Quote:
Originally Posted by ntluser
Has anyone else noticed that they have been receiving an increased number of e-mails with MyDoom or other viruses attached?
Fortunately, I have the AVG e-mail scanner which deals with most of them e.g. from "Elene" and others but now I'm getting others apparently from NTL subscribers e.g. john.simms@ntlworld.com. I'm not sure if these are from genuine NTL customers with infected machines, or whether they are being sent deliberately or what, but even using the scanner and the rules wizard it's becoming a pain. I know I'm not infected as I have two firewalls and run the MyDoom security checks to make certain I do not have it or other viruses.
I'm also getting viruses from yahoo and hotmail.com as well as from the Netherlands, Italy, France etc. Has anyone else had a similar experience?
=========================================================
Yup, I'm seeing a large amount of these to published e-mail addresses at work, probably ~30 a day. The to and from fields of these e-mails are spoofed, so your reference to john.simms@ntlworld.com just means that the virus has chosen to use that as the "from" address. In the same sense, it's completely feasible to receive responses whereby a mail purporting to be from your own email address has been bounced from a destination mail server. The mail server may then return you a copy of the mail, advising that it has been quarantined. This doesn't mean that you've sent it, and if you can read the mail headers, you'll see that you clearly didn't send it.
It was interesting to see that with MyDoom, the virus would not replicate to mail addresses belonging to domains containing certain strings - such as ripe, arin, iana, ietf, sopho, gov, google, mil etc... which seems quite bizarre.... almost as if there's some trace of conscience within the malicious little b*stard that wrote it after all.... although maybe it's just ass covering, to an extent. Also interesting to see with this one is that it also attempts a DoS attack on www.symantec.com...
Viruses like this tend to retrieve mail addresses from your Temp. Internet Files folder and also your Windows address book. Thus the mail may purport to originate from any address that it picks up along the way, whether it's via web pages browsed or within the mail client on the compromised system.
You may find the following link useful, as it explains the basics of valid mail headers, and thus provides some clue when determining the origin of e-mails:
http://pobox.com/valid1.html
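Reading the headers the way the reply describes, as an added example (not code from the thread or the linked page): this Python snippet walks the Received: chain of a constructed bounce-style message oldest hop first and checks whether the relay that first handed the mail in actually belongs to the domain in the forged From: line. All hostnames and addresses below are constructed placeholders from documentation ranges.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: the From: line is forged, the Received: chain is not.
# The bottom Received: was written by the first relay that accepted the mail.
SAMPLE = (
    "Received: from mx1.example.org (mx1.example.org [192.0.2.10])\n"
    "\tby inbox.example.org (Postfix) with ESMTP id 4F2C1\n"
    "\tfor <me@example.org>; Mon, 2 Feb 2004 10:15:02 +0000\n"
    "Received: from ntlworld.com (cpc12-clsm1.cable.isp.example [198.51.100.77])\n"
    "\tby mx1.example.org (Postfix) with SMTP id 3A9B7\n"
    "\tfor <me@example.org>; Mon, 2 Feb 2004 10:14:58 +0000\n"
    "From: john.simms@ntlworld.com\n"
    "To: me@example.org\n"
)

HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(raw):
    """Return hops oldest first as (claimed HELO name, relay's rDNS/IP note, IP or None)."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its own header, so the last Received: is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        claimed, note = m.group(1), m.group(2) or ""
        ip = IP_RE.search(note) or IP_RE.search(claimed)
        hops.append((claimed, note, ip.group(1) if ip else None))
    return hops


def from_domain_is_trustworthy(raw):
    """False when the first relay's recorded identity is not under the From: domain."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    hops = parse_hops(raw)
    if not domain or not hops:
        return False
    _claimed, note, _ip = hops[0]
    # The HELO name is chosen by the sender; only the receiving relay's note is reliable.
    recorded = note.split()[0].lower() if note else ""
    return recorded == domain or recorded.endswith("." + domain)
```

For the constructed message the first hop claims to be ntlworld.com but was recorded by the receiving relay as a cable-modem host at 198.51.100.77, so the From: address is not evidence that the named subscriber sent anything.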