Probable virus - which one?

Robin S_
28-05-2003, 01:40 AM
Today my wife has received at least 5 e-mails from postmasters etc advising "address can't be found". Although the purported sender's address was hers she had sent none of the messages originally. Interestingly, 2 of the "senders" were her address prefixed with different nicknames. I assume that this is one of the viruses that burgle addresses from people's address books and mass mail fake messages. The subjects given for her supposed mailings were -
Re: Your request for freedom
Payment Past Due
Re: account
Application Declined
Over Due Account

Assuming that this is virus activity, can anyone name the virus (this would confirm my assumption)? I have done some net searches but none came up with anything (nor did Symantec or McAfee).
What is the best way to deal with this? I presume that if she waits a few days, hopefully the infection in the source computer will be discovered and cleaned out and that the scourge will stop. Changing her e-mail address would be inconvenient but may be necessary as a last resort. I guess that many of the bounced e-mails resulted because others had done just that.

28-05-2003, 02:08 AM
Sounds a bit like something I read the other day that a spammer had used her address to authenticate themselves.

28-05-2003, 10:06 AM
I'm guessing it is either

a) As mentioned, a spammer is using her email address to send unsolicited mail
b) Someone she knows has a virus such as Klez, and has her address in their address book. Some viruses take a random name and email address from the address book of the infected machine, and use those to mask themselves when replicating and sending themselves out, to lessen the chances of being detected on the right machine.

If your signature files are up to date, and you have run a virus scan which is clean, then you are most likely fine. Run a scan a day for the next few days just in case.

Robin S_
29-05-2003, 12:57 AM
Thanks respondents. There are 3 points I omitted from my original post. The first is that I suspect it is a virus that randomly selects a subject from a built-in list and I am hoping that someone will recognise the examples I included and pinpoint the virus name. The second is that 2 days before these appeared I had updated AVG and run a complete scan so we should be clean unless it is a very new release. The third point is that, very intriguingly, none of the bounced e-mails has an attachment (to transport the virus) although 1 includes a link to an apparently unrelated site which has a slightly suspicious name. A possible explanation for this is that either Eudora or our ISP has detected infected attachments and "burned" them but I am not aware that either does e-mail scanning.

29-05-2003, 01:39 PM
> A possible explanation for this is that either Eudora or our ISP
> has detected infected attachments and "burned" them
> but I am not aware that either does e-mail scanning.

Can you tell us who your ISP is????

29-05-2003, 06:04 PM
There is an even simpler explanation:

Viruses are programs
Programs have bugs
Therefore it's not only likely, but a fact that some viruses do not run as they were intended on some PCs.

One common problem is that they fail to attach their "payload" and simply consist of a message.

Robin S_
30-05-2003, 12:05 AM
Stu - it is Splurge, a cheapie therefore unlikely to have virus screening.

Godfather - assuming that it is a virus, I do suspect that it is bugged, because of the lack of an attachment and the fact that 4 of the main body messages comprise only short strings of about 60 - 100 alphanumeric characters and punctuation marks with some sort of graphic in the middle. The graphic only shows as a small placeholder with a cross in it.

I am surprised, though, that no one in pf1world seems to have recognised it - there is so much experience and knowledge out there. Anyway, there have been no recurrences since Day 1 so hopefully it has gone away forever.