Does this sound like the MyDoom virus?



stu140103
08-02-2004, 02:29 PM
Hello everyone

I just got this e-mail x2 (copied from MailWasher) (and I did NOT send any e-mail to the below e-mail address)

Does this sound like the MyDoom virus or another one of those ones which fakes the From headers?

1.

From:MDaemon@djw.biz

To: my address, which is ************

The attached message had PERMANENT fatal delivery errors!

After one or more unsuccessful delivery attempts the attached message has
been removed from the mail queue on this server. The number and frequency
of delivery attempts are determined by local configuration parameters.

YOUR MESSAGE WAS NOT DELIVERED TO ONE OR MORE RECIPIENTS!

Failed address: bentley@beaufortcounty.com

--- Session Transcript ---
Sat 2004-02-07 18:32:02: Parsing Message <e:\mdaemon\gateways\beaufortcounty.com\pd500000251 11.msg>
Sat 2004-02-07 18:32:02: From: ****************
Sat 2004-02-07 18:32:02: To: bentley@beaufortcounty.com
Sat 2004-02-07 18:32:02: Subject: <?spam=Assassin:21.0,RBL:SPAMCOPBL DSBL,SNIFFER,LOOKUP> the best pills on the internet for low cost
Sat 2004-02-07 18:32:02: Message-ID: <wni6n3s$ykd5h-$-94@0wi.tyek2>
Sat 2004-02-07 18:32:02: MX-record resolution of in progress (DNS Server: 192.168.0.5)...
Sat 2004-02-07 18:32:02: P=100 D=beaufortcounty.com TTL=(47) MX=[mail3.devilsplayground.net] {209.115.229.204}
Sat 2004-02-07 18:32:02: Ignoring irrelevant RR, mail3.devilsplayground.net P=100
Sat 2004-02-07 18:32:02: P=090 D=beaufortcounty.com TTL=(47) MX=[mail2.devilsplayground.net] {142.179.157.171}
Sat 2004-02-07 18:32:02: P=080 D=beaufortcounty.com TTL=(47) MX=[mail1.devilsplayground.net] {209.115.229.208}
Sat 2004-02-07 18:32:02: P=075 D=beaufortcounty.com TTL=(47) MX=[mail2.downhomehost.com]
Sat 2004-02-07 18:32:02: P=010 D=beaufortcounty.com TTL=(47) MX=[beaufortcounty.com] {208.28.34.10}
Sat 2004-02-07 18:32:02: Attempting MX: P=010 D=beaufortcounty.com TTL=(47) MX=[beaufortcounty.com] {208.28.34.10}
Sat 2004-02-07 18:32:02: Attempting SMTP connection to [208.28.34.10 : 25]
Sat 2004-02-07 18:32:02: Waiting for socket connection...
Sat 2004-02-07 18:32:03: Socket connection established (209.115.229.204 : 3734 -> 208.28.34.10 : 25)
Sat 2004-02-07 18:32:03: Waiting for protocol initiation...
Sat 2004-02-07 18:32:03: <-- 220-downhomehost.com ESMTP MDaemon 7.0.0t; Sat, 07 Feb 2004 20:32:02 -0500
Sat 2004-02-07 18:32:03: <-- 220--Unless you are trying to deliver mail to a legitimate
Sat 2004-02-07 18:32:03: <-- 220--user on this system, then you are not welcome!
Sat 2004-02-07 18:32:03: <-- 220--We DO NOT relay mail and any unauthorized attempt is
Sat 2004-02-07 18:32:03: <-- 220--strictly prohibited. All transaction and IP addresses
Sat 2004-02-07 18:32:03: <-- 220--are logged. All mail coming from known spammers or the
Sat 2004-02-07 18:32:03: <-- 220--like thereof will be labeled as such and is subject to
Sat 2004-02-07 18:32:03: <-- 220 -rejection and or non-delivery!
Sat 2004-02-07 18:32:03: --> EHLO dsl-oak-209-115-229-i204-cgy.nucleus.com
Sat 2004-02-07 18:32:03: <-- 250-downhomehost.com Hello dsl-oak-209-115-229-i204-cgy.nucleus.com, pleased to meet you
Sat 2004-02-07 18:32:03: <-- 250-ETRN
Sat 2004-02-07 18:32:03: <-- 250-AUTH=LOGIN
Sat 2004-02-07 18:32:03: <-- 250-AUTH LOGIN CRAM-MD5
Sat 2004-02-07 18:32:03: <-- 250-8BITMIME
Sat 2004-02-07 18:32:03: <-- 250-STARTTLS
Sat 2004-02-07 18:32:03: <-- 250 SIZE 0
Sat 2004-02-07 18:32:03: --> MAIL From:<*************> SIZE=2511
Sat 2004-02-07 18:32:04: <-- 250 <*******************>, Sender ok
Sat 2004-02-07 18:32:04: --> RCPT To:<bentley@beaufortcounty.com>
Sat 2004-02-07 18:32:04: <-- 550 <bentley@beaufortcounty.com>, Recipient unknown
--- End Transcript ---
: Message contains [1] file attachments

-----------------------------------------------------------------------------------------

2.

From:MDaemon@djw.biz

To: my address, which is ************

The attached message had PERMANENT fatal delivery errors!

After one or more unsuccessful delivery attempts the attached message has
been removed from the mail queue on this server. The number and frequency
of delivery attempts are determined by local configuration parameters.

YOUR MESSAGE WAS NOT DELIVERED TO ONE OR MORE RECIPIENTS!

Failed address: stormy@beaufortcounty.com

--- Session Transcript ---
Sat 2004-02-07 18:32:02: Parsing Message <e:\mdaemon\gateways\beaufortcounty.com\pd500000251 12.msg>
Sat 2004-02-07 18:32:02: From: roboisnice@orcon.net.nz
Sat 2004-02-07 18:32:02: To: stormy@beaufortcounty.com
Sat 2004-02-07 18:32:02: Subject: <?spam=Assassin:21.0,RBL:SPAMCOPBL DSBL,SNIFFER,LOOKUP> the best pills on the internet for low cost
Sat 2004-02-07 18:32:02: Message-ID: <wni6n3s$ykd5h-$-94@0wi.tyek2>
Sat 2004-02-07 18:32:02: MX-record resolution of [beaufortcounty.com] in progress (DNS Server: 192.168.0.5)...
Sat 2004-02-07 18:32:03: P=100 D=beaufortcounty.com TTL=(47) MX=[mail3.devilsplayground.net] {209.115.229.204}
Sat 2004-02-07 18:32:03: Ignoring irrelevant RR, mail3.devilsplayground.net P=100
Sat 2004-02-07 18:32:03: P=090 D=beaufortcounty.com TTL=(47) MX=[mail2.devilsplayground.net] {142.179.157.171}
Sat 2004-02-07 18:32:03: P=080 D=beaufortcounty.com TTL=(47) MX=[mail1.devilsplayground.net] {209.115.229.208}
Sat 2004-02-07 18:32:03: P=075 D=beaufortcounty.com TTL=(47) MX=[mail2.downhomehost.com]
Sat 2004-02-07 18:32:03: P=010 D=beaufortcounty.com TTL=(47) MX=[beaufortcounty.com] {208.28.34.10}
Sat 2004-02-07 18:32:03: Attempting MX: P=010 D=beaufortcounty.com TTL=(47) MX=[beaufortcounty.com] {208.28.34.10}
Sat 2004-02-07 18:32:03: Attempting SMTP connection to [208.28.34.10 : 25]
Sat 2004-02-07 18:32:03: Waiting for socket connection...
Sat 2004-02-07 18:32:03: Socket connection established (209.115.229.204 : 3735 -> 208.28.34.10 : 25)
Sat 2004-02-07 18:32:03: Waiting for protocol initiation...
Sat 2004-02-07 18:32:03: <-- 220-downhomehost.com ESMTP MDaemon 7.0.0t; Sat, 07 Feb 2004 20:32:02 -0500
Sat 2004-02-07 18:32:03: <-- 220--Unless you are trying to deliver mail to a legitimate
Sat 2004-02-07 18:32:03: <-- 220--user on this system, then you are not welcome!
Sat 2004-02-07 18:32:03: <-- 220--We DO NOT relay mail and any unauthorized attempt is
Sat 2004-02-07 18:32:03: <-- 220--strictly prohibited. All transaction and IP addresses
Sat 2004-02-07 18:32:03: <-- 220--are logged. All mail coming from known spammers or the
Sat 2004-02-07 18:32:03: <-- 220--like thereof will be labeled as such and is subject to
Sat 2004-02-07 18:32:03: <-- 220 -rejection and or non-delivery!
Sat 2004-02-07 18:32:03: --> EHLO dsl-oak-209-115-229-i204-cgy.nucleus.com
Sat 2004-02-07 18:32:03: <-- 250-downhomehost.com Hello dsl-oak-209-115-229-i204-cgy.nucleus.com, pleased to meet you
Sat 2004-02-07 18:32:03: <-- 250-ETRN
Sat 2004-02-07 18:32:03: <-- 250-AUTH=LOGIN
Sat 2004-02-07 18:32:03: <-- 250-AUTH LOGIN CRAM-MD5
Sat 2004-02-07 18:32:03: <-- 250-8BITMIME
Sat 2004-02-07 18:32:03: <-- 250-STARTTLS
Sat 2004-02-07 18:32:03: <-- 250 SIZE 0
Sat 2004-02-07 18:32:03: --> MAIL From:<stuartw@orcon.net.nz> SIZE=2507
Sat 2004-02-07 18:32:04: <-- 250 <roboisnice@orcon.net.nz>, Sender ok
Sat 2004-02-07 18:32:04: --> RCPT To:<stormy@beaufortcounty.com>
Sat 2004-02-07 18:32:04: <-- 550 <stormy@beaufortcounty.com>, Recipient unknown
--- End Transcript ---
: Message contains [1] file attachments

Billy T
08-02-2004, 02:38 PM
Yep, sure sounds and looks like it.

I've had around 1500+ now on my son's account and just out of interest, that particular email address is one I have seen before. If the attachment is still there the MyDoom/SCO virus emails are usually between 31.1 and 32Kb.

They are gradually reducing in daily numbers and bouncing them all is starting to show up repeat senders. Initially I just deleted them in MailWasher but decided I needed to fight back.

I've had about 20 to my business account and bouncing all of them has reduced the traffic to next to nothing.

Cheers

Billy 8-{)

Graham L
08-02-2004, 02:43 PM
The ones you bounce are going to people who have the misfortune to be in an address list of someone who has the virus. This is fighting back?

No wonder this damn virus is using a huge amount of the Internet bandwidth.

Unless you know who actually sent you a piece of email, bouncing it is irresponsible.

metla
08-02-2004, 02:45 PM
So far I have received it 3 times; actually the virus had been stripped from the first 2 but the 3rd contained a loaded payload.

agent
08-02-2004, 02:57 PM
> Unless you know who actually sent you a piece of email, bouncing it is irresponsible

Agreed.

But it makes some people feel better.

stu140103
08-02-2004, 03:04 PM
Thank everyone for their reply

Note to mod: Please check your e-mails ;) in a few mins

Billy T
08-02-2004, 05:57 PM
> But it makes some people feel better.

No, it doesn't make me feel better, but it has reduced the number of viruses I receive, and if there is no valid email address to bounce to, it doesn't go at all.

Nine times out of ten it goes back to a valid address that belongs to somebody like me with a compromised email address. I check every time for known addresses so that I can pick which person(s) have been compromised, and they get notified separately, but in 1500+ messages I have only identified two that might be infected without knowing.

What is irresponsible is ISPs who don't bother to filter their throughput for viruses. Say what you like about Xtra, but not one live virus has appeared here via an Xtra address.

In a perfect world people wouldn't need or wish to bounce messages, but then, in a perfect world otherwise responsible people wouldn't post on PF1 admiring the work of virus writers. That kind of adulation is irresponsible too.

Cheers

Billy 8-{) :|

agent
08-02-2004, 06:02 PM
Well in your case it appears to be fine; but some people unwittingly bounce email to addresses that were forged as the source of spam and/or viruses.

All it does in that case is cause headaches for other people.

whiskeytangofoxtrot
08-02-2004, 11:02 PM
Well we all know how much I like to rain on people's parades so here we go again:

1. Nice job of blurring your address with asterisks, of course you've left it in further down the track as well...

2. So far it appears no one has bothered to read the actual error message. This looks nothing like the MyDoom virus. The headers as copied below quite clearly display the subject line of the message, which is related to "the best pills on the internet"

It actually appears your address has been used as a spoofed address for spam, which has gone to a non-deliverable address, hence you receiving the bouncebacks.

Reading the error messages would have told you (and anyone else that posted in this thread) that.

***********************************

--- Session Transcript ---
Sat 2004-02-07 18:32:02: Parsing Message <e:\mdaemon\gateways\beaufortcounty.com\pd500000251 11.msg>
Sat 2004-02-07 18:32:02: From: ****************
Sat 2004-02-07 18:32:02: To: bentley@beaufortcounty.com
Sat 2004-02-07 18:32:02: Subject: <?spam=Assassin:21.0,RBL:SPAMCOPBL DSBL,SNIFFER,LOOKUP> the best pills on the internet for low cost
Sat 2004-02-07 18:32:02: Message-ID: <wni6n3s$ykd5h-$-94@0wi.tyek2>

*******************************************

--- Session Transcript ---
Sat 2004-02-07 18:32:02: Parsing Message <e:\mdaemon\gateways\beaufortcounty.com\pd500000251 12.msg>
Sat 2004-02-07 18:32:02: From: roboisnice@orcon.net.nz
Sat 2004-02-07 18:32:02: To: stormy@beaufortcounty.com
Sat 2004-02-07 18:32:02: Subject: <?spam=Assassin:21.0,RBL:SPAMCOPBL DSBL,SNIFFER,LOOKUP> the best pills on the internet for low cost
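
A small triage script for bounces like the two quoted above, as an added example that is not code from the thread or from MDaemon: it parses the session transcript and calls the bounce spam backscatter when the Subject carries the filter's `<?spam=...>` tag and the remote host answered 550, which is the reading given in this post. The sample NDR, its addresses and the verdict labels are constructed.

```python
import re

# Constructed sample NDR, shaped like the MDaemon bounces quoted in the thread
# (placeholder addresses, not the real ones from the post).
SAMPLE_NDR = """The attached message had PERMANENT fatal delivery errors!
--- Session Transcript ---
Sat 2004-02-07 18:32:02: From: victim@example.com
Sat 2004-02-07 18:32:02: To: nobody@example.org
Sat 2004-02-07 18:32:02: Subject: <?spam=Assassin:21.0,RBL:SPAMCOPBL DSBL,SNIFFER,LOOKUP> the best pills on the internet for low cost
Sat 2004-02-07 18:32:04: <-- 550 <nobody@example.org>, Recipient unknown
--- End Transcript ---
: Message contains [1] file attachments
"""

STAMP_RE = re.compile(r"^\w{3} \d{4}-\d\d-\d\d \d\d:\d\d:\d\d: (.*)$")  # MDaemon timestamp prefix
HEADER_RE = re.compile(r"^(From|To|Subject|Message-ID): ?(.*)$")       # headers of the parsed message
REPLY_RE = re.compile(r"^<-- (\d{3})[ -](.*)$")                          # replies from the remote MTA
SPAM_TAG_RE = re.compile(r"^<\?spam=([^>]*)>")                           # filter tag prepended to Subject
ATTACH_RE = re.compile(r"^: Message contains \[(\d+)\] file attachments")

def parse_ndr(text):
    # Collect message headers, the last SMTP reply and the attachment count.
    info = {"headers": {}, "last_reply": None, "attachments": 0}
    in_session = False
    for line in text.splitlines():
        if line.startswith("--- "):                    # transcript start/end markers
            in_session = line.startswith("--- Session Transcript")
            continue
        a = ATTACH_RE.match(line)
        if a:
            info["attachments"] = int(a.group(1))
            continue
        s = STAMP_RE.match(line)
        if not (in_session and s):
            continue
        h = HEADER_RE.match(s.group(1))
        if h:
            info["headers"][h.group(1)] = h.group(2).strip()
        r = REPLY_RE.match(s.group(1))
        if r:
            info["last_reply"] = (int(r.group(1)), r.group(2))
    return info

def classify(info):
    # Verdict from the receiver's side: our own mail, a forgery, or something AV should look at?
    tag = SPAM_TAG_RE.match(info["headers"].get("Subject", ""))
    code = info["last_reply"][0] if info["last_reply"] else None
    if tag and code == 550:
        return "spam-backscatter", "receiver tagged the message as spam (%s) and refused the recipient; the From was forged" % tag.group(1)
    if info["attachments"]:
        return "scan-attachment", "untagged bounce with an attachment: let AV inspect it before trusting it"
    return "ordinary-bounce", "no spam tag and no attachment"
```

Run `classify(parse_ndr(SAMPLE_NDR))` to get the verdict for the constructed sample; a bounce that carries an attachment but no filter tag is the case where the attachment itself still needs an antivirus check.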

metla
08-02-2004, 11:18 PM
Wtf, you're miles away, what stu has posted is very close to the email I received loaded with the virus.

whiskeytangofoxtrot
08-02-2004, 11:45 PM
> Wtf, you're miles away, what stu has posted is very close
> to the email I received loaded with the virus.
>

If you look again, the message has been bounced as tagged spam by spam assassin, not antivirus software.

You'll also find that the subject line does not match the list of subjects used by MyDoom.A or MyDoom.B.

It is true that MyDoom used Mailer Daemon style messages as a way of disguising itself, however they were extremely distinct. The above-posted ones do not match the criteria for MyDoom.

Billy T
09-02-2004, 08:12 AM
The range of subject lines used by MyDoom has increased significantly WTF and that is no longer an indicator. If in doubt I rely on Norton to ID the virus, but nothing new or different has turned up. After intercepting around 1600 at the last count I think I have a feel for the variations.

Viagra ads and other typical spam info turn up quite regularly as low-life smarties try to forward the virus with a new disguise.

Mutation is the name of the game, and there are as many mutant senders out there as there are mutant viruses.

Cheers

Billy 8-{) :(

stu140103
09-02-2004, 11:48 AM
> 1. Nice job of blurring your address with
> asterisks, of course you've left it in further down
> the track as well...

Where are the mods when you want them?!? ?:| :D

Billy T
09-02-2004, 12:52 PM
Email Bruce Stu

Cheers

Billy 8-{)

stu140103
09-02-2004, 01:20 PM
> Email Bruce Stu

I have, did you not see the message

"Mods: check your e-mails" ;)

Graham L
09-02-2004, 02:12 PM
Bouncing hasn't reduced the number of viruses you receive, Billy. Correlation is not causation. The number has reduced because ISPs are trying harder to shoot the damn things. They don't like that traffic. It costs them money.

Billy T
09-02-2004, 05:23 PM
> The number has reduced because ISPs are
> trying harder to shoot the damn things.

*cough*

So who are all these ISPs who are trying to shoot them down Graham? Apart from Xtra and a couple of other NZ ISPs, who else is seriously stripping viruses from the traffic? I'm sure that more than a few Netizens would like to know who to switch to for virus screening protection.

I've seen what I estimate to be upward of 1000 ISPs (allowing for some duplications) who are cheerfully forwarding MyDoom and its siblings.

Cheers

Billy 8-{) :|