The Snow White Virus.
Slimbloke'H'
19-06-2001, 12:19 AM
Let me tell you a story. On Thursday morning before I left for work, I logged on to the web to check a couple of sites etc, and over the space of about ten seconds, the Zone Alarm firewall I have installed blocked five attempts to access my PC by an unknown source, which worried me a little. On Friday afternoon, I received the Snow White virus through my POP3 account, which has been pretty much redundant since I started using my Hotmail account six months ago. I have Outlook Express configured to check for mail every ten minutes, and sure enough, next time around I received another copy. Neither caused a problem, because my Norton Anti-virus dealt with them, but having never had any problems like this in nearly 14 months (except from Neil the Eagle and his kak worm, but we won’t go into that... ;) ), it did get me thinking.
This afternoon, I received yet another copy, but this time through my Hotmail account, which I would have expected to have been screened by the McAfee filter, but wasn’t, and I am now beginning to think that I am being targeted for some reason.
Does anyone know how easy it is to get a virus through Hotmail?
Am I being paranoid?
Is it possible to trace where an email virus has come from?
Your help would be much appreciated guys!
Sweetpea!
19-06-2001, 12:23 AM
Isn't Hotmail supposed to be one of the worst email facilities for security? It's what an internet security consultant once told me.
Slimbloke'H'
19-06-2001, 12:30 AM
Originally posted by Sweetpea!
Isn't Hotmail supposed to be one of the worst email facilities for security? It's what an internet security consultant once told me.
So it's not impossible to get a virus through then?
slowdog
19-06-2001, 02:03 AM
:eek:
I logged on yesterday afternoon and my copy of ZoneAlarm popped up alert after alert. It wasn't until I started thinking it was a bit odd to get so many alerts straight after another that I paid attention, and noticed that it was the same IP address all the time. I guessed someone or something was running a port scan so I disconnected sharpish.
Do you remember what IP address it was?
Stephenson Soundbyter
19-06-2001, 02:09 AM
I bet it was Alan Shearer looking for Dave
David Murray
19-06-2001, 02:09 AM
I've had many a virus come through from a hotmail account but so far McAfee has managed to detect them all.
Last Monday, I spent the whole day sorting out my nephew's PC - he had 7 different viruses on his PC - he had some IBM anti-virus software installed - this itself had 4 viruses in it - fun day - just about all of his viruses came via email from hotmail accounts.
slowdog
19-06-2001, 02:16 AM
If you open up the ZoneAlarm control centre (double-clicking on the taskbar icon should do the trick) then click on the 'alerts' button, you should get the alerts settings screen. At the bottom should be an option that says 'log alerts to a text file' and if you've got it enabled it will show you the path to the file.
Slimbloke'H'
19-06-2001, 02:19 AM
Originally posted by slowdog
:eek:
I logged on yesterday afternoon and my copy of ZoneAlarm popped up alert after alert. It wasn't until I started thinking it was a bit odd to get so many alerts straight after another that I paid attention, and noticed that it was the same IP address all the time. I guessed someone or something was running a port scan so I disconnected sharpish.
Do you remember what IP address it was?
No, I didn’t make a note of them. Does Zone Alarm hold a record of them?
slowdog
19-06-2001, 02:29 AM
What virus has affected the BBS so that my reply appears before the post I replied to?! :eek:
Slimbloke'H'
19-06-2001, 02:41 AM
Cheers for that Slowdog. Trouble is, it means absolutely bugger all to me!!! The only thing I can see, is that it was in fact five probes in 60 seconds, not 10! Can anyone make any sense of it?
FWIN,2001/06/15,07:43:16 +1:00 GMT,152.63.80.117:0,213.123.53.42:0,ICMP (type:3/subtype:1)
FWIN,2001/06/15,07:43:27 +1:00 GMT,194.74.65.21:0,213.123.53.42:0,ICMP (type:11/subtype:0)
FWIN,2001/06/15,07:44:07 +1:00 GMT,62.6.196.222:0,213.123.53.42:0,ICMP (type:3/subtype:1)
FWIN,2001/06/15,07:44:10 +1:00 GMT,62.6.197.137:0,213.123.53.42:0,ICMP (type:3/subtype:1)
FWIN,2001/06/15,07:44:16 +1:00 GMT,213.120.207.217:0,213.123.53.42:0,ICMP (type:3/subtype:1)
Slimbloke'H'
19-06-2001, 02:45 AM
Originally posted by slowdog
What virus has affected the BBS so that my reply appears before the post I replied to?! :eek:
Ah... That might’ve been me... ;)
slowdog
19-06-2001, 02:51 AM
Hmmm.... well, I had about 30 alerts all from the same IP address, whereas your alerts don't seem to repeat as much.
Dunno mate!
A Wooden Fish On Wheels
19-06-2001, 03:02 AM
Originally posted by Slimbloke'H'
152.63.80.117:0,213.123.53.42:0,ICMP (type:3/subtype:1)
FWIN,2001/06/15,07:43:27 +1:00
Surely that is just someone doing an icmp echo aka ping to you... wouldn't worry about it... there are legit reasons why you might be pinged depending if you are running anything on the net at the time? Otherwise it's probably just script kiddies probing massive IP ranges... they seem to like btinternet for some reason?
slowdog
19-06-2001, 03:05 AM
Arses - I've just switched to BT Internet this week, and yesterday was the first time I've been subject to what I assume was a port scan. Otherwise, yeah, you're right, it's normally been my ISP pinging me to see if I'm still there, or isolated pings.
Take a butcher's at this list then:
FWIN,2001/06/17,13:07:26 +1:00 GMT,66.20.122.179:4717,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:07:41 +1:00 GMT,66.20.122.179:4759,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:07:56 +1:00 GMT,66.20.122.179:4804,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:08:10 +1:00 GMT,66.20.122.179:4846,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:08:25 +1:00 GMT,66.20.122.179:4891,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:08:40 +1:00 GMT,66.20.122.179:4932,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:08:54 +1:00 GMT,66.20.122.179:4976,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:09:09 +1:00 GMT,66.20.122.179:1044,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:09:24 +1:00 GMT,66.20.122.179:1087,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:09:38 +1:00 GMT,66.20.122.179:1131,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:09:54 +1:00 GMT,66.20.122.179:1174,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:10:08 +1:00 GMT,66.20.122.179:1216,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:10:23 +1:00 GMT,66.20.122.179:1260,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:10:40 +1:00 GMT,66.20.122.179:1306,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:10:54 +1:00 GMT,66.20.122.179:1352,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:11:06 +1:00 GMT,66.20.122.179:1397,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:11:21 +1:00 GMT,66.20.122.179:1444,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:11:36 +1:00 GMT,66.20.122.179:1490,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:11:50 +1:00 GMT,66.20.122.179:1532,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:12:07 +1:00 GMT,66.20.122.179:1576,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:12:21 +1:00 GMT,66.20.122.179:1621,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:12:35 +1:00 GMT,66.20.122.179:1667,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:12:49 +1:00 GMT,66.20.122.179:1712,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:13:04 +1:00 GMT,66.20.122.179:1757,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:13:18 +1:00 GMT,66.20.122.179:1804,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:13:34 +1:00 GMT,66.20.122.179:1847,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:13:50 +1:00 GMT,66.20.122.179:1893,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:14:04 +1:00 GMT,66.20.122.179:1937,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:14:19 +1:00 GMT,66.20.122.179:1982,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:14:33 +1:00 GMT,66.20.122.179:2029,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:14:49 +1:00 GMT,66.20.122.179:2073,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:15:04 +1:00 GMT,66.20.122.179:2118,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:15:19 +1:00 GMT,66.20.122.179:2164,62.7.12.108:8080,TCP (flags:S)
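As an added example (not code from the thread, and not a ZoneAlarm tool), here is a small Python script that parses log lines in the format posted above and sorts them into background noise and repeated probes. The sample log is constructed from lines in this thread (the five ICMP entries and the first eight of the port-8080 SYNs) plus five made-up lines from a private 10.0.0.9 address trying several ports, so both branches of the detector run. Two things it makes explicit: ICMP type 3 and type 11 messages are error replies (destination unreachable, time exceeded), not echo requests, so a few of them from different routers is what a dial-up box sees when something it sent did not get through; and one address sending SYN after SYN to a single port within a few minutes is a different pattern from one stray packet each from many addresses.

```python
"""Parse ZoneAlarm 'FWIN' log lines and separate background noise from repeated probes."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format seen in the thread: the five ICMP entries, the
# first eight SYNs of the port-8080 run, and five made-up lines (RFC 1918 source)
# from a host trying several ports, so the multi-port branch is exercised too.
SAMPLE_LOG = """\
FWIN,2001/06/15,07:43:16 +1:00 GMT,152.63.80.117:0,213.123.53.42:0,ICMP (type:3/subtype:1)
FWIN,2001/06/15,07:43:27 +1:00 GMT,194.74.65.21:0,213.123.53.42:0,ICMP (type:11/subtype:0)
FWIN,2001/06/15,07:44:07 +1:00 GMT,62.6.196.222:0,213.123.53.42:0,ICMP (type:3/subtype:1)
FWIN,2001/06/15,07:44:10 +1:00 GMT,62.6.197.137:0,213.123.53.42:0,ICMP (type:3/subtype:1)
FWIN,2001/06/15,07:44:16 +1:00 GMT,213.120.207.217:0,213.123.53.42:0,ICMP (type:3/subtype:1)
FWIN,2001/06/17,13:07:26 +1:00 GMT,66.20.122.179:4717,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:07:41 +1:00 GMT,66.20.122.179:4759,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:07:56 +1:00 GMT,66.20.122.179:4804,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:08:10 +1:00 GMT,66.20.122.179:4846,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:08:25 +1:00 GMT,66.20.122.179:4891,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:08:40 +1:00 GMT,66.20.122.179:4932,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:08:54 +1:00 GMT,66.20.122.179:4976,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:09:09 +1:00 GMT,66.20.122.179:1044,62.7.12.108:8080,TCP (flags:S)
FWIN,2001/06/17,13:20:00 +1:00 GMT,10.0.0.9:3001,62.7.12.108:21,TCP (flags:S)
FWIN,2001/06/17,13:20:01 +1:00 GMT,10.0.0.9:3002,62.7.12.108:23,TCP (flags:S)
FWIN,2001/06/17,13:20:02 +1:00 GMT,10.0.0.9:3003,62.7.12.108:25,TCP (flags:S)
FWIN,2001/06/17,13:20:03 +1:00 GMT,10.0.0.9:3004,62.7.12.108:80,TCP (flags:S)
FWIN,2001/06/17,13:20:04 +1:00 GMT,10.0.0.9:3005,62.7.12.108:139,TCP (flags:S)
"""

# kind,date,time zone,src:port,dst:port,PROTO (detail) -- the zone text is skipped
LINE_RE = re.compile(
    r"^(?P<kind>FWIN|FWOUT),(?P<date>\d{4}/\d{2}/\d{2}),(?P<time>\d{2}:\d{2}:\d{2})[^,]*,"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),"
    r"(?P<proto>ICMP|TCP|UDP) \((?P<detail>[^)]*)\)$"
)

# ICMP type/code pairs that turn up in a home user's log; only 8/0 is a ping.
ICMP_NAMES = {
    (3, 1): "destination unreachable: host unreachable (reply to something this host sent)",
    (3, 3): "destination unreachable: port unreachable",
    (8, 0): "echo request (a real ping)",
    (11, 0): "time exceeded in transit (a router dropped an expired packet)",
}

def parse_line(line):
    """Return a dict for one log line, or None if the line is not in ZoneAlarm's format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    rec = {"kind": d["kind"],
           "when": datetime.strptime(d["date"] + " " + d["time"], "%Y/%m/%d %H:%M:%S"),
           "src": d["src"], "sport": int(d["sport"]),
           "dst": d["dst"], "dport": int(d["dport"]), "proto": d["proto"]}
    if d["proto"] == "ICMP":
        t = re.search(r"type:(\d+)/subtype:(\d+)", d["detail"])
        rec["icmp"] = (int(t.group(1)), int(t.group(2))) if t else None
    else:
        f = re.search(r"flags:(\w+)", d["detail"])
        rec["flags"] = f.group(1) if f else ""
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def describe(rec):
    """One readable line per record, for reading back a day's alerts."""
    if rec["proto"] == "ICMP":
        name = ICMP_NAMES.get(rec["icmp"], "ICMP %r" % (rec["icmp"],))
        return "%s %s -> %s: %s" % (rec["when"], rec["src"], rec["dst"], name)
    return "%s %s:%d -> %s:%d %s flags=%s" % (rec["when"], rec["src"], rec["sport"],
                                              rec["dst"], rec["dport"], rec["proto"], rec["flags"])

def repeated_sources(records, min_hits=5, window=timedelta(minutes=5)):
    """Sources that sent at least min_hits blocked inbound TCP SYNs within any `window`.

    One SYN each from many addresses is background noise; many SYNs from one address
    is someone coming back for more, and the port list says what they were after.
    """
    by_src = defaultdict(list)
    for r in records:
        if r["kind"] == "FWIN" and r["proto"] == "TCP" and "S" in r["flags"]:
            by_src[r["src"]].append(r)
    findings = {}
    for src, hits in by_src.items():
        hits.sort(key=lambda r: r["when"])
        start, peak = 0, 0
        for end in range(len(hits)):            # sliding window over the sorted hits
            while hits[end]["when"] - hits[start]["when"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_hits:
            ports = sorted({r["dport"] for r in hits})
            findings[src] = {"hits": len(hits), "peak_in_window": peak, "ports": ports,
                             "pattern": "single port, repeated" if len(ports) == 1 else "several ports",
                             "first": hits[0]["when"], "last": hits[-1]["when"]}
    return findings

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(describe(r))
    for src, finding in repeated_sources(recs).items():
        print(src, finding)
```

Run on the sample, none of the five ICMP sources is flagged, 66.20.122.179 comes out as eight hits on port 8080 alone, and 10.0.0.9 as five hits across ports 21, 23, 25, 80 and 139. The thresholds are a starting point; on a dial-up line a handful of SYNs from one address in five minutes is already worth a look, on a busier box you would raise them.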
Slimbloke'H'
19-06-2001, 03:12 AM
Originally posted by A Wooden Fish On Wheels
Surely that is just someone doing an icmp echo aka ping to you... wouldn't worry about it... there are legit reasons why you might be pinged depending if you are running anything on the net at the time? Otherwise it's probably just script kiddies probing massive IP ranges... they seem to like btinternet for some reason?
...And there was me thinking that it was just a bunch of incomprehensible numbers! :)
OK, so I’ve no need to be paranoid. What about finding out where the poxy viruses are coming from? Can it be done?
A Wooden Fish On Wheels
19-06-2001, 03:13 AM
Yep.. portscan. You can feed the ip addresses into http://www.demon.net/external/ to do nslookups and stuff on where the ip addresses are coming from, but e.g. abuse@btinternet will do f all as there are millions and millions and millions of these going on every day. Just make sure you have no shares active or any trojans installed - and preferably keep any important / sensitive data offline if you think it warrants it.
Stephenson Soundbyter
19-06-2001, 03:22 AM
After reading this thread I installed Zone Alarm
This is scary. I have spent more time reading about pings than reading e-mail
Originally posted by Slimbloke'H'
Cheers for that Slowdog. Trouble is, it means absolutely bugger all to me!!! The only thing I can see, is that it was in fact five probes in 60 seconds, not 10! Can anyone make any sense of it?
FWIN,2001/06/15,07:43:16 +1:00 GMT,152.63.80.117:0,213.123.53.42:0,ICMP (type:3/subtype:1)
FWIN,2001/06/15,07:43:27 +1:00 GMT,194.74.65.21:0,213.123.53.42:0,ICMP (type:11/subtype:0)
FWIN,2001/06/15,07:44:07 +1:00 GMT,62.6.196.222:0,213.123.53.42:0,ICMP (type:3/subtype:1)
FWIN,2001/06/15,07:44:10 +1:00 GMT,62.6.197.137:0,213.123.53.42:0,ICMP (type:3/subtype:1)
FWIN,2001/06/15,07:44:16 +1:00 GMT,213.120.207.217:0,213.123.53.42:0,ICMP (type:3/subtype:1)
Let's take this one
FWIN,2001/06/15,07:43:16 +1:00 GMT,152.63.80.117:0,213.123.53.42:0,ICMP (type:3/subtype:1)
This guy (152.63.80.117) is <193.ATM7-0.BR1.ATL5.ALTER.NET> a USA ISP he pinged (ICMP) you (213.123.53.42) and you are <host213-123-53-42.dialup.lineone.co.uk> at 15,07:43:16 on the 15th June 2001.
Nothing to worry about.
Slowdog - You should be more worried - someone is making a concentrated effort to get through your firewall.
A Wooden Fish On Wheels
19-06-2001, 03:38 AM
/me thinks dave must be used to reading the logs of lots of probes
Slimbloke'H'
19-06-2001, 03:42 AM
Originally posted by Dave
This guy (152.63.80.117) is <193.ATM7-0.BR1.ATL5.ALTER.NET> a USA ISP he pinged (ICMP) you (213.123.53.42) and you are <host213-123-53-42.dialup.lineone.co.uk> at 15,07:43:16 on the 15th June 2001.
Nothing to worry about.
That's a relief! So what did this American guy have for lunch then?
Slimbloke'H'
19-06-2001, 03:50 AM
Originally posted by A Wooden Fish On Wheels
Yep.. portscan. You can feed the ip addresses into http://www.demon.net/external/ to do nslookups and stuff on where the ip addresses are coming from, but e.g. abuse@btinternet will do f all as there are millions and millions and millions of these going on every day. Just make sure you have no shares active or any trojans installed - and preferably keep any important / sensitive data offline if you think it warrants it.
OK, so which bit of this is the info. that I need to submit?
From SIZE Mon Jun 18 06:57:06 2001
Received: from [195.92.193.18] by hotmail.com (3.2) with ESMTP id MHotMailBCF753AE0050400438D3C35CC11274630; Mon Jun 18 06:57:03 2001
Received: from [195.92.198.123] (helo=mail17.svr.pol.co.uk)
    by mail1.svr.pol.co.uk with esmtp (Exim 3.13 #0)
    id 15BzWX-0003Mi-00
    for palacegull@hotmail.com; Mon, 18 Jun 2001 14:57:01 +0100
Received: from modem-207.eressea.dialup.pol.co.uk ([62.136.199.207] helo=crispc)
    by mail17.svr.pol.co.uk with smtp (Exim 3.13 #0)
    id 15BzWM-0006m5-00
    for palacegull@hotmail.com; Mon, 18 Jun 2001 14:56:51 +0100
From: Hahaha <hahaha@sexyfun.net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEW9URK5I3G9MZ0L674LEJKTIF01AJ"
Message-Id: <E15BzWM-0006m5-00.2001-06-18-14-56-51@mail17.svr.pol.co.uk>
Bcc:
Date: Mon, 18 Jun 2001 14:56:51 +0100
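On the question of which bit of the header to submit: as an added example (not part of the thread, and not a tool from any provider named here), the Python below reads a Received: chain and reports the connecting address recorded by the first relay. The headers are reconstructed from those posted above, with the recipient address replaced by a placeholder and the folding of the continuation lines restored. The From: line is whatever the mass-mailer chose to put there and is useless for a report; the line that matters is the earliest Received: header, the one added by mail17.svr.pol.co.uk, which records the dial-up address it accepted the message from. Only hops added by servers you have reason to trust are reliable, since anything below them could have been written by the sender, so the script also checks that each relay's 'by' name matches what the next relay says it received from (None where the next relay logged only an address and the check cannot be made).

```python
"""Walk a message's Received: chain to find the connecting IP worth putting in an abuse report."""
import email
import email.policy
import re

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed from the headers quoted in the thread; the recipient address is
# replaced by a placeholder and the body is omitted.
RAW_MESSAGE = """\
Received: from [195.92.193.18] by hotmail.com (3.2) with ESMTP id MHotMailBCF753AE0050400438D3C35CC11274630; Mon Jun 18 06:57:03 2001
Received: from [195.92.198.123] (helo=mail17.svr.pol.co.uk)
\tby mail1.svr.pol.co.uk with esmtp (Exim 3.13 #0)
\tid 15BzWX-0003Mi-00
\tfor recipient@example.invalid; Mon, 18 Jun 2001 14:57:01 +0100
Received: from modem-207.eressea.dialup.pol.co.uk ([62.136.199.207] helo=crispc)
\tby mail17.svr.pol.co.uk with smtp (Exim 3.13 #0)
\tid 15BzWM-0006m5-00
\tfor recipient@example.invalid; Mon, 18 Jun 2001 14:56:51 +0100
From: Hahaha <hahaha@sexyfun.net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Date: Mon, 18 Jun 2001 14:56:51 +0100

"""

def parse_received(value):
    """Pull the 'from' host, its bracketed IP, the HELO name, the 'by' host and the
    timestamp out of one (unfolded) Received: header value."""
    v = re.sub(r"\s+", " ", value).strip()
    hop = {"from": None, "ip": None, "helo": None, "by": None, "date": None}
    m = re.match(r"from (\S+)(?: \(([^)]*)\))?", v)
    if m:
        hop["from"] = m.group(1).strip("[]")
        ips = IP_RE.findall(m.group(0))
        hop["ip"] = ips[0] if ips else None
        h = re.search(r"helo=(\S+)", m.group(2) or "")
        hop["helo"] = h.group(1) if h else None
    b = re.search(r" by (\S+)", v)
    hop["by"] = b.group(1) if b else None
    if ";" in v:
        hop["date"] = v.rsplit(";", 1)[1].strip()
    return hop

def hops_in_delivery_order(raw):
    """Each relay prepends its own Received: header, so the last one is the first hop."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    return [parse_received(str(v)) for v in reversed(msg.get_all("Received", []))]

def chain_links(hops):
    """For consecutive hops, check that the relay which received the mail is the one
    the next relay says it got it from (by HELO or hostname). None = cannot tell."""
    links = []
    for earlier, later in zip(hops, hops[1:]):
        names = {x for x in (later["helo"], later["from"]) if x and not re.fullmatch(r"[\d.]+", x)}
        links.append(earlier["by"] in names if names else None)
    return links

def trace_origin(raw):
    """Summarise the first hop: the address to look up and the relay that logged it."""
    hops = hops_in_delivery_order(raw)
    first = hops[0]
    return {
        "origin_ip": first["ip"],        # the address to look up and report
        "origin_host": first["from"],    # reverse name the relay recorded, if any
        "helo": first["helo"],           # name the sending machine called itself
        "received_by": first["by"],      # the relay whose operator can act on the report
        "received_at": first["date"],
        "links": chain_links(hops),
        "hop_count": len(hops),
    }

if __name__ == "__main__":
    for k, v in trace_origin(RAW_MESSAGE).items():
        print("%-12s %s" % (k, v))
```

With the sample, trace_origin() gives 62.136.199.207 (modem-207.eressea.dialup.pol.co.uk, calling itself crispc) received by mail17.svr.pol.co.uk at 14:56:51 +0100, and the link checks come out [True, None]: the pol.co.uk hop names line up, while the Hotmail hop logged only an address, so that link cannot be confirmed from the headers alone. A report would go to the operator of the relay that recorded the first hop, quoting that header line and timestamp, not the From: address.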
slowdog
20-06-2001, 02:36 AM
Originally posted by Dave
Slowdog - You should be more worried- someone is making a concentrated effort to get through your firewall.
:eek:
Why me?!
I take it I did the right thing in pulling the connection as soon as worked out what was going on then?
Originally posted by Slimbloke'H'
Hahaha <hahaha@sexyfun.net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Tell us more!!!:clown:
jonesy
20-06-2001, 02:51 PM
I'm just about to re-connect to the net at home after a few months off due to HD failure which after many hours I managed to sort. I'm naturally a bit worried about getting a virus or attacked so what is the best reasonably priced firewall and anti-virus software I should install?
slowdog
20-06-2001, 10:43 PM
For firewalls, the oft-mentioned Zone Alarm is free, and seems to do the trick. Go to http://www.zonealarm.com/ to download it.
Slimbloke'H'
20-06-2001, 11:14 PM
Originally posted by tmjwat
Originally posted by Slimbloke'H'
Hahaha <hahaha@sexyfun.net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Tell us more!!!:clown:
:D