View Full Version : Cybercafe Spam with virus

30-12-2002, 04:01 PM
I've just received 2 spam mails with virus intention i beleive...
nortons prevented me doing nefing and..i have preveiw in ooutlook and it wont open due to nortons prevention...and i looked in the properties of where the email came from...
it came from a cyber cafe in tauranga...
Is there anyhting i should do? like..email them and ask what their intention was?
or just delete and forget like i do with anything else i get?
this is..i admit..the first ever spam i've ever got located in New Zealand, also...a cybercafe...

this is in properties when i click on where it came from etc......

Return-Path: <mail@cybersurf.co.nz>
Received: from mail.quik.co.nz (203-167-190-11.dsl.clear.net.nz [])
by ns.quik.co.nz (8.12.5/8.12.5) with SMTP id gBU3lVpl025490
for <csinclair83@man.quik.co.nz>; Mon, 30 Dec 2002 16:47:32 +1300
Message-Id: <200212300347.gBU3lVpl025490@ns.quik.co.nz>
From: Cybersurf.Internet.Cafe, Tauranga, New Zealand<mail@cybersurf.co.nz>
To: csinclair83@man.quik.co.nz
Subject: I am in Love
Date: Mon,30 Dec 2002 16:47:56 PM
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
MIME-Version: 1.0
Content-Type: multipart/mixed;

Hope someone can tell me what the best action i could do is...nortons couldnt identify the virus in it but, it wont let me open and i wont risk it at all..


30-12-2002, 04:15 PM
I've encoutered the virus before, Ive got it saved in my hotmail account somewhere, dunno what the name is, but you should just delete it, then inform the cafe that they have a virus and should goto:

Then laugh your head off at them :p

30-12-2002, 04:21 PM
Sorry.. Ive deleted the messages...

It usually came as Goldfish.eml

It also contained something like

Have a look
Thanks Dear!

In the message, that is if its the one Im thinking of, I might be totally wrong here!

30-12-2002, 04:24 PM
check the attached love screensaver
and feel the fragrance of true love..

love.scr is name of the file..

thats my email lol...

30-12-2002, 04:28 PM
Don't be too quick to jump to conclusions re the sender.

It has in all probability come from someone who has your address in their address bock, and also the cybercafe address. Many Virii simply grab an address at random and spoof it as the "from" address.

The IP may be real, but traceroute simply shows it as an Auckland Telstra Clear address, could be anyone.

I had one recently sent to a little used address on my domain name, purporting to be from the CEO of a NZ company. I knew someone who would have that CEO address, and the e-mail address belonging to my domain, in their address book. One phone call confirmed that they were on-line at the exact time I received the virus email, and investigation showed their PC was infected.

It was not the CEO or his company that had sent it. It was simply someone that had both addresses.

Graham L
30-12-2002, 04:34 PM
Bouncing spam and complaining to ISPs is all very well, but it just uses more network bandwidth. Most of the time it does not affect the culprit.

It's usually best just to dump the stuff and do something useful. (Or even something useless :D , but something you choose to do, not something in response to the malicious scum).

30-12-2002, 08:34 PM
i've just jumped back online..and received 4 more...but this time 3 of them had a request for a send back 2 sender thingy to say i have readed it......

30-12-2002, 08:52 PM
If you are at all suspicious then just delete them.

You could also try mailwasher.

I use Mailwasher, Norton Antivirus 2003 and Norton Internet Security 2002. Outlook 2002 as Email client.

Haven't got a virus yet.

30-12-2002, 08:59 PM
Yep, it'll be a virus that has rearranged the from header. Just as well you had nortons eh!

31-12-2002, 08:23 AM
Good Morning,
just thought i'd update this..
have woken up to 5 new ones..but this time 2 have come from a friend...
and i honestly dont know anyone in Tauranga...and the the only thing i have entered my email address into lately is EASPorts and to some people at NZOOM.com enquirying about some cricket thing...but i dont think they would give it out to people...

Should I contact the ISP where these emails are coming from and...see whats going on?

