Thread: E-mailed viruses

  1. #1
    Junior Member
    Join Date
    Sep 2002
    Location
    London
    Posts
    26

    E-mailed viruses

    Hi to all,

    Can anyone help me please?
    As this problem is driving me mad, with the e-mails that I keep getting that are loaded with the Win32.Sobig:F virus.
    As over the last 5 days, I have got about 500+ e-mails that have the Win32 Sobig F virus attached to them. (All have been deleted.)
    I am using Windows XP Home (up to date), with Avast Free, SpyBot, a2, Ad-Aware Free and Spyware Blaster.
    I have checked my computer with Avast on 3 occasions, the same with the other stuff, and nothing found.
    I have used a removal tool twice, still nothing, but still I keep getting the e-mails coming.
    I have also checked my computer twice with an online anti-virus scanner, again nothing.

    I check my e-mails with Mailwasher, so that they don't get near my computer.
    And still each time I check my mail, I get loads of these e-mails loaded with the virus.

    I have also done the same with my son's computer, as we are sharing a broadband connection via a router.

    Does anyone have any ideas about my problem, and if I am infected?
    As I have had 2 e-mails saying that I have sent out 2 infected messages.

    A copy of what one contained is below: (which made Avast log an infected message)

    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

    jr@********.com
    This message has been rejected because it has
    a potentially executable attachment "your_document.pif"
    This form of attachment has been used by
    recent viruses or other malware.
    If you meant to send this file then please
    package it up as a zip file and resend it.

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <highwaman@****.co.uk>
    Received: from [24.61.69.156] (helo=DELL2)
    by hades.liveshere.com with esmtp (Exim 4.52)
    id 1EzKOj-0005sO-TP
    for jr@********.com; Wed, 18 Jan 2006 15:59:21 -0500
    From: <highwaman@****.co.uk>
    To: <jr@*******.com>
    Subject: Re: Your application
    Date: Fri, 21 Dec 2001 0:50:40 --0500
    X-MailScanner: Found to be clean
    Importance: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MSMail-Priority: Normal
    X-Priority: 3 (Normal)
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="_NextPart_000_018DA414"

    This is a multipart message in MIME format

    --_NextPart_000_018DA414
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit

    See the attached file for details
    --_NextPart_000_018DA414
    Content-Type: application/octet-stream;
    name="your_document.pif"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
    filename="your_document.pif"

    Then there is a load of characters that might as well be ancient Greek to me!!

    I have never seen or used this e-mail address above.
    And now I am even beginning to doubt the results that are before me on my own computer, after running the tests.

    Can anyone help me?
    As I have submitted a HijackThis log to another website, but the help I got did not help.
    And my questions about the answer I got have not been replied to.

    Please help me, thanks in advance.
    Last edited by rik; January 19th, 2006 at 00:21 AM.

  2. #2
    Old and Cranky Super Moderator rik's Avatar
    Join Date
    Aug 2003
    Location
    Watching Your every move...
    Posts
    4,638
    Removed email address for your protection

  3. #3
    Junior Member
    Join Date
    Sep 2002
    Location
    London
    Posts
    26
    Hi rik,

    Many thanks for that.

    Sorry, but I did not realise that needed changing.
    As that is an address that I am supposed to have sent a virus-laden e-mail to.
    But, how can I?
    As every check and test I have done shows that I am not infected.

    Much appreciated.
    Last edited by Johkaz; January 18th, 2006 at 23:17 PM.

  4. #4
    Banned Aloone_Jonez's Avatar
    Join Date
    Dec 2005
    Posts
    58
    Are all the infected emails from the same address?

    If so, inform the sender, and if they're a spammer then block them.

  5. #5
    Junior Member
    Join Date
    Sep 2002
    Location
    London
    Posts
    26
    Hi Aloone_Jonez,

    This is the problem: most of the addresses I do not know, and they are totally random to me.
    And most of them are new ones, although some are now getting doubled/tripled or even quadrupled up from the same address.
    And it was only when one stood out that I know, 3 days ago, that made me contact the person in case they were sending them.
    As before that, I had deleted about 150 of these e-mails as a virus intrusion onto my computer.
    And now I know this person has scanned their computer and found nothing.
    It makes me think that the problem lies with me and my computer.

    But how can it?
    As every test shows that the Win32.Sobig.F virus is not on my machine.
    And now the addresses say I am infecting them, but they have the same virus attached to them according to Avast anti-virus.

    Thanks for the reply.
    Last edited by Johkaz; January 18th, 2006 at 23:53 PM.

  6. #6
    Old and Cranky Super Moderator rik's Avatar
    Join Date
    Aug 2003
    Location
    Watching Your every move...
    Posts
    4,638
    More than likely your email address has been "spoofed" http://en.wikipedia.org/wiki/Spoof_mail.

    This can happen if your address was in someone else's address book when their system became infected. The virus then keeps and combines the email addresses and emails itself out infecting other systems and harvesting more addresses.

    Bottom line is, it doesn't mean that your system is infected at all. It seems that you are protected and have acted responsibly to ensure that it is clean.

  7. #7
    Hardware guy Super Moderator FastGame's Avatar
    Join Date
    Apr 2002
    Location
    Blasters worm farm
    Posts
    3,333
    Quote Originally Posted by rik
    More than likely your email address has been "spoofed" http://en.wikipedia.org/wiki/Spoof_mail.

    This can happen if your address was in someone else's address book when their system became infected. The virus then keeps and combines the email addresses and emails itself out infecting other systems and harvesting more addresses.

    Bottom line is, it doesn't mean that your system is infected at all. It seems that you are protected and have acted responsibly to ensure that it is clean.
    Yep, you're on the unlucky end now

    Options:

    Keep adding them to Mailwasher block list (what a pain)

    Contact ISP and see if you can get new email address.

    Get new online email (Hotmail, Yahoo....)

    If your ISP gives you new account don't use this for anything except trusted (and limited) contacts, use the online account for everything else.

    Email everyone on your contact list (before you get new accounts) and tell them someone has the Win32:Sobig worm.

    In avast! options, make sure you include the avast! clean note in your message body, so your contacts will know you're not the one sending the virus.

    Your son will need to do all the above also.

    BTW, if one of your contacts is infected and you add them to your new accounts, all this will be for naught.

  8. #8
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    Once your email address gets into the virus system you will keep getting them; eventually they will stop when the machines that are infected and have your email addy get cleaned or break down completely.

    It's a bummer and it happens all the time, but there is no cure until the mail is blocked by the ISP or the infected machines stop being infected.

    I wouldn't recommend emailing everyone in your contact list (not as a bcc or cc single email anyway) because some malwares can read the email headers and collect all the email addresses - making it worse.
    I'm using Windows 7 - you got a problem with that?

  9. #9
    Hardware guy Super Moderator FastGame's Avatar
    Join Date
    Apr 2002
    Location
    Blasters worm farm
    Posts
    3,333
    Quote Originally Posted by Curio
    I wouldn't recommend emailing everyone in your contact list (not as a bcc or cc single email anyway) because some malwares can read the email headers and collect all the email addresses - making it worse.
    So in other words he's held hostage and can't email anyone, for any reason ?

  10. #10
    Junior Member
    Join Date
    Sep 2002
    Location
    London
    Posts
    26
    Hi,

    Many thanks for the replies and the help, much appreciated.
    To clarify, if I may, the account that is being hit is my Yahoo account.
    As what I have done for several years now is not give out my main ISP address to anyone but very close friends and family.
    Mainly, in case this happened to it.
    So instead, I have given out the Yahoo account address.

    I am not sure if this is a way of testing my computer.
    But I have sent out test messages from Outlook Express to my other mail accounts,
    which I have received back in Outlook Express as un-infected e-mails.
    Does this prove that my Yahoo account and computer are clean, as rik has said?

    As what I am thinking of doing is abandoning the Yahoo account and opening another one up.
    The only problem is that I will have to get in touch with all of my contacts now,
    to notify them of the change of address, as well as telling them the reason for it.

    Finally, one last thing.
    Can this or any virus read e-mail addresses from inside my e-mail folders in Outlook Express?
    As I have, I think, 3 years' worth of them inside it, as well as a backup of them in 2 places on my other hard drives.
    Although the Address Book I use has no entries in it, as I just open up a previous e-mail from a person in my folders,
    copy the address and then create a new e-mail to that person.
    I know this seems a long-winded way of doing things, but I have just got into the habit of doing my mail this way.

    Many thanks again for the help.

  11. #11
    Old and Cranky Super Moderator rik's Avatar
    Join Date
    Aug 2003
    Location
    Watching Your every move...
    Posts
    4,638
    From the SARC website:

    W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in the files that have the following extensions:

    .dbx
    .eml
    .hlp
    .htm
    .html
    .mht
    .wab
    .txt

    The worm uses its own SMTP engine to propagate. It also attempts to create a copy of itself on accessible network shares, but fails due to bugs in the code.

    Email routine details
    The email message has the following characteristics:

    From: Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address, admin@internet.com, as the sender.

    NOTES:
    The spoofed addresses and the Send To addresses are both taken from the files found on the computer. Also, the worm may use the infected computer's settings to check for an SMTP server to contact.
    The choice of the internet.com domain appears to be arbitrary and does not have any connection to the actual domain or its parent company.

    *W32.Sobig.F@mm uses a technique known as "email spoofing," by which the worm randomly selects an address it finds on an infected computer.

    http://securityresponse.symantec.com...obig.f@mm.html
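The bounce quoted in post #1, rik's explanation of spoofing in #6 and the SARC note above (the worm uses its own SMTP engine and picks a From address it found on the infected machine) together give a mail admin a concrete way to show that a "you sent us a virus" bounce did not come from the named sender. The Python script below is an added example, not code from the thread or from any of the tools mentioned in it. It parses a constructed bounce modelled on the quoted one (addresses replaced with example.* placeholders, IP from the TEST-NET-3 range, a placeholder base64 body) and reports the indicators a spoofed worm message shows: the originating IP in the last Received header is not one of the sender's provider's relays (that set of relay IPs is an assumed input), the HELO name is an unqualified PC name rather than a mail server, the Date header is years off from the delivery timestamp, and the attachment carries a potentially executable extension.

```python
import os
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample modelled on the bounce quoted in post #1: addresses and hosts
# are example.* placeholders, the IP is from TEST-NET-3, the body is a placeholder.
SAMPLE_BOUNCE = b"""Return-path: <victim@example.co.uk>
Received: from [203.0.113.77] (helo=DELL2)
\tby mx.example.net with esmtp (Exim 4.52)
\tfor jr@example.com; Wed, 18 Jan 2006 15:59:21 -0500
From: <victim@example.co.uk>
To: <jr@example.com>
Subject: Re: Your application
Date: Fri, 21 Dec 2001 0:50:40 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_018DA414"

--_NextPart_000_018DA414
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

See the attached file for details
--_NextPart_000_018DA414
Content-Type: application/octet-stream; name="your_document.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="your_document.pif"

cGxhY2Vob2xkZXI=
--_NextPart_000_018DA414--
"""

# Extensions the rejecting server in the thread called "potentially executable".
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}
# "from <host> [<ip>] (helo=<name>)" as Exim and similar MTAs write it.
RECEIVED_RE = re.compile(r"from\s+(?:(?P<host>\S+)\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
                         r"(?:\s*\(helo=(?P<helo>[^)\s]+)\))?")


def parse_received_hops(msg):
    """One dict per Received header, newest first; the last is nearest the real sender."""
    hops = []
    for hdr in msg.get_all("Received", []):
        text, match = str(hdr), RECEIVED_RE.search(str(hdr))
        if not match:
            continue
        stamp = None
        try:  # the delivery timestamp follows the last ';'
            stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (IndexError, TypeError, ValueError):
            pass
        hops.append({"host": match.group("host"), "ip": match.group("ip"),
                     "helo": match.group("helo"), "stamp": stamp})
    return hops


def executable_attachments(msg):
    """Filenames of attached parts whose extension is on the executable list."""
    return [part.get_filename() for part in msg.walk()
            if part.get_filename()
            and os.path.splitext(part.get_filename())[1].lower() in EXECUTABLE_EXTENSIONS]


def assess_bounce(raw, own_outbound_ips=frozenset()):
    """Collect spoofing indicators from a bounce. own_outbound_ips is the set of
    relays the claimed sender's provider really uses (an assumed input)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = parse_received_hops(msg)
    origin = hops[-1] if hops else {"ip": None, "helo": None, "stamp": None}
    sender = parseaddr(str(msg.get("From", "")))[1]
    attachments = executable_attachments(msg)
    indicators = []
    if origin["ip"] and origin["ip"] not in own_outbound_ips:
        indicators.append(f"origin IP {origin['ip']} is not a relay used by {sender}")
    if origin["helo"] and "." not in origin["helo"]:
        indicators.append(f"HELO {origin['helo']!r} is an unqualified PC name, not a mail server")
    if attachments:
        indicators.append("executable attachment(s): " + ", ".join(attachments))
    skew = None
    if msg.get("Date") and origin["stamp"]:
        try:
            skew = (origin["stamp"] - parsedate_to_datetime(str(msg["Date"]))).days
        except (TypeError, ValueError):
            pass
    if skew is not None and abs(skew) > 1:
        indicators.append(f"Date header is {skew} days off from the delivery timestamp")
    # A worm bounce: an executable attachment arriving from a host the sender never uses.
    spoofed = bool(attachments) and bool(origin["ip"]) and origin["ip"] not in own_outbound_ips
    return {"claimed_sender": sender, "origin_ip": origin["ip"], "helo": origin["helo"],
            "executable_attachments": attachments, "date_skew_days": skew,
            "indicators": indicators, "spoofed": spoofed}
```

Running `assess_bounce(SAMPLE_BOUNCE, own_outbound_ips={"198.51.100.10"})` lists all four indicators and marks the message as spoofed; passing the origin IP itself as a known relay clears the verdict, which is the check worth doing before telling a user their machine is infected. Only the last Received header can be trusted in this way, and only when it was written by your own server: earlier hops are text the sender's software controls.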

  12. #12
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    Quote Originally Posted by FastGame
    So in other words he's held hostage and can't email anyone, for any reason ?
    Pretty much. Don't change your habits, i.e. sending out an extra email with everyone bcc/cc'd on it - no point.

    His email address has been spoofed by the virus - it has nothing to do with him except that it is his email address. It may not be anything to do with anyone in his contact list either, it just got his email addy from somewhere - from someone with his addy in their list or from a file on someones PC somewhere in the Interweb.

    Ignore it.
    I'm using Windows 7 - you got a problem with that?

  13. #13
    Junior Member
    Join Date
    Sep 2002
    Location
    London
    Posts
    26
    Hi,

    Pardon me saying, but with using Mailwasher, I am now bouncing the e-mails back to the sender.
    And for the first time in 7 days, I am getting my normal e-mail on my Yahoo account.
    Without having to wade through loads of virus-infected e-mails.
    And the amount of e-mails to me has dropped significantly.
    Even the virus-laden crap about being unable to send messages for 4 hours, whatever that means.

    Gary

  14. #14
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    Like I said previously, that is the usual pattern of events. Sooner or later the ISPs start blocking them or the infected machine becomes no longer infected. All you can do is what you did - i.e. block them with a spam filter and wait for it to die down.
    I'm using Windows 7 - you got a problem with that?
