suspicious Email from Robin


Robin I just received an email from your account that looks questionable.



Subject: 20020520155607

No text

2 attachments: 1. 43.scr and imgb0044[1].jpg



Is this a new virus or am I being paranoid?



Ted
 
I also received a weird email from Turbodieselregister, I emailed Robin and they were looking into it. They never sent it, but it did come from their server. I also had an email from the Cummins Powerstore, returning an email they said I sent, well it was sent at a time I was asleep and the computer was off. I have also gotten these weird emails from people that I don't know.



My ISP says it's the Klez virus that people are either knowingly sending or they don't know they have it and are sending it. Just don't open any attachments.



Maybe others can add to this.
 
Sounds like the Klez to me also. We have an updated AV software here at work, but this nasty little bugger shows up daily.
 
Originally posted by Ted Constantine
Robin I just received an email from your account that looks questionable.

Subject: 20020520155607
No text
2 attachments: 1. 43.scr and imgb0044[1].jpg

Is this a new virus or am I being paranoid?

Ted

The *large* clue is the '.scr' file extension, saying the attachment is a script. If you get something that appears to be a script, *don't* open or run it! Normally, people do not send Windows scripts in email.

:confused: Unless TDR have unleashed a diabolical punishment scheme for people who violate forum posting rules. "All New! TDR Update! Members will no longer banned for grossly violating TDR Forum posting rules. Instead, TDRAdmin will send them a nasty virus that will prevent them from posting to any fora. That they will no longer be able to use their computers at all is just a 'side effect'. " :p

Hmmm. No, they wouldn't do that. Perhaps a fly-by-night BBS run by persons of questionable repute (or script kiddies like me and StakeMan) would, but not TDR.

And to be perfectly clear on the intended humor of the previous two paragraphs: :D :D :D :D :D :D

Fest3er
 
I got KLEZ'ED too. Now I know who sent it... that darn Robin!:D

So I got Norton Internet Securities. It is AMAZING how many attempts have been made to "web share" or "File transfer" to/from my computer... 40 in the last week alone! One came from Germany. I sent them this e-mail: "Achtung!! DerSchnoopen' and DerSchpyin' ist VERBOTEN!" (With Norton you can send them e-mails demanding they stop trying to access your 'puter. )

I thought of some more...



"Yo... Git yo stinkin' paws off my 'puter!" Or how about this one:

"Hey Sucker... you put a dent in my harddrive and I'll put a dent in your head!"



By the way, does anybody know what they are trying to do when they attempt to "web share" or "file transfer"?
 
I always thought that anything in windows with a SCR extension was something to do with a screen saver. :confused:



I have heard of sending a virus with screen saver programs. It's kind of like the normal worm virus. But it stays hidden until you are not looking or activates the screen saver. :eek:
 
Not Me

Well, I can't explain it, but I've had every computer I use updated and tested for any sort of virus. None found. We'll keep a close eye for viruses here, but so far, we're clean.



I've been told that it is possible for an infected computer to forge the headers of the e-mail so that it looks like the e-mail came from someone else - sorry, I may be using the wrong technical terms. Anybody else know more about this?



Looks like I'm clean on this one, but it threw me for a scare. I am the queen of anti-virus software and the thought of spreading a virus is unacceptable to me.



Always let me know if you receive anything questionable from any of our e-mail accounts.



Robin

TDR Admin
 
Re: Not Me

Originally posted by TDRadmin
...
I've been told that it is possible for an infected computer to forge the headers of the e-mail so that it looks like the e-mail came from someone else - sorry, I may be using the wrong technical terms. Anybody else know more about this?...

The *headers* can be forged, but the actual route the mail takes cannot. In Windows, select the message, then File->Properties and look at the headers. For that matter, Ted, do that and post the contents here. The 'Received-From' headers will show you the complete route the message took between the sender and you. It includes IP addresses and/or hostnames.

Fest3er
 
Just remember that even if you look at the header it doesn't necessarily mean that you need to contact the owner of the IP block and kick and scream... many companies on the Internet have not locked down their servers' ability to be an anonymous relay. The header information will only tell you who relayed the message, not necessarily who sent it.
 
Fest3er,



Return-Path: <kevin@4wheelpartsmemphis.com>
Received: from jones.siteprotect.com ([64.41.120.37] verified)
  by wyoming.com (CommuniGate Pro SMTP 3.4.8)
  with ESMTP id 67643505 for -- email address removed --; Tue, 21 May 2002 00:44:23 -0600
Received: from Bazlhh (adsl-80-168-120.mem.bellsouth.net [65.80.168.120])
  by jones.siteprotect.com (8.9.3/8.9.3) with SMTP id BAA09977
  for <tconstan@wyoming.com>; Tue, 21 May 2002 01:44:12 -0500
Date: Tue, 21 May 2002 01:44:12 -0500
Message-Id: <200205210644.BAA09977@jones.siteprotect.com>
From: rpatton <rpatton@turbodieselregister.com>
To: -- email address removed --
Subject: 20020520155607
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary=G7V5E1Q9154



The body of the message in the source code is just a huge amount of garbage.



What do you think?



Ted
 
Here goes:



The person who wrote the email sent it from the IP address 65.80.168.120. At the time, the machine had the hostname adsl-80-168-120.mem.bellsouth.net. I did a reverse DNS lookup on the IP address and I got the same hostname. This means that the person that sent it wasn't trying to feed a bogus hostname. The person that sent it definitely sent it from bellsouth.net. When I did the nslookup, they had an email address of 'abuse@bellsouth.net' if you want to send it an email.



Bellsouth.net didn't relay the message... he probably just has an ADSL high speed connection through them. The actual SMTP relay was jones.siteprotect.com. I attempted to bounce anonymous mail through this relay without success. This means that he has an account through jones.siteprotect.com that allows him to send mail through them. I looked up the administrative contact for that domain and it is 'administrator@siteprotect.com'. Unfortunately they will have little luck trying to track down who bounced the mail off them because they had a valid account and they probably don't track that. Your best bet is to send the email to -- email address removed -- because they can easily track the guy down by the hostname because these are usually static.



Mike
 
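The header walk Fest3er and Mike describe above (read the Received: chain bottom-up to find the originating host, then notice that the From: address does not match the Return-Path: or any relay) can be automated; this is an added example, not anything posted in the thread. It re-types the headers Ted pasted as constructed sample input, with the addresses the forum removed replaced by a placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted earlier in this thread, with the
# removed recipient addresses replaced by a placeholder (recipient@example.invalid).
SAMPLE = """\
Return-Path: <kevin@4wheelpartsmemphis.com>
Received: from jones.siteprotect.com ([64.41.120.37] verified)
 by wyoming.com (CommuniGate Pro SMTP 3.4.8)
 with ESMTP id 67643505 for <recipient@example.invalid>; Tue, 21 May 2002 00:44:23 -0600
Received: from Bazlhh (adsl-80-168-120.mem.bellsouth.net [65.80.168.120])
 by jones.siteprotect.com (8.9.3/8.9.3) with SMTP id BAA09977
 for <recipient@example.invalid>; Tue, 21 May 2002 01:44:12 -0500
Date: Tue, 21 May 2002 01:44:12 -0500
Message-Id: <200205210644.BAA09977@jones.siteprotect.com>
From: rpatton <rpatton@turbodieselregister.com>
To: recipient@example.invalid
Subject: 20020520155607
MIME-Version: 1.0

(body omitted)
"""

# "from <HELO name> (<what the relay actually saw>) ... by <relay>"
HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)", re.S)

def trace_route(raw):
    """Relay chain oldest-first as (claimed_name, what_relay_saw, relay) tuples.
    Each relay prepends its Received: line, so the last header is the first hop."""
    msg = message_from_string(raw)
    hops = []
    for rec in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(rec.split()))   # unfold continuation lines
        if m:
            hops.append((m.group(1), m.group(2) or "", m.group(3)))
    return list(reversed(hops))

def sender_mismatch(raw):
    """Flag the Klez pattern: From: domain differs from Return-Path: and never
    shows up anywhere in the Received: chain. Returns the evidence as a dict."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    hops = trace_route(raw)
    seen_in_route = any(from_dom and from_dom in (h[1] + " " + h[2]).lower() for h in hops)
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "from_matches_return_path": from_dom == rp_dom,
            "from_domain_in_route": seen_in_route,
            "origin": hops[0][1] if hops else ""}
```

On the sample this reports the origin as adsl-80-168-120.mem.bellsouth.net [65.80.168.120] and a From: domain that appears nowhere in the route, which is exactly why the displayed sender cannot be trusted to identify the infected machine.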
I had the same "bell south" address show up several times, including today.

My Norton Internet Securities "denied access" log showed 132 attempts just in the couple of hours I was on the TDR site today. 132 times these idiots tried to access my computer today. In 2 hours! What is going on?
 