  pcdebb RIP dadkins Premium join:2000-12-03 Tampa, FL clubs: 
| reply to kpatz Re: W32.Sober.O@mm/Sober.P
I got one! It came from admin@yahoo.com. I was on my way out to work so I didn't bother examining the headers. -- babbling | mvm |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
| Congratulations, pcdebb 
I've received a total of four so far, across 3 different email addresses. Nothing compared to some of last year's outbreaks but the most hits I've seen this year so far.
Two that came into my own domain, I was able to figure out the sender by matching the IP address in the headers to some legitimate emails that came from the same IP. So I sent them an email telling them that they were infected. It's not very often that I'm able to do that; usually when I get hit with a worm it comes from an IP that I have no record of otherwise. -- SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages. |
|
  GKJUG
@algx.net | reply to kpatz Got five more in my email honeypot this morning.
New subject titles are generated to try and fool the recipient. The dead giveaway is the file size, which stays the same: they were all 73 KB. |
|
  norwegian Premium join:2005-02-15 Outback
·WestNet Broadband
| reply to kpatz Seeing as I got 17 in one hit, I'll pass on the names:
dixakagin(at)gundamfan(dot)com admin(at)hotmail(dot)com info(at)hotmail(dot)com raym(at)eiw(dot)com.au symondeb(at)eiw(dot)com.au symondeb(at)eiw(dot)com.au ifjpk(at)gay-personals(dot)com 3ddlyall(at)kalgold(dot)com.au webmaster(at)mail.daily-horoscopes(dot)com hostmaster(at)hotmail(dot)com service(at)hotmail(dot)com postmaster(at)boc(dot)com postmaster(at)zoog02(dot)com register(at)emerge(dot)net.au
These were all in there today. Some are the ones about virus scans all clear, account details and passwords, you name it, it was there. Let's hope no one opens them up, or SANS might go rainbow colors. |
|
  skyroket
join:2001-06-11 Colorado, US
| All fine and dandy, we're protected from this virus, and malicious email attachments both...but what if the virus is sending itself to other people using MY email address as the sender's address. I'm getting a crapload of undeliverables. It seems obvious to me that there's nothing one can do about this. Is that an accurate assumption? -- These guys are cool; and by cool, I mean totally sweet. |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
| said by skyroket :I'm getting a crapload of undeliverables. It seems obvious to me that there's nothing one can do about this. Is that an accurate assumption? About the only thing you can do is see if the original sender's IP address is in any of the bounced messages, see if it looks familiar, or matches someone you've legitimately received emails from, and notify them that they are infected.
Or you could ascertain the IP, do a whois on it, notify their ISP's abuse department and hope they do something. Don't hold your breath though, you'll turn blue and pass out.  -- SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages. |
|
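The header check kpatz describes in this reply and in the earlier post about notifying infected senders, as an added example that is not from the thread: it walks the Received: chain of a message to find the originating IP (skipping internal relays and loopback), then looks that IP up in a table of IPs already seen on legitimate mail. The sample message, the 203.0.113.x/192.0.2.x addresses and the KNOWN_SENDER_IPS table are constructed.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample: forged From:, two Received: hops, documentation-range IPs.
SAMPLE_MSG = """\
Received: from mx1.example.net ([203.0.113.10])
\tby mail.example.org with ESMTP; Thu, 5 May 2005 09:29:05 -0400
Received: from kpatz-home ([192.0.2.77])
\tby mx1.example.net with SMTP; Thu, 5 May 2005 09:28:50 -0400
From: admin@yahoo.com
To: victim@example.org
Subject: Your Password

see attachment
"""

# Constructed lookup: originating IPs seen on mail the recipient knows to be
# legitimate, mapped to the person behind that machine.
KNOWN_SENDER_IPS = {"192.0.2.77": "bob@example.net"}

# Internal relays and loopback are skipped when looking for the first hop.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw_message):
    """First external IP in the Received: chain, or None.
    Each relay prepends its own Received: line, so the bottom-most one
    records the connection from the machine that actually sent the mail."""
    msg = message_from_string(raw_message)
    for hdr in reversed(msg.get_all("Received", [])):
        match = BRACKET_IP.search(hdr)      # the "from host ([ip])" part
        if not match:
            continue
        addr = ip_address(match.group(1))
        if not any(addr in net for net in INTERNAL_NETS):
            return str(addr)
    return None


def triage(raw_message, known_ips):
    """Pair the originating IP with a known sender, if there is a record.
    From: is forged by the worm and is returned only to show that it
    disagrees with the IP-based identification."""
    ip = originating_ip(raw_message)
    return {"forged_from": message_from_string(raw_message)["From"],
            "origin_ip": ip,
            "notify": known_ips.get(ip)}    # None: no record of this host
```

When `notify` comes back as None, the IP is one you have no record of, which is kpatz's usual case; the remaining option is the whois/abuse route.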
  macbloghaus Im from Cuba MANG Premium join:2004-07-08 Massena, NY | Thank god I have a Mac. One reason why I switched is all the damn viruses that you have to look out for. I have a Dell laptop and won't cut it on and connect due to viruses. So good luck guys and long live Mac |
|
 kamootee
join:2004-11-15 Glendale, CA
| reply to kpatz mail_info.zip, account_info-text.zip, error-mail_info.zip, and secu....
Admin@food4hungry.org
    Item Name: account_info-text.zip, Item ID 14543, Action: Quarantined. Norman found Sober.O@mm in account_info-text.zip\Winzipped-Text_Data.txt .exe
postmaster@aol.com
    5/5/2005 1:50:33 AM, Item Name: mail_info.zip, Item ID 14517, Action: Quarantined. Norman found Sober.O@mm in mail_info.zip\Winzipped-Text_Data.txt .pif
    5/5/2005 1:34:45 AM, Item Name: account_info-text.zip, Item ID 14516, Action: Quarantined. Norman found Sober.O@mm in account_info-text.zip\Winzipped-Text_Data.txt .pif
postmaster@dhs.ca.gov
    5/5/2005 1:19:06 AM, Item Name: mail_info.zip, Item ID 14515, Action: Quarantined. Norman found Sober.O@mm in mail_info.zip\Winzipped-Text_Data.txt .pif
register@dph.sbcounty.gov
    5/4/2005 10:35:00 PM, Item Name: account_info-text.zip, Item ID 14514, Action: Quarantined. Norman found Sober.O@mm in account_info-text.zip\Winzipped-Text_Data.txt .pif
hostmaster@neucom.com
    5/5/2005 9:29:05 AM, Item Name: account_info-text.zip, Item ID 14542, Action: Quarantined. Norman found Sober.O@mm in account_info-text.zip\Winzipped-Text_Data.txt .exe
register@clickmarks.com
    5/4/2005 8:34:03 PM, Item Name: account_info-text.zip, Item ID 14513, Action: Quarantined. Norman found Sober.O@mm in account_info-text.zip\Winzipped-Text_Data.txt .pif
Admin@comcast.net
    Item Name: mail_info.zip, Item ID 14512, Action: Quarantined. Norman found Sober.O@mm in mail_info.zip\Winzipped-Text_Data.txt .pif
info@axiom-systems.com
    5/5/2005 5:59:35 AM, Item Name: account_info.zip, Item ID 14518, Action: Quarantined. Norman found Sober.O@mm in account_info.zip\Winzipped-Text_Data.txt .pif
Recipient To webmaster@mars.pl
    Item Name: account_info-text.zip, Item ID 14511, Action: Quarantined. Norman found Sober.O@mm in account_info-text.zip\Winzipped-Text_Data.txt .pif
service@imckesson.com
    Item Name: mail_info.zip, Item ID 14510, Action: Quarantined. Norman found Sober.O@mm in mail_info.zip\Winzipped-Text_Data.txt .exe
dtaitt@chcs.org
    5/4/2005 5:09:26 PM, Item Name: our_secret.zip, Item ID 14509, Action: Quarantined. Norman found Sober.O@mm in our_secret.zip\Winzipped-Text_Data.txt .exe
hostmaster@poweronemedia.com
    5/4/2005 4:53:54 PM, Item Name: error-mail_info.zip, Item ID 14497, Action: Quarantined. Norman found Sober.O@mm in error-mail_info.zip\Winzipped-Text_Data.txt .exe
register@mrmib.ca.gov
    5/4/2005 4:35:37 PM, Item Name: error-mail_info.zip, Item ID 14495, Action: Quarantined. Norman found Sober.O@mm in error-mail_info.zip\Winzipped-Text_Data.txt .exe
webmaster@molinamedical.com
    5/4/2005 4:17:54 PM, Item Name: error-mail_info.zip, Item ID 14494, Action: Quarantined. Norman found Sober.O@mm in error-mail_info.zip\Winzipped-Text_Data.txt .exe |
|
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX 1 edit | reply to kpatz Four copies in my mom's Yahoo email, all of course went right into her bulk mail folder.
That's the only place I've seen any of them. |
|
  Greg_Z Premium join:2001-08-08 Springfield, IL
·Comcast
| reply to macbloghaus said by macbloghaus :Thank god I have a Mac. One reason why I switched is all the damn viruses that you have to look out for. I have a Dell laptop and won't cut it on and connect due to viruses. So good luck guys and long live Mac Sorry to say, just because a person uses Linux or MacOS does not make them any more than a "carrier". It is the reason that no matter what OS a person uses, they should still use strict rules in not opening any unknown sender emails. -- One man's customer loyalty is another man's misguided arrogance. |
|
  Greg_Z Premium join:2001-08-08 Springfield, IL
·Comcast
| reply to kamootee Look at long headers kamootee. Posting the short headers will not disclose what server is actually sending this crap out to the outside world. Knology.net is where this crap is coming from. -- One man's customer loyalty is another man's misguided arrogance. |
|
  Chris 313 Come get some Premium join:2004-07-18 Houma, LA clubs:
·Comcast
·Comcast
·Charter Pipeline
·Comcast Digital Vo..
·AT&T CallVantage
| It looks like I got one.
Does this look like it?
It was sent to my junkmail folder. |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
| said by Chris 313 :It looks like I got one. Does this look like it? It was sent to my junkmail folder. Let's hope that the zip file was cleaned before it was downloaded...
My son got one earlier that included the zip attachment however we found it had been cleaned by RR before he ever downloaded the message...
 |
|
  91439306 15,000 Watts of Bass Power
join:2002-10-16 New Milford, CT
| reply to GKJUG I noticed that at the beginning of the week when this started here, I was finding that they had originated from the .nl domain extension. I guess it spread to Germany and then the US at about the same time. Nasty, because unlike previous worms, Earthlink's Spaminator is not blocking the e-mails. Its AV is stripping out the virus, at least here on my account. Volume is getting annoying though. -- Take care,
Mark & Mary Ann Weiss
Hear my Kurzweil Creations at: www.dv-clips.com/theater.htm, www.mwcomms.com/auctions.htm, www.mwcomms.com, www.adventuresinanimemusic.com
|
|
  Chris 313 Come get some Premium join:2004-07-18 Houma, LA clubs: | reply to amysheehan I'm ok. I didn't even touch the zip file. |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
| said by Chris 313 :I'm ok. I didn't even touch the zip file. I was just curious to know whether MSN actually had stripped the contents of that zip file since the text of the email said it was clean... Someone else I know had that kind of text in the email and the file had NOT been cleaned - they didn't open the zip but scanned it only to find it was not cleaned as MSN had 'suggested'... More worried about others who are more worried about not deleting it as junk and opening the zip without a thought...:) |
|
  Chris 313 Come get some Premium join:2004-07-18 Houma, LA clubs:
·Comcast
·Comcast
·Charter Pipeline
·Comcast Digital Vo..
·AT&T CallVantage
| said by amysheehan :said by Chris 313 :I'm ok. I didn't even touch the zip file. I was just curious to know whether MSN actually had stripped the contents of that zip file since the text of the email said it was clean... Someone else I know had that kind of text in the email and the file had NOT been cleaned - they didn't open the zip but scanned it only to find it was not cleaned as MSN had 'suggested'... More worried about others who are more worried about not deleting it as junk and opening the zip without a thought...:) I don't know whether the file was actually clean, as I dumped everything in my Junk folder after making the screenshot.
Being worried about others is where a good crash course in today's internet threats and protection and prevention comes in.
I personally got sick of seeing all the crap being mixed in with my legit mail and set up my protection to only receive from addresses I know; all else is sent to junk and I sort it out daily. |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
1 edit | reply to amysheehan said by amysheehan :I was just curious to know whether MSN actually had stripped the contents of that zip file since the text of the email said it was clean... The text stating the attachment is "clean" or "no virus found" is generated by the worm itself and is meaningless. It's just another one of its social engineering tactics, to get people to "trust" the attachment.
However, I did notice that your zip file was only .05K in size, meaning it was probably stripped before it even reached your hotmail/MSN account. Perhaps it passed through an outbound scanner before it reached you.
EDIT: It says .05M so it could still contain the worm which is roughly 73K in size encoded. Nice way of measuring attachment size there, Microsoft... -- SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages. |
|
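The attachment tells raised across this thread (GKJUG's identical 73 KB size over a batch of messages, the "Winzipped-Text_Data.txt .exe/.pif" names inside the zips in kamootee's quarantine log, and kpatz's point that the "no virus found" text comes from the worm itself), as an added triage example that is not from the thread. The executable extensions beyond .exe and .pif, the self-vouching phrase list and the in-memory test zips are assumptions and constructed data, not Sober samples.

```python
import io
import re
import zipfile

# .exe and .pif appear in the quarantine log; the rest are assumed extras.
EXEC_EXT = (".exe", ".pif", ".scr", ".bat", ".com")
# A text-looking name, a run of spaces, then the real extension at the end.
DOUBLE_EXT = re.compile(r"\.txt\s+\.(exe|pif|scr|bat|com)$", re.IGNORECASE)
# Phrases a worm puts in its own body to vouch for its attachment (assumed list).
SELF_VOUCH = re.compile(r"no virus found|virus scan.*\b(clean|all clear)\b",
                        re.IGNORECASE | re.DOTALL)


def suspicious_members(zip_bytes):
    """Names inside the zip that are executables or disguised executables."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if DOUBLE_EXT.search(n) or n.lower().endswith(EXEC_EXT)]


def body_vouches(body_text):
    """True when the mail text itself claims the attachment was scanned clean."""
    return SELF_VOUCH.search(body_text) is not None


def triage_batch(messages, min_batch=3):
    """messages: list of (body_text, zip_bytes). Returns one reason list per
    message. Identical size across min_batch or more messages is judged over
    the whole batch, since a single message cannot show that tell."""
    sizes = {len(blob) for _, blob in messages}
    same_size = len(messages) >= min_batch and len(sizes) == 1
    verdicts = []
    for body, blob in messages:
        reasons = []
        members = suspicious_members(blob)
        if members:
            reasons.append("disguised executable: " + ", ".join(members))
        if body_vouches(body):
            reasons.append("body vouches for its own attachment")
        if same_size:
            reasons.append("same attachment size across the batch")
        verdicts.append(reasons)
    return verdicts


def make_zip(member_name, payload):
    """Build an in-memory zip for testing (constructed data, no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()
```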
  Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA | reply to kpatz Actually kpatz, the file is 0.05 MB, not KB, and so the size will be around 53 KB, so I think the worm wasn't stripped of its potency. |
|
  ravencajun Premium join:2004-08-12 Houston, TX
| reply to kpatz I am getting about 40-60 or so a day for the past few days, all to my junk mail folder on my hotmail account. None on my gmail, none on my yahoo, no other email addys are getting hit. I just have to keep deleting the junk mail from the folder several times a day to get rid of all of them. The size is a good telltale sign for sure.
Apparently someone is opening the things for them to be so rampant. |
|