31-12-2002, 08:41 AM
The virus will be coming from somebody that has your e-mail address on their system. Are you saying that nobody has your e-mail address?

Anyone you have ever sent an e-mail to will be a suspect.

Realise that these viruses grab ANY e-mail address from the infected system address book or received e-mails to use as the header (dummy "from" address) and send themselves to EVERY e-mail address on the system.

It will be someone you know, that is infected. The virus also disables antivirus software on the infected machine usually.

Just remember its unlikely that the "from" address is really where they are "from" at all.

Heather P
31-12-2002, 08:51 AM
It used to be simple - receive a virus and reply to sender that they have a virus and it's about time they ran/updated an anti-virus program.

Now some of them redirect through an alternative address. Sometimes it's possible to identify who actually has the virus, sometimes it isn't. If, at a quick glance, you are certain who sent it - tell them they have a virus, if you are uncertain - delete it and move on.

A while back there was a virus that picked up random files from a computer and forwarded it. One "appeared" to come from an Asian address but by content I knew exactly who had the virus - the international student dept at the local school. Others with the same virus were less easy to identify - an email about a months old motorcycle trip to my husband springs to mind. It could have been one of a number of people.

Just keep the anti-virus programs up-to-date and don't forward them yourself.

31-12-2002, 09:32 AM
Hi Chris,

Go to this Symantec page, to do a system scan.


If you are infected it will let you download a tool to clean the nasties. There are also links on the page on how to trace a virus, but as the others have said, it will probably be impossible to trace.


31-12-2002, 09:48 AM
Hi guys..I've decided on my action...
am going to do a total update of antivirus..even thou i do this every day...just check liveupdate everynight...so yeah..
and will email everyone i have on my addressbook and tell them 2 update antivirus and do a scan...
And will email the people who i got the virus from and tell them...
and i might..email the ISP where they are coming from and tell them...just as a friendly warning that someone using their ISP is wandering around with a virus...

Mm I just did a trace on the email host address...
and this is what i got..

inetnum: -
descr: Web InterNet
descr: Auckland
country: NZ
admin-c: DG44-AP
tech-c: AJ18-AP
notify: nic@netgate.net.nz
source: APNIC
changed: ks61@netgate.net.nz 20020918

Does that mean anything?

Heather P
31-12-2002, 10:03 AM
Well that should keep you entertained for a few hours. Is it raining in your part of the island or have you nothing better to do?

The simple fact is that viruses happen. If everyone kept their virus definitions up-to-date then there would be less of them but new ones will still sneak through.

The best thing you can do is keep the anti-virus definitions up-to-date, don't open suspect attachments, pass on a warning when you are 100% certain of the sender and ignore and delete the rest.

There is so much information in the world these days that people are selective as to what they take in. Virus paranoia only affects people who have been struck by viruses. Until it happens they won't do it. (A bit like my daughter not seeing the need to cut a spare car key. Yesterday her keys ended up in a glovebox 100km away. Much stress later I think she sees the point in it now).

31-12-2002, 10:28 AM
Chris, what is needed is a bit of detective work on your part.

Firstly, can you make a list of all people likely to have your e-mail address in their address book?

Then make some educated guesses as to which of those people could also have the addresses in the "from" field on the virus e-mails you receive.

I have successfully identified the culprit this way in the past.

As to telling your friends to update the anti-virus, the action of these viruses is to sneakily disable the virus scanner while letting people think its up to date and working, so they may update to no effect at all.

In these cases an on-line scan is effective though.

Again I stress its highly unlikely that the e-mails are coming from who they say they are, so notifying those people will be annoyance, not advice?

31-12-2002, 11:20 AM
the "from" feild in the virus emails are all from cybersurf.co.nz and i tried that as a website and it took me to tauranga cybersurf...a internet cybercafe...and i dont think any of my friends would have their cybersurf.co.nz at the end of their email address...

have emailed all the people i have in my address book, businesses...and friends..and told them about the email and what happens and yeah to update antivirus..