View Full Version : Viruses



Brendonny
20-08-2003, 10:17 PM
Hi everyone,

Umm I was just wondering I have been getting sent a lot of viruses recently (the messages have been cleaned or deleted before I get them and I get the notification) but I've been getting a lot of bounce messages to one of my personal e-mail addresses saying I've been trying to send out a virus to someone I don't know. They don't specify a virus but I'm quite concerned. I've since changed the password to the account and I'm still getting them.
Is there any way of stopping the bounce messages?? It is a yahoo.co.nz address if it helps anyone. I use Incredimail as my mail program because it isn't that common so viruses shouldn't spread through there. I don't have the address listed in any other mail program. My parents use Outlook but my address is nowhere in there.
But all I want is my mailbox back. Any tips?? Any suggestions would be appreciated.

Brendan

godfather
20-08-2003, 10:40 PM
Not much you can do.

Someone who has your e-mail address on their PC also has a virus.

It is being sent by them, but it's using your address purporting to be the sender. Unless you can determine who it is and get them to clean up their PC, not a lot can be done.

stu140103
20-08-2003, 11:05 PM
> Umm I was just wondering I have been getting sent a
> lot of viruses recently (the messages have been
> cleaned or deleted before I get them and I get the
> notification) but I've been getting a lot of bounce
> messages to one of my personal e-mail addresses
> saying I've been trying to send out a virus to
> someone I don't know. They don't specify a virus but
> I'm quite concerned. I've since changed the password
> to the account and I'm still getting them.
> Is there any way of stopping the bounce messages??

Hello Brendonny

You are not alone in having this problem.
The same thing is happening to me as well :(
Instead I have a hotmail dot com address (only one account so far has the e-mail; I have two accounts)

Here are the headers & messages I am getting:

(XXXXX is my address that I edited out :))

e-mail 1

From :
NNZHUB000*at*bnz.co.nz

To :
XXXXXXXXXXXXXXX@hotmail.com

Subject :
Security Alert - ScanMail for Lotus Notes

Date :
Wed, 20 Aug 2003 17:04:18 +1200

MIME-Version: 1.0
Received: from inet.bnz.co.nz ([202.49.97.71]) by mc4-f31.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Tue, 19 Aug 2003 22:08:36 -0700
X-Message-Info: JGTYoYF78jEHjJx36Oi8+YDSEg8qKPPD
X-Priority: 3 (Normal)
Message-ID: <OF03C88610.25B27948-ONCC256D88.001BDC5B@bnz.co.nz>
X-MIMETrack: Serialize by Router on INET/WLG/BNZ/NAG_AP(Release 5.0.12 |February 13, 2003) at 20/08/2003 17:08:37
Return-Path: NNZHUB000@bnz.co.nz
X-OriginalArrivalTime: 20 Aug 2003 05:08:38.0299 (UTC) FILETIME=[1D5BAEB0:01C366D9]


Date: 8/20/2003 17:4:18
Subject: Re: Re: My details
From: XXXXXXXXXXXXXXX@hotmail.com
To: CN=Trina Henare/OU=AKL/OU=BNZ/O=NAG_AP @ NAG

File: wicked_scr.scr
Action: quarantine
Event: File Type Blocking

The contents of this E-mail may contain information that is legally
privileged and/or contains information confidential to the recipient. This
information is not to be used by any other person and/or organisation. The
views in this document do not necessarily reflect those of the Bank of New
Zealand.

-----------------------------------------------------------------------

e-mail 2

From :
exim*at*scms.waikato.ac.nz

To :
<XXXXXXXXXXXXXXX@hotmail.com>

Subject :
Rejected: Your details

Date :
Wed, 20 Aug 2003 17:33:52 +1200

Received: from ghoul.scms.waikato.ac.nz ([130.217.241.35]) by mc8-f18.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Tue, 19 Aug 2003 22:33:55 -0700
Received: from exim by ghoul.scms.waikato.ac.nz with local (Exim 4.14) id 19pLbU-0002o9-5i for XXXXXXXXXXXXXXX@hotmail.com; Wed, 20 Aug 2003 17:33:52 +1200
X-Message-Info: JGTYoYF78jEHjJx36Oi8+YDSEg8qKPPD
In-Reply-To: <E19pLbG-0002nT-2C@ghoul.scms.waikato.ac.nz>
Message-Id: <E19pLbU-0002o9-5i@ghoul.scms.waikato.ac.nz>
Return-Path: <>
X-OriginalArrivalTime: 20 Aug 2003 05:33:55.0691 (UTC) FILETIME=[A5CB53B0:01C366DC]

Your message was rejected because it has
an apparently executable attachment "movie0045.pif".
Please read http://www.scms.waikato.ac.nz/help/mail/policy.html

-----------------------------------------------------------------------

e-mail 3

From :
auto-filter*at*xtra.co.nz

To :
XXXXXXXXXXXXXXX@hotmail.com

Subject :
Virus Alert

Date :
Wed, 20 Aug 2003 20:45:57 +1200

MIME-Version: 1.0
Received: from mta204-rme.xtra.co.nz ([210.86.15.147]) by mc6-f5.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Wed, 20 Aug 2003 01:45:59 -0700
Received: from localhost ([210.86.15.141]) by mta204-rme.xtra.co.nz with SMTP id <20030820084557.IFCH1211.mta204-rme.xtra.co.nz@localhost> for <XXXXXXXXXXXXXXX@hotmail.com>; Wed, 20 Aug 2003 20:45:57 +1200
X-Message-Info: JGTYoYF78jEHjJx36Oi8+YDSEg8qKPPD
Message-Id: <20030820084557.IFCH1211.mta204-rme.xtra.co.nz@localhost>
Return-Path: auto-filter*at*xtra.co.nz
X-OriginalArrivalTime: 20 Aug 2003 08:45:59.0842 (UTC) FILETIME=[7AB93820:01C366F7]

An attachment called (WORM_SOBIG.F) in an email that appears
to have been sent from your email address to (tkitez@xtra.co.nz)
contained the virus (WORM_SOBIG.F), which has been deleted.

If you do not believe you were the actual sender, the Klez virus is
likely to be the culprit. The Klez virus works by forging the 'From'
address inside the virus infected email, which means you can receive a
virus alert from Xtra even if you are not necessarily the actual sender.

Information on Xtra's anti-virus email filter:
http://xtra.co.nz/anti-virus

More on the Klez virus:
http://xtra.co.nz/help/0,,6156-1347943,00.html

Help with filtering anti-virus email alerts from Xtra:
http://xtra.co.nz/help/0,,6156-1656774,00.html

Help with removing a virus from your computer:
http://xtra.co.nz/help/0,,4128-544089,00.html

If you have any other questions, please forward this email along with
your enquiry to anti-virus*at*xtra.co.nz

-----------------------------------------------------------------------

e-mail 4

This one HAS the virus, which I did not open because Hotmail told me it was the W32/Sobig.f@MM virus

From :
<roxanne*at*globe.net.nz>

To :
<XXXXXXXXXXXXXXX@hotmail.com>

Subject :
Re: Wicked screensaver

Date :
Wed, 20 Aug 2003 17:37:06 +1200

Attachment : application.pif (100k)
MIME-Version: 1.0
Received: from NLWTS01 ([219.88.104.178]) by mc7-f24.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Tue, 19 Aug 2003 22:37:13 -0700
X-Message-Info: 6sSXyD95QpWgCBWUvHx8NNdDCbTE47+p
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
Return-Path: roxanne*at*globe.net.nz
Message-ID: <MC7-F24iaMJKhpXnXML000c8b1d@mc7-f24.law1.hotmail.com>
X-OriginalArrivalTime: 20 Aug 2003 05:37:17.0858 (UTC) FILETIME=[1E4B9020:01C366DD]

See the attached file for details

-----------------------------------------------------------------------

Rod ger
20-08-2003, 11:07 PM
Send a bcc e-mail to all your contacts telling them what has happened and please "patch", and stop bandying your name around the internet (maybe not the last bit).

stu140103
20-08-2003, 11:11 PM
& I do not have the virus on my computer (I have NAV 2002 with the latest virus definitions)

stu140103
20-08-2003, 11:13 PM
& I do not know the above people.

PoWa
21-08-2003, 12:18 AM
All those emails you have there stu are variants of the w32.sobig virus.

beama
21-08-2003, 12:19 AM
Stu, this may help you.
When you can identify an ISP in the header info, try emailing abuse@isp etc. with the header information; they may be able to track the customer and inform them of the virus. Most ISPs keep email activity logs and their technical support should be able to identify the customer; they will not, however, tell you who it is.
I have recently done this for both a New Zealand ISP and an overseas ISP. I received an email from an unknown person (which contained a virus attachment) inside and outside New Zealand domain where the ISP was clearly identifiable in the header information.
Oh, if there is an IP number in the header, as source, do a whois; that will reveal a lot of information as well.

Oh, by the way, one of those people that sent you one of those emails seems to be on a Novell network
CN=Trina Henare/OU=AKL/OU=BNZ/O=NAG_AP
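
Added example, not part of any post in the thread: a short Python triage of the headers quoted above. It reads the one Received line written by the recipient's own provider to find the IP worth a whois, since the From address is forged, and separates filter notices from the worm mail itself. The function names are hypothetical and the subject keywords are a heuristic taken only from the three notices stu140103 posted.

```python
import re
from email import message_from_string

# Abridged from e-mail 4 and e-mail 2 in the thread (address redacted as there).
WORM_MAIL = """\
Received: from NLWTS01 ([219.88.104.178]) by mc7-f24.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Tue, 19 Aug 2003 22:37:13 -0700
Return-Path: roxanne*at*globe.net.nz
From: <roxanne*at*globe.net.nz>
Subject: Re: Wicked screensaver

See the attached file for details
"""
BOUNCE = """\
Received: from ghoul.scms.waikato.ac.nz ([130.217.241.35]) by mc8-f18.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Tue, 19 Aug 2003 22:33:55 -0700
Received: from exim by ghoul.scms.waikato.ac.nz with local (Exim 4.14) id 19pLbU-0002o9-5i; Wed, 20 Aug 2003 17:33:52 +1200
Return-Path: <>
From: exim*at*scms.waikato.ac.nz
Subject: Rejected: Your details

Your message was rejected
"""

RECEIVED = re.compile(r"from\s+(\S+)\s+\(\[([\d.]+)\]\)\s+by\s+(\S+)", re.I)
# Heuristic: subject prefixes of the three filter notices quoted in the thread.
NOTICE_SUBJECTS = ("security alert", "rejected:", "virus alert")

def handoff(msg, my_provider):
    """(helo, ip) from the newest Received line stamped by my own provider.
    Lines below it were written by other hosts and can be forged."""
    for line in msg.get_all("Received", []):
        m = RECEIVED.search(line)
        if m and m.group(3).lower().endswith(my_provider):
            return m.group(1), m.group(2)
    return None, None

def triage(raw, my_provider="hotmail.com"):
    msg = message_from_string(raw)
    helo, ip = handoff(msg, my_provider)
    subject = msg.get("Subject", "").lower()
    # A null Return-Path marks a bounce; AV notices often use a normal one.
    notice = (msg.get("Return-Path", "").strip() == "<>"
              or subject.startswith(NOTICE_SUBJECTS))
    # "notice": ip is the filtering server, not the infected PC.
    # "direct": ip is the host that connected to my provider; whois that one.
    return {"kind": "notice" if notice else "direct", "helo": helo, "whois_ip": ip}

if __name__ == "__main__":
    for sample in (WORM_MAIL, BOUNCE):
        print(triage(sample))
```

For a "direct" result the `whois_ip` is what goes to the owning network's abuse contact along with the full headers; for a "notice" the IP only identifies the mail server that rejected the forged message.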