Email Viruses Perhaps.


bahamut1454
25-12-2003, 19:56
These are the properties of emails I keep receiving.

Return-Path: <a.gibbo@ntlworld.com>
Received: from PHIL4PAYBACK.com ([62.155.185.193])
by mta02-svc.ntlworld.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
id <20031225164836.ZBTU29762.mta02-svc.ntlworld.com@PHIL4PAYBACK.com>;
Thu, 25 Dec 2003 16:48:36 +0000
From: a.gibbo@ntlworld.com
To: bahamut1454@ntlworld.com
Subject: Registration confirmation
Importance: Normal
X-Mailer: Microsoft Outlook Express 4.72.3612.1700
X-MSMail-Priority: Normal
Message-ID: <762d78e2191200.970bfxsmailerV06.8@ntlworld.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=====PHIL4PAYBACK_ce9f1635d7cadabdd5"
Date: Thu, 25 Dec 2003 16:48:40 +0000



Email I got:
Thanks for your registration.
( We say Sorry again, the first mail was delivered to an unknown mail address.
This was a bug in our mailing system! )


The amount of 239.- USD was deducted by your account.

Welcome,
you can now visit more than 1200 very very hot web pages!
Your registration, pages and passwords are in the attachment.

enjoy


This had a file attachment at 74.4kb.
And this one:
Return-Path: <servers@adelphia.net>
Received: from PHIL4PAYBACK.net ([217.80.13.148]) by mta07-svc.ntlworld.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
id <20031224085816.OZXG2588.mta07-svc.ntlworld.com@PHIL4PAYBACK.net>;
Wed, 24 Dec 2003 08:58:16 +0000
From: servers@adelphia.net
To: hostend@ntlworld.com
Subject: a trojan is on your computer!
Importance: Normal
X-Mailer: Axion
Message-ID: <70086910724639.14110xmailV03.28@adelphia.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="79d41cfa4e8111.46412c92f67b"
Date: Wed, 24 Dec 2003 08:58:21 +0000


Had this message with the same 74.4kb attachment:

hello, I am from Norway and you'll don't believe me,
but a trojan horse in on your computer.
I've scanned the network-ports on the internet. (I know, that's illegal)
And I have found your pc. Your pc is open on the internet for everybody!
Because the services.exe trojan is running on your system.
Check this, open the task manager and try to stop that!
You'll see, you can't stop this trojan.
When you use win98/me you can't see the trojan!!

On my system was this trojan, too!
And I've found a tool to kill that bad thing.
I hope that I've helped you!

Sorry for my bad english!

greets



I had another email the same as above but with different details, as follows:
Return-Path: <mime@toi.t-online.de>
Received: from PHIL4PAYBACK.de ([62.155.185.143]) by mta01-svc.ntlworld.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
id <20031222165903.WRAD26519.mta01-svc.ntlworld.com@PHIL4PAYBACK.de>;
Mon, 22 Dec 2003 16:59:03 +0000
From: mime@toi.t-online.de
To: steve.marlman@ntlworld.com
Subject: a trojan is on your computer!
X-MailScanner: Nothing was found
Importance: Normal
X-Mailer: Microsoft Outlook Express 4.72.3612.1700
X-MSMail-Priority: Normal
Message-ID: <21276848912239.93617@toi.t-online.de>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="PHIL4PAYBACK7696994266059119d1250f88e0"
Date: Mon, 22 Dec 2003 16:59:07 +0000



I think the 74.4kb file attachment is a virus, as it has three different names in these emails. I just want to know if anyone else is getting them and what you think, because they seem to be from an NTL email address.

nathan.

quadplay
25-12-2003, 21:35
I'm pretty sure they are viruses. Can you tell us the names of the files? Just because they're different doesn't always mean they're randomly generated. Secondly, what makes you think they're coming from ntlworld email addresses? The first one has an ntlworld email address as a From header, but since they're obviously spammed mails I'd ignore the From and To headers anyway.

You have three choices really:

Ignore them - just don't open the attachments
Forward these details to the abuse department at t-online.de - this is the (German) ISP that those IP addresses belong to
Forward these details to ntl's abuse department at abuse@ntlworld.com - assuming ntl is your ISP - and let them do the German translation. ;)

Never a bad idea to do a full scan of your system with up-to-date definition files, too! ;)
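A defender's header triage of the messages quoted above, as an added example that is not from any poster in this thread: it pulls the injecting host and IP out of the Received line that quadplay relies on, checks them against what Return-Path and From claim, and builds a key for grouping the PHIL4PAYBACK messages as one campaign. The header blocks are abbreviated reconstructions of the ones posted, and the flag names and the naive "first label plus /24" grouping are this example's own choices.

```python
import re

# Abbreviated header blocks constructed from the messages quoted in this
# thread; the Received line is re-folded with a tab as it would be on the wire.
SAMPLES = {
    "registration": (
        "Return-Path: <a.gibbo@ntlworld.com>\n"
        "Received: from PHIL4PAYBACK.com ([62.155.185.193])\n"
        "\tby mta02-svc.ntlworld.com with ESMTP; Thu, 25 Dec 2003 16:48:36 +0000\n"
        "From: a.gibbo@ntlworld.com\n"
    ),
    "trojan-warning": (
        "Return-Path: <mime@toi.t-online.de>\n"
        "Received: from PHIL4PAYBACK.de ([62.155.185.143])\n"
        "\tby mta01-svc.ntlworld.com with ESMTP; Mon, 22 Dec 2003 16:59:03 +0000\n"
        "From: mime@toi.t-online.de\n"
    ),
}
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)")

def unfold(raw):
    """Join folded continuation lines; return {lower-name: value}, first value wins."""
    headers, last = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and last:
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()
            headers.setdefault(last, value.strip())
    return headers

def domain(addr):
    return addr.strip("<> ").rsplit("@", 1)[-1].lower()

def triage(raw):
    """Who actually handed the mail in, versus who the sender headers claim."""
    h = unfold(raw)
    m = RECEIVED_RE.search(h.get("received", ""))
    info = {"helo": m["helo"].lower(), "ip": m["ip"], "by": m["by"].lower(),
            "return_path_domain": domain(h.get("return-path", "")),
            "from_domain": domain(h.get("from", "")), "flags": []}
    if not info["helo"].endswith(info["return_path_domain"]):
        info["flags"].append("helo-envelope-mismatch")  # HELO host is not the sender's domain
    isp = info["by"].split(".", 1)[-1]   # receiving MX's own domain (ntlworld.com here)
    if info["from_domain"] == isp and not info["helo"].endswith(isp):
        info["flags"].append("spoofed-local-sender")    # outside host claiming an ntl From:
    # Group one campaign: HELO label without its TLD plus the injecting /24.
    info["campaign_key"] = (info["helo"].split(".")[0], info["ip"].rsplit(".", 1)[0])
    return info
```

The IP in the Received line, not the From address, is what an abuse report to the owning ISP should quote; the other sender headers are attacker-controlled.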

Xaccers
25-12-2003, 22:20
services.exe is a system process, part of NT-style OSes, hence why win9x wouldn't show it.
You can bet the attachment is a virus.
Another thing, how could he track your email address from your IP address? :)

Eric van Uden
12-01-2004, 17:31
Just for confirmation:

I stumbled upon this forum when I entered a websearch to find specifics in relation to a very similar message.

The transcript below shows the text of the message I received and an addition by my antivirus software stating that the attachment was filtered out as being infected with the Sober-virus.

My reply is only to confirm that this is virus-trickery and that all previous posts were accurate.

Have a nice day.


Transcript follows:


--START-----------------------------------------------------------------
hi, I am from Denmark and you'll don't believe me,
but a trojan horse in on your computer.
I've scanned the network-ports on the internet. (I know, that's illegal)
And I have found your pc. Your pc is open on the internet for everybody!
Because the services.exe trojan is running on your system.
Check this, open the task manager and try to stop that!
You'll see, you can't stop this trojan.
When you use win98/me you can't see the trojan!!

On my system was this trojan, too!
And I've found a tool to kill that bad thing.
I hope that I've helped you!

======================================================================
The attachment "remove-services-patch.exe" has been removed from this message because
it was infected with a virus (Win32:Sober-C [Wrm])
======================================================================


greets
mvl5FB/bwbAzKH/KKLqytRkTZKR7od0P9UAYWXIBc690Kqozq34GWsa+0pKJbw8pI N5oarM=
--END-------------------------------------------------------------------

br3ach
12-01-2004, 17:33
lol, definitely viruses or hoaxes

anyone who opens the attachment from the foreign guy must be nuts ...

if you open that you deserve the virus IMO ;)