Virus ?


Shoreditch CPFC
27-01-2004, 01:24 PM
We've had a problem at work with a virus where someone sends an email with the title "Hi". I received an email from Staff@CPFC.ORG with the same title. I tried sending a separate email to staff@cpfc.org and got a corrupted message with an attachment in return, which I deleted.

If this wasn't a virus can whoever sent it send me a pm instead please ?

Thanks.

Dave
27-01-2004, 01:28 PM
Nobody sent you a virus from here - most viruses forge email headers so the sender appears to be genuine.

I would suggest you delete the email and ask yourself why your virus scanner didn't pick it up (unless it's spam)

GOD
27-01-2004, 01:30 PM
There is an email virus, we have just had it at work and WE ARE GETTING IT VIA STAFF@CPFC.ORG.

Warning: do not open any attachment you are not 100% sure about.

Shoreditch CPFC
27-01-2004, 01:33 PM
ok, cheers.

GOD
27-01-2004, 03:23 PM
Has anyone else got this thing? We are getting them sent to us every few mins!!!!! :bash:

Flappy Chicken
27-01-2004, 03:25 PM
Might be something to do with the chicken flu virus from Asia :p

GOD
27-01-2004, 03:28 PM
:rolleyes: thanks Flappy, do you want to chop suey it for me mate?

HarryTheMan
27-01-2004, 03:28 PM
:clown:

Dave
27-01-2004, 03:30 PM
Originally posted by GOD
Has anyone else got this thing? We are getting them sent to us every few mins!!!!! :bash:

post the headers

GOD
27-01-2004, 03:34 PM
Subject is normally: Test or Hi
and they contain bitmap attachments or .pif files.

Dave
27-01-2004, 03:48 PM
Originally posted by GOD
Subject is normally: Test or Hi
and they contain bitmap attachments or .pif files.

I said 'headers'

GOD
27-01-2004, 03:54 PM
Originally posted by Dave
I said 'headers'
sorry I don't know what you mean?

I have got a 'stinger' from McAfee which should remove it if anyone gets the virus, PM me and I will email it to you.

Dave
27-01-2004, 03:57 PM
Originally posted by GOD
sorry I don't know what you mean?

sigh

This shows you how to find the headers

http://www.spamcop.net/fom-serve/cache/19.html

Originally posted by GOD
I have got a 'stinger' from McAfee which should remove it if anyone gets the virus, PM me and I will email it to you.

double sigh

It might be an idea to have a virus scanner running rather than having to download a quick fix once you are infected.

Just a thought

Coulsdon Eagle
27-01-2004, 04:02 PM
I have received an email from CPFCRule@aol.com.
I have run antivirus scans, and my system is clean.

Dave
27-01-2004, 04:03 PM
Originally posted by Coulsdon Eagle
I have received an email from CPFCRule@aol.com.
I have run antivirus scans, and my system is clean.

How do you know it came from him? Did you check the headers?

GOD
27-01-2004, 04:07 PM
Originally posted by Dave
sigh

This shows you how to find the headers

http://www.spamcop.net/fom-serve/cache/19.html

double sigh

It might be an idea to have a virus scanner running rather than having to download a quick fix once you are infected.

Just a thought

a) You don't have to get funny!!!!! We can't all be computer whizz kids like you!

B) I have got Norton running but for this new virus it is as much use as a chocolate teapot!!

Dave
27-01-2004, 04:10 PM
Looks like about half the BBS have this

http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

Raf
27-01-2004, 04:16 PM
BBC article for those not fully conversant with tech speak:

Mydoom virus (http://news.bbc.co.uk/1/hi/technology/3432639.stm)

Coulsdon Eagle
27-01-2004, 04:17 PM
I have PC-cillin running all the time, and it is regularly updated

Dave
27-01-2004, 04:22 PM
Originally posted by Coulsdon Eagle
I have PC-cillin running all the time, and it is regularly updated

This is a new virus, only Symantec have updated their software so far afaik.

Be careful everyone

Ben H
27-01-2004, 04:41 PM
Why did you people click on the attachments in the first place?

GOD
27-01-2004, 04:45 PM
I'm normally very very careful, but I clicked on one that was sent via my best mate, who I was expecting an email from anyway, which took me off-guard.

Flappy Chicken
27-01-2004, 04:53 PM
Originally posted by GOD
and they contain big breast attachments

:eek:

Flappy Chicken
27-01-2004, 04:53 PM
Originally posted by Ben H
Why did you people click on the attachments in the first place?

Maybe to open them

Ouch that Hurt!
28-01-2004, 09:16 AM
I have had loads of these over the last two days. Seemingly from BBC sources or letting agencies. Two things I expect emails from too! Very annoying.

Smurph
28-01-2004, 11:24 AM
This virus Novarg/Mydoom spoofs e-mail addresses, so be careful. Make sure you've downloaded the latest anti-virus definitions. If you haven't, or you don't have AV software :eek:, don't connect to your e-mail until you have. There is also a vulnerability in Kazaa and a key logger element which could capture your passwords and credit card details...

Ben H
28-01-2004, 12:00 PM
Originally posted by Flappy Chicken
Maybe to open them

Bit of a fcuking stupid thing to do, with all due respect.

Slimbloke'H'
29-01-2004, 05:18 AM
Originally posted by Dave
sigh

This shows you how to find the headers

http://www.spamcop.net/fom-serve/cache/19.html

Norton picked up on an email I received earlier and zapped the offending attachment. Which part of the header tells me where it came from, Dave?

X-Symantec-TimeoutProtection: 0
X-Symantec-TimeoutProtection: 1
X-Symantec-TimeoutProtection: 2
X-Symantec-TimeoutProtection: 3
X-Symantec-TimeoutProtection: 4
X-Symantec-TimeoutProtection: 5
X-Symantec-TimeoutProtection: 6
X-Symantec-TimeoutProtection: 7
X-Symantec-TimeoutProtection: 8
X-Symantec-TimeoutProtection: 9
X-Symantec-TimeoutProtection: 10
X-Symantec-TimeoutProtection: 11
X-Symantec-TimeoutProtection: 12
X-Symantec-TimeoutProtection: 13
X-Symantec-TimeoutProtection: 14
X-Symantec-TimeoutProtection: 15
X-Symantec-TimeoutProtection: 16
X-Symantec-TimeoutProtection: 17
X-Apparently-To: capitalgulls@yahoo.co.uk via 216.136.129.110; Wed, 28 Jan 2004 20:36:06 +0000
X-YahooFilteredBulk: 195.92.67.23
Return-Path: <t.pressman@ex.ac.uk>
Received: from 195.92.67.23 (EHLO mail18.svr.pol.co.uk) (195.92.67.23)
by mta108.mail.ukl.yahoo.com with SMTP; Wed, 28 Jan 2004 20:36:06 +0000
Received: from modem-2722.karuhiruhi.dialup.pol.co.uk ([81.78.138.162] helo=ex.ac.uk)
by mail18.svr.pol.co.uk with esmtp (Exim 4.14)
id 1AlwMk-0003Js-EI
for capitalgulls@yahoo.co.uk; Wed, 28 Jan 2004 20:32:51 +0000
From: t.pressman@ex.ac.uk
To: capitalgulls@yahoo.co.uk
Subject: Server Report
Date: Wed, 28 Jan 2004 20:32:56 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0007_BA97E851.89E00DF2"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <E1AlwMk-0003Js-EI.2004-01-28-20-32-51@mail18.svr.pol.co.uk>

This is a multi-part message in MIME format.

------=_NextPart_000_0007_BA97E851.89E00DF2
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit

[message body: random binary data, not readable as text]


------=_NextPart_000_0007_BA97E851.89E00DF2
Content-Type: plain/text;
name="Norton AntiVirus Deleted1.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="Norton AntiVirus Deleted1.txt"

Tm9ydG9uIEFudGlWaXJ1cyByZW1vdmVkIHRoZSBhdHRhY2htZW50OiB2bmVobXhkLnBpZi4N
ClRoZSBhdHRhY2htZW50IHdhcyBpbmZlY3RlZCB3aXRoIHRoZS BXMzIuTm92YXJnLkFAbW0g
dmlydXMu
------=_NextPart_000_0007_BA97E851.89E00DF2--

ozzieEagle
29-01-2004, 05:53 AM
Astalavista said as follows on Tuesday

MyDoom Computer Worm Spreading Quickly
Posted on Tuesday, 27 January 2004 @ 04:05:15 EST by Webmaster

Latest outbreak dubbed biggest threat in months.

The newly discovered "MyDoom" computer worm was spreading fast across e-mail networks today in what was being called the biggest virus threat in months.

The worm, also known as "Novarg" and "MiMail.r," was rated as a "high-outbreak" by security software maker Network Associates. The designation was higher than the "SoBig" worm, which plagued computer users in August, and the highest since the "I love you" virus in 2000.

"It's spreading at an incredibly fast rate," said Vincent Gullotto, vice president of Network Associates' anti-virus unit McAfee AVERT. "I suspect we'll see into the hundreds of thousands of machines affected."

He said that McAfee had received reports from some companies receiving MyDoom e-mails at rates as great as 1,000 a minute. He added that as many as six Fortune 500 companies have been affected.

The worm uses random subject lines that include "Test" and "Status" and has varying text and attachment names. It also uses spoofed addresses -- using e-mail addresses from somebody who did not send it. MyDoom is also able to make up e-mail addresses using valid Internet site names and send those out, Gullotto said.

Original article can be found here.

From the World Press
Fast-Spreading Worm Spells Doom
Latest Email worm has SCO-facing payload
New High-Risk Worm Floods In-Boxes
Spam-Sent MyDoom Worm Threat to PC Users
MyDoom virus hammering Windows systems
MyDoom E-Mail Worm Spreading Quickly
Mydoom worm spreading rapidly
New Windows worm spreads far and wide
Mydoom worm 'worse than Sobig'
Mydoom Virus Spreading Rapidly
Major worm attack makes email life a misery
Virus mobilises Kazaa army against SCO
Experts: Mydoom worm spreading faster than last year's Sobig-F
MyDoom Targets Linux Antagonist
Experts: 'Mydoom' virus is vicious
FBI launches probe into MyDoom virus

Additional Information
Descriptions and removal tools from Symantec, BitDefender, TrendMicro, Network Associates, Panda Software, Sophos, CA, F-Secure and ISS X-Force Research.


ozzieEagle
29-01-2004, 06:00 AM
People seem to be confusing Mydoom with the following older virus, so make sure you have the right patch.

Virus alert: Beware of dodgy Bagle - Spreading rapidly...


20.01.2004 09:08:44

Computer security experts fear a new worm - Bagle-A - which began spreading rapidly across Australian email overnight could be a rehearsal for a more concerted worldwide attack in coming weeks.

According to Daniel Zatz, security director for Computer Associates Australia, Bagle-A carries an expiry date, possibly indicating more robust versions of the worm could be slated for release soon - drawing comparison to the Sobig worm. According to Zatz, while Bagle-A is already successful, responsible for an alarming 80 per cent jump in queries to CA's help desk and in virus submissions to rival computer security company Sophos, the current version of the worm contains bugs.

Bagle plunders address books for e-mail addresses and uses an in-built mail program to send itself to new victims. It also tells its creator about an infected computer and tries to open a backdoor that a malicious hacker could use to take control of the machine.

"We have seen over 60,000 copies of Bagle, and this number is rising at an alarming rate," said Paul Wood, chief security analyst at MessageLabs.

MessageLabs said that currently 1 in every 136 e-mails it was stopping was bearing the virus. Mr Wood said the Windows virus was spreading quickly despite using crude techniques to manipulate people into opening it. The Bagle worm can be spotted in e-mail inboxes as it always has a subject line that reads simply: "Hi"

The text of the message makes the message look like it is a test from technical support. Sometimes the attached file bears an icon that makes it look like it is a calculator. Users' machines will only be infected if they open and run the attachment bearing the worm. Like many other recent viruses, Bagle travels with its own e-mail software that helps it despatch itself to all the addresses it steals from an infected machine.


Astalavista's Comment:

Nothing serious in here: the buggy worm doesn't exploit any special vulnerability; instead it tries to disseminate itself by attacking the majority of naive Internet users. Come on guys, I think you already have a calculator installed on your computer, why do you need another one?

Dave
29-01-2004, 08:56 AM
Originally posted by Slimbloke'H'
Norton picked up on an email I received earlier and zapped the offending attachment. Which part of the header tells me where it came from, Dave?

On the email it tells you

From: t.pressman@ex.ac.uk
To: capitalgulls@yahoo.co.uk

The from address is the spoofed part - looking at the headers

Received: from modem-2722.karuhiruhi.dialup.pol.co.uk ([81.78.138.162] helo=ex.ac.uk)

we see that rather than t.pressman@ex.ac.uk sending the email, it's these guys, karuhiruhi.dialup.pol.co.uk, which is a Freeserve ADSL account and is infected.
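Dave's reading of the Received: chain, turned into a script. This is an added example for this thread, not code from any post. It parses a constructed copy of the message Slimbloke'H' pasted (his Received:, From:, To: and MIME headers and the Norton base64 notice are copied verbatim; the random binary body is replaced by a placeholder), walks the Received: hops oldest-first, reports where the From: domain and the HELO name disagree with the host that actually injected the mail, and decodes the scanner notice. Standard library only; the two header shapes it handles are the Yahoo and Exim forms in the posted headers.

```python
"""Walk the Received: chain of the worm mail posted above and show why the
From: line is not where it came from.  Added example for this thread, not
code from any post; RAW_MESSAGE is constructed from the headers Slimbloke'H'
pasted, with the random binary body replaced by a placeholder."""
import email
import email.utils
import re

# Constructed sample: the posted Received:/From:/To:/MIME headers and the
# Norton base64 notice are verbatim, the worm's binary body is a placeholder.
RAW_MESSAGE = """\
Return-Path: <t.pressman@ex.ac.uk>
Received: from 195.92.67.23 (EHLO mail18.svr.pol.co.uk) (195.92.67.23)
  by mta108.mail.ukl.yahoo.com with SMTP; Wed, 28 Jan 2004 20:36:06 +0000
Received: from modem-2722.karuhiruhi.dialup.pol.co.uk ([81.78.138.162] helo=ex.ac.uk)
  by mail18.svr.pol.co.uk with esmtp (Exim 4.14)
  id 1AlwMk-0003Js-EI
  for capitalgulls@yahoo.co.uk; Wed, 28 Jan 2004 20:32:51 +0000
From: t.pressman@ex.ac.uk
To: capitalgulls@yahoo.co.uk
Subject: Server Report
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0007_BA97E851.89E00DF2"

------=_NextPart_000_0007_BA97E851.89E00DF2
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit

(random binary body of the worm mail, omitted in this constructed sample)

------=_NextPart_000_0007_BA97E851.89E00DF2
Content-Type: plain/text; name="Norton AntiVirus Deleted1.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Norton AntiVirus Deleted1.txt"

Tm9ydG9uIEFudGlWaXJ1cyByZW1vdmVkIHRoZSBhdHRhY2htZW50OiB2bmVobXhkLnBpZi4N
ClRoZSBhdHRhY2htZW50IHdhcyBpbmZlY3RlZCB3aXRoIHRoZSBXMzIuTm92YXJnLkFAbW0g
dmlydXMu
------=_NextPart_000_0007_BA97E851.89E00DF2--
"""

# One hop in either shape seen above:  Yahoo "from 1.2.3.4 (EHLO claimed) (1.2.3.4)"
# or Exim "from rdns.name ([1.2.3.4] helo=claimed)".
HOP_RE = re.compile(
    r"from\s+(?P<name>\S+)"
    r"(?:\s+\((?:EHLO|HELO)\s+(?P<ehlo>[^)\s]+)\))?"
    r"\s*\(?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?"
    r"(?:\s+helo=(?P<helo>[^)\s]+))?",
    re.IGNORECASE,
)

def parse_message(raw):
    return email.message_from_string(raw)

def received_hops(msg):
    """Hops in transit order: element 0 is where the mail entered the system."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue  # unparseable hop: do not guess
        by = re.search(r"\bby\s+(\S+)", flat)
        hops.append({
            "from_name": m.group("name"),  # rDNS/IP as the receiving server saw it
            "ip": m.group("ip"),
            "helo": m.group("helo") or m.group("ehlo"),  # what the client claimed to be
            "by": by.group(1) if by else None,
        })
    return hops

def from_domain(msg):
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def spoof_indicators(msg):
    """Dave's point in code: judge origin by the injecting hop, never by From:."""
    hops = received_hops(msg)
    if not hops:
        return ["no parseable Received: headers; origin cannot be established"]
    origin, dom = hops[0], from_domain(msg)
    rdns = origin["from_name"].lower()
    helo = (origin["helo"] or "").lower()
    findings = []
    if dom and rdns != dom and not rdns.endswith("." + dom):
        findings.append(f"From: claims {dom} but the mail was injected by "
                        f"{rdns} [{origin['ip']}]")
    if helo and rdns != helo and not rdns.endswith("." + helo):
        findings.append(f"HELO identity {helo!r} does not match connecting host {rdns!r}")
    return findings

def scanner_notices(msg):
    """Decode the text attachment the desktop AV left in place of the .pif."""
    notes = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.is_multipart() or "antivirus" not in name:
            continue
        text = part.get_payload(decode=True).decode("latin-1")
        notes.append(text.replace("\r\n", "\n").strip())
    return notes
```

Calling `spoof_indicators(parse_message(RAW_MESSAGE))` gives two findings: the From: domain ex.ac.uk was not the injecting host (modem-2722.karuhiruhi.dialup.pol.co.uk, 81.78.138.162), and that host announced itself with "helo=ex.ac.uk", which is the line Dave points at. `scanner_notices` decodes the Norton part to "Norton AntiVirus removed the attachment: vnehmxd.pif." followed by the W32.Novarg.A@mm identification. Caveat: a From: domain that differs from the injecting host is also normal for mail sent through a third-party provider, so treat the mismatch as a pointer to the real source rather than proof of forgery, and remember that Received: lines written by anyone other than your own server can themselves be forged; only the hop your server added is fully trustworthy.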

Justin
31-01-2004, 09:59 AM
I have a company e-mail address that I can access either at work or at home. It is hosted by easyspace. Although I was meant to have up-to-date virus protection, this virus appears to have hit me in both locations. At home I just keep getting e-mails with the virus in them, and my virus protector alerts me to the presence of a virus, so I just delete them. Although this is frustrating it isn't really a problem. However, at work when someone tries to send me an e-mail with the virus in it, it freezes up my whole e-mail system and legitimate e-mails can't get through. The only solution I have found so far is to go onto the server at easyspace, via webmail, and delete the infected e-mail, and this allows the uninfected e-mail to get through. This is proving to be a real pain, but the only solution suggested so far is to rebuild my PC. Has anyone got any thoughts on how I may solve the problem? Thanks!