday morning, which is a bit of a bugger when you receive mailer-daemon mail for a few hundred domains :(

Don't run the executable and make sure you have your Outlook patched with all the updates. I can't believe they released a mail client that runs executable attachments on receipt :urff:
Better still: don't use Outlook at all!
:von: :wink:

Posted: 22 Aug 2003, 09:04
by Panther
Don't use outlook! And no children either (urgh!). But hopefully whichever *friend* it was has figured it out as no crap mails overnight!!!

Posted: 22 Aug 2003, 09:37
by hallucienate
May I just take this chance to say that I use Pegasus Mail when I use Windows: www.pmail.com, and that I laugh at e-mail viruses. Except when I get a few hundred of them every morning. My delete key is wearing thin.

Posted: 22 Aug 2003, 17:16
by dead stars
hallucienate wrote:May I just take this chance to say that I use Pegasus Mail when I use Windows: www.pmail.com, and that I laugh at e-mail viruses. Except when I get a few hundred of them every morning. My delete key is wearing thin.
I receive suspicious messages on hotmail but they're empty. The viruses are deleted.

Posted: 22 Aug 2003, 21:47
by Serendipityhaven
well, on the off chance i thought id run a virus scan earlier on.
make a point of never opening unsolicited emails etc anyway, but thought running check wuld do no harm anyway, and the pc had been running real slow lately.
so this scan things currently half way thru now and annoyingly im looking at a long line of infected symbols flashing in front of every single file here.
so im not panicking.
i know nothing at all about viruses or how to rid them, but in the spirit of braving the new frontiers and not running to somebody else to come do whatever it is you do to rid yourself of it, im going to have a go on my own.
how hard can it be anyway?

but just out of curiosity tho, from the start there was an automatic scan check thing installed on this pc which ran every time the pc was started but had been mentioned that this can be a source for pc crashes on its own.
so it was uninstalled by someone. am wondering if this is really the case?

Posted: 23 Aug 2003, 10:56
by Serendipityhaven
apparently i dont have this virus doing the rounds, but i have picked up a mass of spyware bits and bobs and one trojan thing too (which is a minor virus i think).
all those flashing red symbols for something which is relatively minor!
currently feeling exceptionally proud of myself having managed to sort it out myself (i think).

Posted: 23 Aug 2003, 12:42
by Dan
I've been affected badly, not by the SoBig virus, but by the msblast worm. I didn't have the thing myself (I've been blocking port 135 for months), but it was causing so much extra traffic across my isp that everything was slowed right down.

-------

There is a way (sort of) to find out what idiot is sending you viruses. If you examine the full header of the email you'll see something like this-

Received: from [123.45.67.89]
Sometimes there's 2 different Received from's. It's usually the 2nd one.

Now go to samspade.org and type those 4 numbers just as they appear there, without the brackets, into the box that says "do stuff", then click the button. (Or if you use mirc just type /dns 123.45.67.89. Although this one won't work cos I made it up.)

This will resolve the sender's ip, then all you need to think is "Do I know someone on that isp?". If it's something common like btopenworld or freeserve you're screwed, as it's too common, but if it's something more unusual then you may recognise it immediately.

Posted: 23 Aug 2003, 22:11
by Serendipityhaven
hmm. so begins my induction into the wonderful world of worms, trojans and weird ass terminology.
as it turned out, i had some trojan thing which ive since been told is also known as a worm.
and this was why my pc was running super slow.
so apparently i can install the auto scan thing and this time it wont make the pc crash.
for all this protection of viruses and software available to combat it, even the best protected people i know seemed to have been caught one way or the other...

Posted: 24 Aug 2003, 14:38
by pikkrong
I'm in trouble :urff: :evil:
I got an e-mail to my hotmail account from somebody called "quiffboy"( :!: )
I know and tell to anybody else: "NEVER OPEN SUSPICIOUS ATTACHMENTS, EVEN FROM YOUR FRIENDS' ADDRESSES!"
and I didn't open attachment.
Actually: THERE WASN'T ANY ATTACHMENT,
there was nothing but 2 sentences which sounded approximately that:
"This is a new good tool. Hope you enjoy (or "like") it."
I deleted it (because I remember some virus letters have such a line) and let Norton Antivirus control my PC. No viruses were found.
But I still worry.
Could anybody explain me 2 things:
1. HOW COULD A VIRUS PROGRAM ADD THE NAME "QUIFFBOY" TO A STRANGE GERMAN E-MAIL ADDRESS WHICH HAD SENT IT TO ME?
2. WHY THE CAPACITY OF THE E-MAIL WAS MORE THAN 10 K ALTHOUGH THERE WAS ONLY 2 SENTENCE IN A NORMAL SHRIFT, NO ATTACHMENTS, PICS, LINKS ETC?
COULD THERE BE ANY HIDDEN THING WHICH OPENED AS SOON AS I OPENED THE E-MAIL :?: :evil: :urff: :?
and:
WHAT SHOULD I DO NOW :?: :?: :?: :?: :?:
best regards,
PikkRong

Posted: 24 Aug 2003, 14:47
by Serendipityhaven
just thought, if you moved all addresses from your main email address book to another email account+just flicked back to it when need be, then this kind of spamming of your fiends+collegues cudnt happen could it?

@Pikkrong-
one of my friends got worm which didnt show up straight away on virus scan. maybe its the same thing? dont know. he was convinced hed picked up a bug of some kind tho+kept running scans throughout the day+eventually it picked it up.
was no harm done, just inconvenienced a little running prog that got rid of bug.

cant do any harm being extra vigilant at the moment i think.
hope is ok for you+pc.

Posted: 24 Aug 2003, 14:48
by Serendipityhaven
:lol:
umm,thats "friend+collegues",not fiends+collegues,b.t.w. :roll:

Posted: 24 Aug 2003, 15:27
by Dan
pikkrong wrote:I'm in trouble :urff: :evil:
I got an e-mail to my hotmail account from somebody called "quiffboy"( :!: )
I know and tell to anybody else: "NEVER OPEN SUSPICIOUS ATTACHMENTS, EVEN FROM YOUR FRIENDS' ADDRESSES!"
and I didn't open attachment.
Actually: THERE WASN'T ANY ATTACHMENT,
there was nothing but 2 sentences which sounded approximately that:
"This is a new good tool. Hope you enjoy (or "like") it."
I deleted it (because I remember some virus letters have such a line) and let Norton Antivirus control my PC. No viruses were found.
But I still worry.
Could anybody explain me 2 things:
1. HOW COULD A VIRUS PROGRAM ADD THE NAME "QUIFFBOY" TO A STRANGE GERMAN E-MAIL ADDRESS WHICH HAD SENT IT TO ME?
2. WHY THE CAPACITY OF THE E-MAIL WAS MORE THAN 10 K ALTHOUGH THERE WAS ONLY 2 SENTENCE IN A NORMAL SHRIFT, NO ATTACHMENTS, PICS, LINKS ETC?
COULD THERE BE ANY HIDDEN THING WHICH OPENED AS SOON AS I OPENED THE E-MAIL :?: :evil: :urff: :?
and:
WHAT SHOULD I DO NOW :?: :?: :?: :?: :?:
best regards,
PikkRong
Many viruses can have an attachment, but there's no paperclip icon.

You say the virus had the name Quiffboy in it. This means one of 2 things-
1) Quiffboy has a virus
2) Someone else who has Quiffboy in his address book has a virus. Some viruses take names from your address book, and as well as sending themselves to those addresses, they also use the addresses as the "from" address, so it looks as though one of those viruses came from that address when it didn't.

If you look at the full email header you can find the ip of the person who sent the virus, which might help identify who's sending it unless they have a common isp.

Posted: 24 Aug 2003, 15:36
by pikkrong
Dan wrote:
Many viruses can have an attachment, but there's no paperclip icon.
And how do they spread?
Open automatically while I open the e-mail?

Posted: 24 Aug 2003, 16:16
by Dan
pikkrong wrote:
Dan wrote:
Many viruses can have an attachment, but there's no paperclip icon.
And how do they spread?
Open automatically while I open the e-mail?
Yes, but you said you were using hotmail, so you're ok.

The "hidden attachment" only affects Internet Explorer, and if people with explorer are up to date with all the patches they get a message saying something like "run this attachment? (yes/no)".

Posted: 24 Aug 2003, 18:47
by pikkrong
Dan wrote:
pikkrong wrote:
Dan wrote:
Many viruses can have an attachment, but there's no paperclip icon.
And how do they spread?
Open automatically while I open the e-mail?
Yes, but you said you were using hotmail, so you're ok.

The "hidden attachment" only affects Internet Explorer, and if people with explorer are up to date with all the patches they get a message saying something like "run this attachment? (yes/no)".
yes, THIS time it wasn't Internet Explorer.
but my other account is...

Posted: 24 Aug 2003, 19:21
by Quiff Boy
Dan wrote:
pikkrong wrote:I'm in trouble :urff: :evil:
I got an e-mail to my hotmail account from somebody called "quiffboy"( :!: )
I know and tell to anybody else: "NEVER OPEN SUSPICIOUS ATTACHMENTS, EVEN FROM YOUR FRIENDS' ADDRESSES!"
and I didn't open attachment.
Actually: THERE WASN'T ANY ATTACHMENT,
there was nothing but 2 sentences which sounded approximately that:
"This is a new good tool. Hope you enjoy (or "like") it."
I deleted it (because I remember some virus letters have such a line) and let Norton Antivirus control my PC. No viruses were found.
But I still worry.
Could anybody explain me 2 things:
1. HOW COULD A VIRUS PROGRAM ADD THE NAME "QUIFFBOY" TO A STRANGE GERMAN E-MAIL ADDRESS WHICH HAD SENT IT TO ME?
2. WHY THE CAPACITY OF THE E-MAIL WAS MORE THAN 10 K ALTHOUGH THERE WAS ONLY 2 SENTENCE IN A NORMAL SHRIFT, NO ATTACHMENTS, PICS, LINKS ETC?
COULD THERE BE ANY HIDDEN THING WHICH OPENED AS SOON AS I OPENED THE E-MAIL :?: :evil: :urff: :?
and:
WHAT SHOULD I DO NOW :?: :?: :?: :?: :?:
best regards,
PikkRong
Many viruses can have an attachment, but there's no paperclip icon.

You say the virus had the name Quiffboy in it. This means one of 2 things-
1) Quiffboy has a virus
2) Someone else who has Quiffboy in his address book has a virus. Some viruses take names from your address book, and as well as sending themselves to those addresses, they also use the addresses as the "from" address, so it looks as though one of those viruses came from that address when it didn't.

If you look at the full email header you can find the ip of the person who sent the virus, which might help identify who's sending it unless they have a common isp.
dan's right with point 2.

i got one last night that claimed to come from rob fakes :roll:

which kinda points to someone here having it. :urff:

i have also received some at work, so maybe its someone who also has my work email address...?!?

someone that has my work email address, rob fakes & pikkrong in their address books.

ring a bell with anyone? :?:

Posted: 24 Aug 2003, 21:07
by Dan
In explorer, turn your preview pane off (VIEW-LAYOUT-untick "show preview pane") - the virus can autorun simply by previewing it in the preview pane.

Now the preview pane is off, SINGLECLICK the virus email to select it but not open it. Rightclick it and select PROPERTIES. Click the DETAILS tab. Click MESSAGE SOURCE. Expand the little window to full screen to get a better look at it.

Now you have the complete mail header. Paste it here or pm me it and I can tell you the isp of the sender. As long as it's not a common one we can identify the sender.

Posted: 25 Aug 2003, 00:36
by pikkrong
Dan wrote:In explorer, turn your preview pane off (VIEW-LAYOUT-untick "show preview pane") - the virus can autorun simply by previewing it in the preview pane.
think, i've done it some times ago.
(i'm a very suspicious old man, don't trust that 'puter stuff).
does it mean that after doing that the last e-mail doesn't open without double-click? if so, i've done it.

Posted: 25 Aug 2003, 12:33
by Quiff Boy
i dont know what virus this is, but the mail i mentioned above (the robF one) has these headers:
Return-path: <Meier-Schloss@t-online.de>
Envelope-to: quiffboy@myheartland.co.uk
Delivery-date: Sun, 24 Aug 2003 11:33:18 +0200
Received: from [194.25.134.81] (helo=mailout03.sul.t-online.com)
    by mxng12.kundenserver.de with esmtp (Exim 3.35 #1)
    id 19qrFI-0006dj-00
    for quiffboy@myheartland.co.uk; Sun, 24 Aug 2003 11:33:12 +0200
Received: from fwd07.aul.t-online.de
    by mailout03.sul.t-online.com with smtp
    id 19qrFI-0008Lv-00; Sun, 24 Aug 2003 11:33:12 +0200
Received: from Lkfzlxcf (ZwAJWQZBgeCuTxGXLAhoy8txHd+tkduyPM8iMUEoYUxJ5E121buqgr@[217.86.47.190]) by fwd07.sul.t-online.com
    with smtp id 19qrEw-1psinI0; Sun, 24 Aug 2003 11:32:50 +0200
From: Meier-Schloss@t-online.de (postmaster)
To: quiffboy@myheartland.co.uk
Subject: Undeliverable mail--"onMouseout"
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary=VCZ1291pm31yL3rim178qz70179iOLW
Date: Sun, 24 Aug 2003 11:32:50 +0200
Message-ID: <19qrEw-1psinI0@fwd07.sul.t-online.com>
X-Seen: false
X-ID: ZwAJWQZBgeCuTxGXLAhoy8txHd+tkduyPM8iMUEoYUxJ5E121buqgr

--VCZ1291pm31yL3rim178qz70179iOLW
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>

<FONT>The following mail can't be sent to robjfakes@hotmail.com:<br>
<br>
From: quiffboy@myheartland.co.uk<br>
To: robjfakes@hotmail.com<br>
Subject: onMouseout<br>
The file is the original mail</FONT></BODY></HTML>
mxng12.kundenserver.de is myheartland's mailserver...

i assume fwd07.aul.t-online.de is the senders' mailserver. :?:

.de is german, yet a lookup on 194.25.134.81 and 217.86.47.190 seems to indicate they are dutch... :?:

but i cant quite follow the flow of information - is the sender dutch, yet they were trying to use t-online.de's outgoing mailserver?

the email had an attachment which was a html page from the t-online.de website. the attached page had some javascript in it, but it was only image-rollover stuff - nothing dodgy.

now i'm confused... :roll:

Posted: 25 Aug 2003, 13:34
by Dan
The 2nd ip is the sender.
*** Resolved 217.86.47.190 to pD9562FBE.dip.t-dialin.net

I tried going to www.t-dialin.net and it redirects to www.t-online.de so it looks like it's just some normal spam from Meier-Schloss@t-online.de and not a virus. As to how he got your email address, you're probably one of thousands he spammed that day and your email address must have found its way onto an email/spam list.

Posted: 25 Aug 2003, 13:38
by Quiff Boy
Dan wrote:The 2nd ip is the sender.
*** Resolved 217.86.47.190 to pD9562FBE.dip.t-dialin.net

I tried going to www.t-dialin.net and it redirects to www.t-online.de so it looks like it's just some normal spam from Meier-Schloss@t-online.de and not a virus. As to how he got your email address, you're probably one of thousands he spammed that day and your email address must have found its way onto an email/spam list.
cheers :)

Posted: 25 Aug 2003, 13:44
by Dan
In a mail header, it's almost always the last ip that's the sender. Even emails sent through hotmail (which some people think makes them anonymous) include the person's real ip in their headers.

Posted: 25 Aug 2003, 13:55
by hallucienate
All the IPs should be timestamped, so take the oldest one, remember to include the time zones.

Hotmail put in an X-Originating IP, which is exactly what it says.

2198 deleted items since this morning :?
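
The header-reading advice in the posts above (find the earliest Received hop, compare timestamps with their time zones, check for Hotmail's X-Originating-IP), as an added Python example that is not part of the original thread. The message, host names and IPs are constructed; Received lines below the first server you trust are written by the sending side and can be forged, so the result is a candidate, not proof.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: documentation-range IPs and made-up host names.
SAMPLE = """\
Received: from [198.51.100.7] (helo=relay.isp.example)
\tby mx.recipient.example with esmtp id AAA
\tfor <user@recipient.example>; Sun, 24 Aug 2003 11:33:12 +0200
Received: from smtp-in.isp.example
\tby relay.isp.example with smtp id BBB; Sun, 24 Aug 2003 10:33:05 +0100
Received: from Lkfz ([203.0.113.190]) by smtp-in.isp.example
\twith smtp id CCC; Sun, 24 Aug 2003 18:32:50 +0900
X-Originating-IP: [203.0.113.190]
From: someone@isp.example
To: user@recipient.example
Subject: constructed sample

body
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Return (utc_time, ip_or_None, from_clause) per Received line, oldest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())         # unfold continuation lines
        info, _, stamp = text.rpartition(";")  # the date follows the last ';'
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue                           # no usable timestamp on this hop
        if when.tzinfo is None:                # "-0000" parses as naive: treat as UTC
            when = when.replace(tzinfo=timezone.utc)
        from_clause = info.split(" by ")[0]    # what the receiving server saw
        found = IPV4.search(from_clause)
        hops.append((when.astimezone(timezone.utc),
                     found.group(1) if found else None, from_clause))
    return sorted(hops, key=lambda hop: hop[0])

def origin_candidates(raw):
    """Oldest bracketed Received IP plus any webmail X-Originating-IP value."""
    xoip = IPV4.search(message_from_string(raw).get("X-Originating-IP", ""))
    oldest = next((ip for _, ip, _ in received_hops(raw) if ip), None)
    return {"oldest_received_ip": oldest,
            "x_originating_ip": xoip.group(1) if xoip else None}
```

In the sample the oldest hop carries the latest wall-clock time (18:32 +0900), so sorting without converting to UTC would pick the wrong line.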