View Full Version : Is it a Virus?



Jayde
16-03-2003, 11:06 AM
Hey

Whenever I receive a suspicious looking email with an attachment, I always want to know exactly what it is. I never open the attachment of course, but I'll get the name of the attachment and search well-known antivirus sites, such as TrendMicro, Symantec etc. to find out what it is, what it can do etc.
This morning I received one that had an attachment called "mkemecmk.exe" 23.0 KB in size. There was no text in the email, no subject and no sender's address. So I did my usual searches only to come up with no results. I'm just wondering if anyone else has received this email and knows what it might be.

Cheers

Anna

"Society prepares the crime, the criminal commits it"

roofus
16-03-2003, 11:16 AM
Is it from someone you know?

cicero
16-03-2003, 11:20 AM
>>"Society prepares the crime, the criminal commits it"


How do you make that one out?

Pheonix
16-03-2003, 11:30 AM
It is an executable file. This makes it dangerous and I would delete it anyway. Even if it was from someone you knew, it could still be sent to you if their PC was infected. My theory is if in doubt, delete it. It is not worth it if the file were to cause you to lose info on your PC. If it is genuine, the sender will contact you again to ask you about the file and just get them to re-send it. Also I would advise them to add a small note with their name next time they send you something so you know it is genuine.

Jayde
16-03-2003, 10:24 PM
Yes, I am aware that if in doubt I should delete it. I was just curious to know if anyone knew what it was. I've since found out that it was
I-Worm/Hybris thanks to AVG.
I was immediately suspicious as there was no text in the email, no subject and no sender's address.
Thing is, because of that fact, I have no idea who sent it and therefore can't tell them that they are infected with this worm.. oh well maybe that'll learn em for opening any old attachments.

Gordon.
17-03-2003, 08:13 AM
If you still have the message or it happens again, right click the message and on the message select Properties and then Details and that might give you an idea of where it has come from, though with some viruses now using forged addresses it might be of little use.

From the message header information you might be able to see which ISP the sender used, maybe even who the sender was. Even if you can only get the alleged sender's ISP details you can copy and paste that information and send it to the ISP and ask that they check it out as one of their clients may be infected with a virus.

Clueless
17-03-2003, 08:23 AM
Jayde,
Have a look at the FULL headers.

By memory you go to properties > view source or something (assuming you are using Outlook Express).
You should get some clues as to who it came from by doing that.

example:
Return-Path: <xxxx@snap.net.nz>
Received: from tyler.snap.net.nz (tyler.snap.net.nz [202.37.101.20])
by drs.registerdirect.net.nz (8.11.6/8.11.0) with ESMTP id h2G9AZU85998
for <me@my.domain.net.nz>; Sun, 16 Mar 2003 21:10:35 +1200 (NZST)
(envelope-from xxx@snap.net.nz)
Received: from p246-dialip.snap.net.nz ([202.124.102.246] helo=acomputer)
by tyler.snap.net.nz with smtp (Exim 3.22 #1 )
id 18uUA1-0001Wz-00
for <me@my.domain.net.nz>; Sun, 16 Mar 2003 21:10:29 +1200
Message-ID: <000c01c2eb9c$08b684c0$f6667cca@acomputer>
From: "sender" <xxxx@snap.net.nz>
To: "person" <me@my.domain.net.nz>
Subject: jack went down.......

In this case the sender would definitely be "xxxx@snap.net.nz" (note: names & addresses changed to protect privacy, as this example is taken from the last email I got)


.Clueless

Jayde
19-03-2003, 08:21 PM
Yes I'm using Outlook and already tried that. There's no sender address in there either.. this is all there is:

Return-Path: <>
Delivered-To: annat@backend.pop.ihug.co.nz
Received: (qmail 4488 invoked from network); 15 Mar 2003 15:26:17 -0000
Received: from grunt5.ihug.co.nz (203.109.254.45)
by percy.ihug.co.nz with SMTP; 15 Mar 2003 15:26:17 -0000
Received: from tig-nz-akl-ns-42.ihug.net (grunt5.ihug.co.nz) [203.109.252.42]
by grunt5.ihug.co.nz with esmtp (Exim 3.35 #1 (Debian))
id 18uDY9-0008D4-00; Sun, 16 Mar 2003 03:26:17 +1200
Received: from 80-235-21-82-ppp.trt.estpak.ee (rando1) [80.235.21.82]
by grunt5.ihug.co.nz with smtp (Exim 3.35 #1 (Debian))
id 18uDXj-00086S-00; Sun, 16 Mar 2003 03:25:57 +1200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEQVC5IR0DEF"
Message-Id: <E18uDXj-00086S-00@grunt5.ihug.co.nz>
Bcc:
Date: Sun, 16 Mar 2003 03:25:57 +1200
X-Rcpt-To: annat@es.co.nz


Cheers..

Clueless
19-03-2003, 08:42 PM
This line:

"return path<>"
makes it a dead giveaway. It's a virus, or it's someone up to no good at all.
It originates from overseas as proven by these lines
"Received: from 80-235-21-82-ppp.trt.estpak.ee (rando1) [80.235.21.82]
by grunt5.ihug.co.nz with smtp (Exim 3.35 #1 (Debian))
id 18uDXj-00086S-00; Sun, 16 Mar 2003 03:25:57 +1200"

IHUG could trace it if it was say abusive enough to involve police, but this would probably just be a waste of time anyway.

Bloody viri! How dare they be written so that they leave minimal identifying trails! Chances are that this virus emails itself, and never asks the machine what the return/sender address is.

.Clueless
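The reading Clueless does by eye above (empty Return-Path, then walking the Received: lines back to the connecting host) can be done mechanically. The parser below is added here and is not from any poster; it runs over the header block Jayde quoted, treats a line without a "Name:" as a folded continuation (forum quoting strips the leading space), and only trusts hops that were stamped by the recipient's own provider, a suffix you pass in (assumed here to be ihug.co.nz).

```python
import re

# Headers quoted earlier in this thread (indentation lost in forum quoting).
SAMPLE_HEADERS = """Return-Path: <>
Received: (qmail 4488 invoked from network); 15 Mar 2003 15:26:17 -0000
Received: from grunt5.ihug.co.nz (203.109.254.45)
by percy.ihug.co.nz with SMTP; 15 Mar 2003 15:26:17 -0000
Received: from tig-nz-akl-ns-42.ihug.net (grunt5.ihug.co.nz) [203.109.252.42]
by grunt5.ihug.co.nz with esmtp (Exim 3.35 #1 (Debian))
id 18uDY9-0008D4-00; Sun, 16 Mar 2003 03:26:17 +1200
Received: from 80-235-21-82-ppp.trt.estpak.ee (rando1) [80.235.21.82]
by grunt5.ihug.co.nz with smtp (Exim 3.35 #1 (Debian))
id 18uDXj-00086S-00; Sun, 16 Mar 2003 03:25:57 +1200
"""
HEADER = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def unfold(raw):
    """(name, value) pairs; a line without 'Name:' continues the previous field."""
    fields = []
    for line in raw.splitlines():
        m = HEADER.match(line)
        if m:
            fields.append([m.group(1), m.group(2)])
        elif fields and line.strip():
            fields[-1][1] += " " + line.strip()
    return fields

def received_hops(fields):
    """One dict per 'Received: from X ... by Y' clause, newest first; local handoffs skipped."""
    hops = []
    for name, value in fields:
        frm = re.match(r"from\s+(\S+)", value) if name.lower() == "received" else None
        if frm:
            by, ip = re.search(r"\bby\s+(\S+)", value), IPV4.search(value)
            hops.append({"from": frm.group(1), "by": by and by.group(1),
                         "ip": ip and ip.group(1)})
    return hops

def analyze(raw, trusted_suffix):
    """Null sender flag plus the origin IP recorded by the last server you trust."""
    fields = unfold(raw)
    hdr = {n.lower(): v for n, v in fields}
    hops, origin = received_hops(fields), None
    for hop in hops:  # walk from your mailbox toward the sender; stop at foreign stamps
        if not (hop["by"] or "").endswith(trusted_suffix):
            break
        origin = hop["ip"] or origin
    return {"null_sender": hdr.get("return-path", "").strip() == "<>",
            "origin_ip": origin, "hops": hops}
```

Hops stamped by servers outside the trusted suffix are listed but never used for the origin, since a sender can prepend fake Received: lines of its own.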

Gordon.
20-03-2003, 07:58 AM
http://www.estpak.ee/

The IP address is Estonian based.

The link above, for what it is worth, also has an abuse link. Whether they would take any notice of any information is another matter. The abuse address is below.

abuse@estpak.ee