
Some SOB's have sent me a possible virus



Thorin Oakenshield
29th Aug 2002, 22:29
Don't worry, I haven't opened them. I think I'll be removing the contact-me email address from my websites and from the readme files of my FMs :rolleyes: I've had two of these pigs tonight alone.

email 1
Hello,This is a very powful tool
I expect you would like it.

email 2
Hello,This is a special nice game
This game is my first work.
You're the first player.
I wish you would like it.

If I find out who's behind this I'll pay them a visit and rip their heads off and shove them up their bottoms:eek:

EDIT: Sorry for the two swear words I changed them.

clayman
29th Aug 2002, 22:33
I had more junk email than normal after getting in from work today, and one quarantined virus, courtesy of the wonderful self-updating Norton SystemWorks. Hope nothing nefarious is getting started. Sorry for your trouble, Thorin. :(

How about we give them a fire arrow enema instead ? :)

bravus
29th Aug 2002, 23:19
I'm sure you know this already, Thorin, but it could be that the people from whom the viruses appeared to come were semi-innocent victims whose 'puters did it without their knowledge (if they're worm-type viruses).

I say 'semi-innocent' because if your 'puter propagates a worm it probably means (a) you have Outlook or Express (in my books an offence in itself, but I know my book is pretty mean ;)) and (b) you haven't bothered to get a decent virus scanner and keep it updated. At this point in history, there's really no excuse for getting wormed or trojanned and passing it on....

But aside from that rant, I'd hate to see you rip off someone's head and stick it up their bottom and then have to apologise - their ears might be blocked! ;)

Bravus

Thorin Oakenshield
29th Aug 2002, 23:37
A: Yes, I have Lookout Distress (it ain't broke) yet! Well, that's my opinion.
B: Yes I have Norton AV 2002 with latest definitions.

Rule #1: I NEVER open attachments if I don't know the source. And C: I'm aware email addresses can be hijacked; take Hotmail ;)

bravus
29th Aug 2002, 23:42
I think from reading what you said that you knew I was referring to the persons who sent you the viruses, not to you, with my little rant: I *knew* you practiced safe computing, else you would have run them and been infected (eeewww). But anyway, well done on the antivirus, condolences on the Outhouse Excess... ;)

Bravus

RicknMel
30th Aug 2002, 00:06
I know this is a serious thread..........and I'm sorry to hear about your "near miss" with the virii Thorin......

but I can't help but ROTF&LMAO at:
"Outhouse Excess" LOL :D :p
you kill me sometimes, bravus! :D

Caradavin1
30th Aug 2002, 03:51
I've gotten virus-ridden emails from my mother before, and she swears she didn't know about it. Of course, that was a couple of years ago; after I informed her about it and how to rid oneself of those pesky critters, I haven't had one from her since. (It was the I Love You virus.)

.......of course, maybe my mother did know......:eek:

Komag
30th Aug 2002, 07:04
I've gotten those SAME EXACT messages, Thorin, it sucks and I always delete them as well. Maybe one of us unknowingly was the one through whom the messages got spread to the other, or something like that. C'est la vie, at least we're smart enough not to ever fall for those pieces of crap

BTW, one I got said something like:

"This is a program to protect you from viruses. Like vaccinations, it has some file structure similar to real viruses, and your anti-virus software might have an alarm about it, but ignore that and install it anyway because it's actually just to help your computer develop immunity to the virus!"

Zaccheus
30th Aug 2002, 11:45
I 'like' the e-mails that tell you to delete certain files from your C:\ drive. Note: Never ever do this.

The other strange thing I've noticed recently is I keep getting 'mail cannot be delivered' replies for e-mails I haven't sent!

Someone must be impersonating me.

SlyFoxx
30th Aug 2002, 13:17
How about we give them a fire arrow enema instead ? ......... clayman

I'm w/ clayman on this one.

Mike_B
30th Aug 2002, 14:19
Originally posted by Zaccheus
'mail cannot be delivered' replies for e-mails I haven't sent!


That could mean that you have a virus...

RicknMel
30th Aug 2002, 15:50
Originally posted by @m


That could mean that you have a virus...

You beat me to it. You should perform a thorough scan soon.

Also....and I don't know if it's true, but I did it anyways...
Something about creating a "contact" in your address book named !000. (exclamation, zero, zero, zero)
Supposedly, anytime a virus tries to mass produce itself from your computer through your address book, it will try to send a mail to !000 first, then detect a bad address, and get confused...and quit.
Like I said...I don't know if it works, but I did it. :)

Mike_B
30th Aug 2002, 15:53
Originally posted by RicknMel


You beat me to it. You should perform a thorough scan soon.

Also....and I don't know if it's true, but I did it anyways...
Something about creating a "contact" in your address book named !000. (exclamation, zero, zero, zero)
Supposedly, anytime a virus tries to mass produce itself from your computer through your address book, it will try to send a mail to !000 first, then detect a bad address, and get confused...and quit.
Like I said...I don't know if it works, but I did it. :)

I read that somewhere too and also added it in my address book; unfortunately newer (worm) viruses can circumvent this trick :(

Fafhrd
30th Aug 2002, 16:39
"This is a program to protect you from viruses. Like vaccinations, it has some file structure similar to real viruses, and your anti-virus software might have an alarm about it, but ignore that and install it anyway because it's actually just to help your computer develop immunity to the virus!"

roflmao... I have to give whoever did that 10/10 for guts... :) I'd also have to give anyone who fell for it a couple of whacks upside the head...

Thorin Oakenshield
30th Aug 2002, 19:00
Bravus I hadn't heard of that one before (OutHouse Excess) :D LMAO:D I bet there are more!!!

I got your point though, I knew you meant the others.


Fafhrd Lol :D I totally agree!

Peter_Smith
30th Aug 2002, 20:25
When I get a virus e-mail from someone, I always examine the complete header. If the sender is masquerading as someone else, you can tell by looking at the address or domain of the machine that actually sent it. Then I determine what ISP it was sent from, and I send an e-mail complaining about it to abuse@senderisp and security@senderisp, where senderisp is the sender's ISP's domain. Send them a copy of the complete header.

There is also a freeware program out there called Sam Spade that helps to track down the owner of offending IP addresses.

If the hacker is spoofing IP addresses, the header may contain invalid information. Hopefully these abuse / security guys will be able to verify it.

theBlackman
30th Aug 2002, 22:30
Originally posted by Peter Smith
There is also a freeware program out there called Sam Spade that helps to track down the owner of offending IP addresses.


Sam Spade may be found on the DOWNLOAD page here:

www.PCPLUS.CO.UK

Zaccheus
31st Aug 2002, 18:17
No virus on my computer.

Besides, my e-mail is purely web-based, and I know of no virus that could send an e-mail from a custom website like that.

No, I think someone is simply giving my address as the originator/return address, which is just so simple to do:

My Gravity/Velocity simulation webpage (http://www.rcl-software.org.uk/gravel) contains a text box that lets you send some feedback directly to my e-mail. The return address is set to www@... so I can see that it came from my web site's feedback box.
Using that script, you could send an e-mail to anyone, with any return address you wish. But in the e-mail header, the true source of the e-mail is still recorded.

Thorin Oakenshield
5th Sep 2002, 18:08
I just got this today posted to thorinSPAMOFF @mseyre.co.uk

virus: blanche.zlq (W95Hybris.worm)

Received: from field.videotron.net [205.151.222.108] by imail.zetnet.co.uk with ESMTP
(SMTPD32-7.12) id A0F21D4600DC; Thu, 05 Sep 2002 01:10:26 +0100
Received: from client ([207.253.182.41]) by field.videotron.net (Sun Internet Mail Server sims.3.5.1999.12.14.10.29.p8)
with SMTP id <0H1X0052JVCSIT@field.videotron.net> for thorin@mseyre.co.uk; Wed, 4 Sep 2002 20:14:54 -0400 (EDT)
Date: Wed, 04 Sep 2002 20:14:54 -0400 (EDT)
Date-warning: Date header was inserted by field.videotron.net
From: Hahaha <hahaha@sexyfun.net>
Subject: Blanche neige et ...les sexe nains
Message-id: <0H1X0052KVCSIT@field.videotron.net>
MIME-version: 1.0
Content-type: MULTIPART/MIXED; BOUNDARY="Boundary_(ID_InF58570P8yrb6Hh4jOcPg)"
X-RCPT-TO: <thorin@mseyre.co.uk>
Status: U
X-UIDL: 306893977


--Boundary_(ID_InF58570P8yrb6Hh4jOcPg)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 8BIT

C'etait un jour avant son dix huitieme anniversaire. Les 7 nains, qui avaient
aidé 'blanche neige' toutes ces années après qu'elle se soit enfuit de chez
sa belle mère, lui avaient promis une *grosse* surprise. A 5 heures comme
toujours, ils sont rentrés du travail. Mais cette fois ils avaient un air
coquin...



--Boundary_(ID_InF58570P8yrb6Hh4jOcPg)--


Is there a way to find the actual sender?

Peter_Smith
6th Sep 2002, 03:13
It is possible using a little detective work.:)

Using a reverse DNS service I found on Google, ( http://remote.12dt.com/rns/ ) I found that the sender's domain name is as follows:

IP Address 207.253.182.41 resolves to:
doc-182-41.ccapcable.com


EDIT: Sam Spade does provide this information in the Basics menu. I just didn't know how to use it. I advise downloading Sam Spade and trying it out.

Using another service that identifies the domain owner ( http://registerfly.com/scripts/whois.php ):

ccapcable.com is registered at whois.RegisterFly.com

Registration Service Provided By: Domain Registry of Canada
Contact: support@droc.ca
Visit: http://www.droc.ca

Domain name: ccapcable.com

Registrant Info:
Cooperative de Cablodistribution de larriere-pays
Arseneau Stephane (info@ccapcable.com)
418-849-7125
FAX: 418-849-7128
860, Ave Notre-Dame
Charlesbourg, QC G2N 1P7
CA

The above is evidently a cable TV company that provides cable internet service. See http://www.ccapcable.com/

You can complain to these people by sending them the complete header. It includes a unique message ID that they can use to identify the sender if they want to. That is the key: if they want to.

Evidently IP 207.253.182.41 was using a server named field.videotron.net to actually transmit the message. Here is the domain lookup for videotron.net:

Registrant:
Le Groupe Videotron Ltee (VIDEOTRON2-DOM)
2155 Boul Pie-IX
Montreal, QC H1V 2E4
CA

Domain Name: VIDEOTRON.NET

Administrative Contact:
VTL, Admin Contact (VA488-ORG) dnsmaster@VIDEOTRON.NET
Videotron Telecom Ltee
a/s Pierre Nepveu
2155, boul Pie-IX
Montreal, QC H1V 2E4
CANADA
+1 514 899-8400 or 1-800-368-9314
Fax- - +1 514 380-8452
Technical Contact:
VTL, Network Administrators (VN493-ORG) netadmin@VIDEOTRON.NET
Videotron Telecom Ltee
2155 Boul Pie-IX
Montreal, Qc H1V 2E4
CA
+1 (514) 899-8400 or (800) 368-9314
Fax- +1 (514) 899-8452

Record expires on 19-Aug-2003.
Record created on 18-Aug-1995.
Database last updated on 5-Sep-2002 23:00:03 EDT.

Domain servers in listed order:

DNS1.VIDEOTRON.NET 205.151.222.253
DNS2.VIDEOTRON.NET 205.151.222.254
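
A worked version of the header walk Peter_Smith describes (read the Received: chain, take the originating address recorded by the relaying server, then work out whom to complain to), added here as an illustration and not code from anyone in this thread. It uses the header Thorin posted as constructed sample input (body omitted, continuation lines kept as the archive flattened them); the trusted-host set, the hypothetical forged host in the usage note, and the two-label domain heuristic in abuse_contacts are assumptions made for the example.

```python
import re

# Constructed sample input: the header block posted earlier in this thread,
# body omitted. The archive flattened the folded continuation lines, so the
# unfolder below accepts continuations without leading whitespace as well.
SAMPLE_HEADERS = """\
Received: from field.videotron.net [205.151.222.108] by imail.zetnet.co.uk with ESMTP
(SMTPD32-7.12) id A0F21D4600DC; Thu, 05 Sep 2002 01:10:26 +0100
Received: from client ([207.253.182.41]) by field.videotron.net (Sun Internet Mail Server sims.3.5.1999.12.14.10.29.p8)
with SMTP id <0H1X0052JVCSIT@field.videotron.net> for thorin@mseyre.co.uk; Wed, 4 Sep 2002 20:14:54 -0400 (EDT)
Date: Wed, 04 Sep 2002 20:14:54 -0400 (EDT)
Date-warning: Date header was inserted by field.videotron.net
From: Hahaha <hahaha@sexyfun.net>
Subject: Blanche neige et ...les sexe nains
Message-id: <0H1X0052KVCSIT@field.videotron.net>
X-RCPT-TO: <thorin@mseyre.co.uk>
"""

HEADER_START = re.compile(r"^[A-Za-z0-9-]+:")
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw):
    """Return (name, value) pairs, lower-casing names and joining folded lines.

    A line that does not start with 'Name:' is treated as a continuation of
    the previous field, whether or not it is indented.
    """
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if HEADER_START.match(line) or not fields:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
        else:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
    return fields


def received_chain(raw):
    """Parse each Received: field into one hop, top of message first.

    Servers prepend Received: lines, so index 0 is the hop closest to the
    recipient and the last entry is the hop closest to the sender.
    """
    hops = []
    for name, value in unfold_headers(raw):
        if name != "received":
            continue
        m_from = re.search(r"\bfrom\s+(\S+)", value)
        m_by = re.search(r"\bby\s+(\S+)", value)
        m_ip = BRACKETED_IPV4.search(value)
        hops.append({
            # the name after 'from' is what the connecting host announced (HELO);
            # the bracketed address is what the receiving server actually saw
            "claimed_from": m_from.group(1).lower() if m_from else None,
            "from_ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1).lower() if m_by else None,
        })
    return hops


def originating_ip(raw, trusted_hosts):
    """Walk the chain downward from the recipient's own server.

    Each hop's from_ip was written by that hop's 'by' server and is only as
    trustworthy as that server. A hop is accepted when its 'by' host is the
    host the previous accepted hop says it received from; the walk stops
    where that continuity breaks. Returns the deepest accepted from_ip, or
    None if even the top line was not written by a trusted host.
    """
    hops = received_chain(raw)
    if not hops or hops[0]["by"] not in trusted_hosts:
        return None
    origin = hops[0]["from_ip"]
    for prev, hop in zip(hops, hops[1:]):
        if hop["by"] != prev["claimed_from"]:
            break  # lines below this point may have been written by the sender
        origin = hop["from_ip"] or origin
    return origin


def abuse_contacts(hostname):
    """Abuse/security mailboxes for the network owning a host, following the
    abuse@ / security@ convention from the thread. Keeping the last two labels
    is a deliberate simplification; it is wrong for names like example.co.uk."""
    domain = ".".join(hostname.lower().split(".")[-2:])
    return ["abuse@" + domain, "security@" + domain]


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_HEADERS):
        print(hop)
    ip = originating_ip(SAMPLE_HEADERS, {"imail.zetnet.co.uk"})
    print("originating address recorded by the relay:", ip)
    # the reverse-DNS name Peter_Smith found for that address, hard-coded
    # because the example runs offline
    print("report to:", abuse_contacts("doc-182-41.ccapcable.com"))
```

Run as-is, the walk accepts the videotron hop because imail.zetnet.co.uk recorded receiving from field.videotron.net, and returns 207.253.182.41. If the second Received: line named some other host (say a hypothetical mail.forged.invalid) the continuity check would stop at the first hop and return 205.151.222.108 instead. The check only tells you where the verifiable part of the chain ends: a sender can write any Received: lines below the ones added by servers you trust, which is why handing the full header and its Message-id to the relay's abuse desk matters, since only they can match it against their own logs.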

Zaccheus
6th Sep 2002, 09:30
Nice work there, Peter.

Thorin Oakenshield
6th Sep 2002, 18:15
Thanks Peter,
Wow a lot of info:eek:

OK, if I complain, how do I send the header? :confused:
Is it what I posted above?
I right clicked the email and selected properties, then the details tab and finally clicked the message source button.

Peter_Smith
7th Sep 2002, 02:25
You are welcome. Yes, the header is the stuff you posted above. You must go through those steps to get the complete header. On Eudora, I just click a button that says "Blah blah". Also include the information about the virus, of course, and a copy of the message text. :)