Discussion in 'New Member Introductions' started by nope, Nov 24, 2005.

  1. nope

    nope Monkey+++ Founding Member

    Alert: Seems that someone is using one of my email addresses as a return addy to send out viruses. One came back to me and I was able to grab the headers. Al is working on it and so far the IP resolves back to St. Louis MO. I do not send attachments. If you get an email from me with an attachment, delete it as it's just some clown trying to mess with us...

    This may explain your dilemma:

    Dear Trend Micro customer,

    As of November 24, 2005 2:34 AM (Pacific Standard Time, GMT -8:00),
    TrendLabs has declared a Medium Risk Virus Alert to control the spread
    of WORM_MYTOB.MX. TrendLabs has received several infection reports
    indicating that this malware is spreading in Eastern Europe, Japan, India,
    China, Sweden, France, Spain, Austria, and Germany.

    This memory-resident worm spreads copies of itself as an attachment to
    email messages, which it sends to target addresses, using its own
    Simple Mail Transfer Protocol (SMTP) engine. Through this SMTP engine, it is
    able to easily send the said email message even without using other
    mailing applications, such as Microsoft Outlook.

    The email message that it sends has the following details:

    From: (Spoofed)

    Subject: (any of the following)
    • DETECTED Online User Violation
    • Important Notification
    • Notice Account limitation
    • Security Measures
    • You have successfully updated your password
    • Your Account is Suspended
    • Your Account is Suspended For Security Reasons
    • Your password has been successfully updated
    • Your Password has been updated

    Message Body: (any of the following)
    Dear {User Profile} Member,

    Your e-mail account was used to send a huge amount of unsolicited spam
    messages during the recent week. If you could please take 5-10 minutes
    out of your online experience and confirm the attached document so you
    will not run into any future problems with the online service.

    If you choose to ignore our request, you leave us no choice but to
    cancel your membership.

    Virtually yours,
    The {User Profile}, Support Team


    Dear user {User Profile},

    It has come to our attention that your {User Profile}, ( x ) records
    are out of date. For further details see the attached document.

    Thank you for using {User Profile}!
    The {User Profile} Support Team
    +++ Attachment: No Virus (Clean)
    +++ "Name" Antivirus - www.{User Profile}.com


    Dear user {User Profile},

    You have successfully updated the password of your {User Profile}

    If you did not authorize this change or if you need assistance with
    your account, please contact customer service at: register@{User

    Thank you for using {User Profile}!
    The {User Profile} Support Team
    +++ Attachment: No Virus (Clean)
    +++ "Name" Antivirus - www. {User Profile}.com


    Dear {User Profile} Member,

    We have temporarily suspended your email account {User Profile}.
    This might be due to either of the following reasons:
    1. A recent change in your personal information (i.e. change of
    2. Submiting invalid information during the initial sign up process.
    3. An innability to accurately verify your selected option of
    subscription due to an internal error within our processors.
    See the details to reactivate your {User Profile} account.
    Sincerely,The Support Team
    +++ Attachment: No Virus (Clean)
    +++ {User Profile}Antivirus www.{User Profile}

    NOTE: {User Profile}, is equal to the computer's Domain User Name

    Attachment: (any of the following file names)
    • accepted-password
    • account-details
    • account-info
    • account-password
    • account-report
    • approved-password
    • documeng
    • email-details
    • email-password
    • important-details
    • new-password
    • password
    • readme
    • updated-password

    This worm also propagates via network shares. It searches for available
    shared folders within the network and attempts to drop copies of itself
    into these shares. It also generates random IP addresses and attempts
    to drop copies of itself into the said addresses' default shares. It
    uses the account details of the currently logged user to gain access to
    password-protected shares.

    It has backdoor capabilities, which enable a remote malicious user to
    perform commands on the affected system, thus compromising system

    It runs on Windows NT, 2000, and XP.
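    The alert above lists concrete indicators (the subject lines and the bare attachment names). As an added example, not part of the original post or of Trend Micro's alert, the following Python script parses a raw message with the standard library's email module and reports which of those indicators it matches. The two sample messages are constructed here for illustration and use reserved .invalid domains; the function name match_mytob_indicators is my own.

```python
import re
from email import policy
from email.parser import Parser

# Indicator lists transcribed from the Trend Micro alert quoted above (lower-cased).
MYTOB_SUBJECTS = {
    "detected online user violation",
    "important notification",
    "notice account limitation",
    "security measures",
    "you have successfully updated your password",
    "your account is suspended",
    "your account is suspended for security reasons",
    "your password has been successfully updated",
    "your password has been updated",
}
MYTOB_ATTACHMENT_STEMS = {
    "accepted-password", "account-details", "account-info", "account-password",
    "account-report", "approved-password", "documeng", "email-details",
    "email-password", "important-details", "new-password", "password",
    "readme", "updated-password",
}


def match_mytob_indicators(raw_message: str) -> dict:
    """Return which of the alert's indicators a raw RFC 2822 message matches."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    subject = str(msg["Subject"] or "").strip().lower()
    result = {"subject_hit": subject in MYTOB_SUBJECTS, "attachment_hits": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # The alert lists bare names; compare everything before the first dot so that
        # "account-info.zip" and a double extension such as "account-info.txt.pif" both match.
        stem = name.split(".", 1)[0].lower()
        if stem in MYTOB_ATTACHMENT_STEMS:
            result["attachment_hits"].append(name)
    result["suspicious"] = result["subject_hit"] or bool(result["attachment_hits"])
    return result


# Constructed sample message (not a real capture) shaped the way the alert describes.
SAMPLE_WORM_MAIL = """\
From: support@example.invalid
To: member@example.invalid
Subject: Your Account is Suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Member, see the attached document.
--b1
Content-Type: application/octet-stream; name="account-info.zip"
Content-Disposition: attachment; filename="account-info.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed benign message for contrast.
SAMPLE_NORMAL_MAIL = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: Lunch on Friday?

Same place as last time?
"""

if __name__ == "__main__":
    print(match_mytob_indicators(SAMPLE_WORM_MAIL))
    print(match_mytob_indicators(SAMPLE_NORMAL_MAIL))
```

Matching on the stem rather than the full file name is deliberate: the alert gives names without extensions, and mass-mailers of this era commonly wrapped the executable in an archive or used a double extension, so an exact-name comparison would miss them.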
  2. nope

    nope Monkey+++ Founding Member


    Virus companies are saying this virus as well as other versions of the worm have been rampant since last week and will only get worse the closer to the holidays we get. So if people are sending viruses and it has your email addy on it, it's not personal as hackers couldn't care less who you are and don't even know you exist.
  3. nope

    nope Monkey+++ Founding Member


    There are many variations of this virus and now there is also a trojan horse as well. So beware, update your anti-virus and scan for spyware often. But the IP of this virus can resolve anywhere; it doesn't mean that's who sent it, which is why hackers are so hard to catch.
  4. melbo

    melbo Hunter Gatherer Administrator Founding Member

    Thanks for the info. Been out of town since last Weds.

    The reason I feel this one is suspiciously malicious and planned to make me look bad is that it only went out to 4 that I know of while my Contact list has hundreds in it. These 4 were also people that I don't necessarily get along very well with these days and they all sent me "Plese stop sending me this Virus" emails in return. I also got a couple of bounce backs from emails that were sent to local businesses in my area but that I have never had any contact with, email or otherwise.

    This case was deliberate. Thanks also for the Anonymouse Tip. I love to anonymize.

  5. melbo

    melbo Hunter Gatherer Administrator Founding Member

    This is the email:
    hi, ive a new mail address

    Had the file ATT00057.dat (160 bytes) attached
  6. nope

    nope Monkey+++ Founding Member

    I guess you're not so special

    Virus Alert! “SOBER.X” has just gone to “medium risk” at Secunia. Updated definition files are available from most anti-virus vendors. Watch out for the following in any new emails you receive:

    Subject: hi, ive a new mail address
    hey its me, my old address dont work at time. i dont know why?!
    in the last days ive got some mails. i’ think thaz your mails but im not sure!

    plz read and check …

    This was posted on

    People cannot take viruses personally; they are meant for EVERYONE no matter how personal. Sorry to hear about your troubles, but you're on a list of about 6 million that have received this "personal" attack. If ever you're suspicious, enter the text into a search box and it will usually lead you to a virus alert or prove it was personal.

    Nice site BTW and yeah anonymouse is nice to keep cookies, spybots and other pests away. Good luck with everything and again I hope this helps.
  7. melbo

    melbo Hunter Gatherer Administrator Founding Member

    Thank You CitizenX

    I never thought of searching on the text before. Thanks.

    I guess now that means that I or someone with me in their contact list has this Virus... I just ran 5 scans and came up with nothing. So I guess that means that someone who emails me has it.

    CitizenX, you sound like a very 'in the know' person. We could use some inside advice in the Tech forum... I am into privacy also (I run anonymizer). If you'd like to register using Anonymouse, you can. Just use a scooby doo email on registration and I'll go in and activate your account.

    Very glad to have the info

  8. nope

    nope Monkey+++ Founding Member

    Don't understand

    Thanks for the invite however at this time I must decline as I am very busy with my "day" job.

    I still don't understand why you insist that "someone" is purposely sending this virus out using your name or somehow trying to "get" you? It could be your mom has that email address in her contact list and it just so happens it sent it out and her antivirus caught it before it was able to send out to everyone in the contact list. Just because someone has a contact list of hundreds or even millions doesn't mean it sends it out to all on the list. It's like poker, some get the good hand (no virus) and some lose it all (get the virus).

    Bad information being spread is just as bad as the virus itself b/c it makes virus trackers' job that much more difficult. A virus almost NEVER will be personal b/c almost all antivirus programs will catch it before it can even be sent out, and email programs as well. So again this was probably a fluke. Again I hope this information helps.

    Maybe when work slows a bit I will join but until then update, update, update update and update.

    Oh yeah update. :D
  9. Brokor

    Brokor Live Free or Cry Moderator Site Supporter+++ Founding Member

    I take everything personally. I really do. [peep]
  10. melbo

    melbo Hunter Gatherer Administrator Founding Member

    After reading the link you provided, it is NOT personal. The virus is on someone else's system that is 'spoofing' my email addy. It was weird when it only went to a few I know but then it may be lurking in one of their systems.

    I understand the time constraints CitizenX, If you ever do want to register under Anonymity, I can help.

    Thanks again for helping me clear this up... [beer]
  11. melbo

    melbo Hunter Gatherer Administrator Founding Member

    and, how did you find our 1 forum where guests can post? :D
  12. nope

    nope Monkey+++ Founding Member

    Brokor by the looks of your avatar everything takes you personal. ;)

    I found this area while browsing the rest of the forum and saw where it said guests could post w/out registering and looked like you needed some help. So tada here I am. Interesting what you find when you read.

    Here's a bit more for me to add to the virus info: Viruses are never personal, they're like IEDs, addressed to Whom it may concern. Today's malcode is very tricky, as it has built-in SMTP engines so it doesn't need a mail server, spoofs the 'from' address to make it harder to track back, and in addition to using the 'address book', will also harvest email addresses from Web Caches/Temp internet folders, so even without having an address in your address book, if you've visited a site with email addresses listed, it can mail out to them.
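    The post above, and the earlier ones about grabbing the headers and an IP that "resolves back to St. Louis", come down to one check a recipient can do: the From: line is whatever the worm's built-in SMTP engine chose to write, while the Received: lines are written by the mail servers that actually handled the message. As an added example (my own code, not from the original thread), this Python script finds the earliest Received hop, pulls the IP literal the receiving server recorded, and reports whether the domain claimed in From appears anywhere in that hop. The two header sets are constructed for illustration with RFC 5737 documentation addresses and .invalid names; the function name origin_hop_report is my own.

```python
import re
from email import policy
from email.parser import Parser

# Bracketed IPv4 literal as the receiving MTA writes it, e.g. "(host.example [203.0.113.77])".
IP_LITERAL_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def origin_hop_report(raw_message: str) -> dict:
    """Locate the earliest Received hop and compare it with the domain claimed in From."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    # Each relay prepends its own Received line, so the last one in header order is the
    # earliest hop: the machine that handed the message to the first real mail server.
    received = [str(h) for h in msg.get_all("Received", [])]
    earliest = received[-1] if received else ""
    ip = IP_LITERAL_RE.search(earliest)
    m = DOMAIN_RE.search(str(msg["From"] or ""))
    claimed = m.group(1).lower() if m else ""
    return {
        "hops": len(received),
        "origin_ip": ip.group(1) if ip else None,
        "claimed_domain": claimed,
        # Heuristic only: a claimed domain that never appears in the originating hop is
        # consistent with a spoofed From, but a legitimate sender on a home ISP line or a
        # third-party relay looks the same, so treat it as a lead, not proof of who sent it.
        "claimed_domain_in_origin_hop": bool(claimed) and claimed in earliest.lower(),
    }


# Constructed headers: the message claims to be from sender-example.invalid but was
# injected straight from a DSL pool host, which is what a worm's own SMTP engine looks like.
SPOOFED = """\
Received: from mx.recipient.invalid (mx.recipient.invalid [192.0.2.10])
    by mail.recipient.invalid with ESMTP id 1A2B3C; Thu, 24 Nov 2005 08:00:05 -0800
Received: from oemcomputer (dsl-77.pool.isp.invalid [203.0.113.77])
    by mx.recipient.invalid with SMTP id 4D5E6F; Thu, 24 Nov 2005 08:00:01 -0800
From: member@sender-example.invalid
To: friend@recipient.invalid
Subject: hi, ive a new mail address

hey its me, my old address dont work at time.
"""

# Constructed control case: same route, but the earliest hop is the sender's own mail server.
LEGIT = """\
Received: from mx.recipient.invalid (mx.recipient.invalid [192.0.2.10])
    by mail.recipient.invalid with ESMTP id 7G8H9I; Thu, 24 Nov 2005 09:00:05 -0800
Received: from smtp.sender-example.invalid (smtp.sender-example.invalid [198.51.100.25])
    by mx.recipient.invalid with ESMTP id 0J1K2L; Thu, 24 Nov 2005 09:00:01 -0800
From: member@sender-example.invalid
To: friend@recipient.invalid
Subject: re: weekend plans

See you Saturday.
"""

if __name__ == "__main__":
    print(origin_hop_report(SPOOFED))
    print(origin_hop_report(LEGIT))
```

The origin_ip is the address worth looking up: it identifies the infected machine that injected the message, not the person named in From, which is exactly why the "it resolves to St. Louis" result in this thread says nothing about who owns the spoofed address. Only the Received line added by your own mail server can be trusted; any Received lines below it could have been forged by the sending software.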
  13. ghrit

    ghrit Bad company Administrator Founding Member

    CitizenX, I like the cut of your jib. Stick with us.

    melbo, how's chances of the software allowing X to post in the Tech forum without registering? Methinks there are some questions he/she/it might be able to handle for us proles. :?: :)
  14. melbo

    melbo Hunter Gatherer Administrator Founding Member

    Good idea. I can open it up
  15. melbo

    melbo Hunter Gatherer Administrator Founding Member

  16. Quigley_Sharps

    Quigley_Sharps The Badministrator Administrator Founding Member
