virus in emails!!???


bigboab5
05-09-2003, 11:18
Ok guys, a wee question,

We have 5 email accounts, I have 4 and my wife 1. My email is clear. BUT. My wife keeps getting emails informing her of "Your message could not be delivered" or "undeliverable mail" all from alleged Postmasters or Mail administrators (daemon, Telus, postmaster etc), this has been going on for just over a week. Each suspect email has the original attachments and upon further inspection the virus has been removed by Norton, that virus being W32.Sobig.F@mm. The email is formatted like it is a returned email originally sent through her account. And I know the virus can do this but I am buggered if I can find it. I have looked with both the Symantec removal tool and with Norton AntiVirus (which is fully up to date!!). In each case it says we don't have it. So do we have the virus or not, or is this an email with the virus purporting to be sent from her addy and not really, but she is getting a lot of them. Rough count about 50 or 60, maybe more. AND more importantly, I have not had one in any of my email accounts. Strange eh!!!

edit - Just noticed, returns from Yahoo groups now!!

Oh and is there a way to discover if we were in fact the originator of the email??



Any thoughts?

bigboab5

Lord Nikon
05-09-2003, 11:28
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html

Specifically this part :-


Email spoofing
W32.Sobig.F@mm uses a technique known as "spoofing," by which the worm randomly selects an address it finds on an infected computer. The worm uses this address as the "From" address when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to another individual.

For example, Linda Anderson is using a computer infected with W32.Sobig.F@mm. Linda is neither using an antivirus program nor has the current virus definitions. When W32.Sobig.F@mm performs its email routine, it finds the email address of Harold Logan. The worm inserts Harold's email address into the "From" portion of an infected message, which it then sends to Janet Bishop. Then, Janet contacts Harold and complains that he sent her an infected message; however, when Harold scans his computer, Norton AntiVirus does not find anything, because his computer is not infected.

Nemesis
05-09-2003, 11:45
I have received numerous calls about this one .....

Frustrating to say the least :mad:

To absolutely check for no infection, download the removal tool from Symantec.

bigboab5
05-09-2003, 12:19
Ok guys,

Thanks for the replies, that has put my mind at rest, but what I do find strange is, are these prob coming from one source, i.e. someone we know, or is it from several sources!!!

And yes I have scanned with the removal tool, several times in fact. TY

Bigboab

trebor
05-09-2003, 13:03
If you look at the message headers it will give you some idea of where the message came from and the route it took.
Just be aware that this information can be spoofed just like the From address field.
Right click the message, select Properties, then the Details tab.
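
An added example, not part of the original thread: a Python sketch that reads the Received lines of a returned message newest-first and stops at the first hop not written by a server you recognise, because lines below that point can be forged just like the From field. The sample headers, host names and the 192.0.2.10 home address are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample: original headers as quoted back inside a bounce.
# Addresses use documentation ranges; all host names are made up.
SAMPLE = (
    "Received: from LINDA-PC (dsl-45.isp.example [203.0.113.45])\n"
    "\tby mx.recipient.example with SMTP; Fri, 5 Sep 2003 10:02:05 +0000\n"
    "Received: from home-pc (home-pc [192.0.2.10])\n"
    "\tby smtp.home-isp.example with SMTP; Fri, 5 Sep 2003 10:01:58 +0000\n"
    "From: wife@home-isp.example\n"
    "To: janet@recipient.example\n"
    "Subject: Re: Details\n"
    "\n"
    "body\n"
)

HOP = re.compile(
    r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)"
)

def received_hops(raw):
    """Return hops newest-first as dicts with keys helo, rdns, ip, by."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append(dict(zip(("helo", "rdns", "ip", "by"), m.groups())))
    return hops

def handoff_ip(raw, trusted_servers):
    """IP that connected to the oldest hop written by a trusted server."""
    ip = None
    for hop in received_hops(raw):           # newest first
        if hop["by"] not in trusted_servers:
            break                            # from here down: sender-supplied
        ip = hop["ip"]
    return ip

def sent_from_us(raw, our_ips, trusted_servers):
    """True/False if a trusted hop settles it, None if there is none."""
    ip = handoff_ip(raw, trusted_servers)
    return None if ip is None else ip in our_ips

if __name__ == "__main__":
    trusted = {"mx.recipient.example"}       # assumption: the bouncing server
    print(handoff_ip(SAMPLE, trusted))
    print(sent_from_us(SAMPLE, {"192.0.2.10"}, trusted))
```

In the sample the bottom Received line claims the home address, but the line written by the receiving server records a different connecting IP, so the message did not come from the home connection.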

Chris
05-09-2003, 13:11
Originally posted by bigboab5
Ok guys,

Thanks for the replies, that has put my mind at rest, but what I do find strange is, are these prob coming from one source, i.e. someone we know, or is it from several sources!!!

And yes I have scanned with the removal tool, several times in fact. TY

Bigboab

It's frustrating - we went through a phase of getting p0rno email attachments, apparently from the minister who married us, thanks to a virus that was spoofing his address. The virus in question was randomly attaching files from the infected PC, which apparently also had the minister's email addy in its address book! :eek:

bigboab5
07-09-2003, 22:26
Originally posted by towny
The virus in question was randomly attaching files from the infected PC, which apparently also had the minister's email addy in its address book! :eek:

Oohhh er, how embarrassing!!!


bigboab