Dangerous Emails-need Some Help

  1. #1
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,836

    Dangerous Emails-need Some Help

    Hi everyone,

    I'm currently on vacation in South Carolina and I can only use the comps here for a few minutes. Here's the deal: I was checking my emails and I received a SHITLOAD of emails from "Mail Delivery Subscription". I'll copy and paste what I'm talkin about:
    Mail Delivery Subsys... Returned mail: see transcript for details Aug 21 101k
    Mail Delivery Subsys... Returned mail: User unknown Aug 21 4k
    Mail Delivery Subsys... Returned mail: Service unavailable Aug 21 4k
    Mail Delivery Subsys... Returned mail: Service unavailable Aug 21 4k
    Mail Delivery Subsys... Returned mail: see transcript for details Aug 21 100k
    Mail Delivery Subsys... Returned mail: Service unavailable Aug 21 4k
    Mail Delivery Subsys... Returned mail: see transcript for details Aug 21 100k
    These are the emails in the inbox screen. Now I haven't sent any emails out so there should be no emails to be returned. I opened the emails and this is what I got.
    Content-Type: text/plain


    The original message was received at Wed, 20 Aug 2003 23:32:14 -0400 (EDT)
    from rrcs-midsouth-24-199-248-51.biz.rr.com [24.199.248.51]


    *** ATTENTION ***

    Your e-mail is being returned to you because there was a problem with its
    delivery. The address which was undeliverable is listed in the section
    labeled: "----- The following addresses had permanent fatal errors -----".

    The reason your mail is being returned to you is listed in the section
    labeled: "----- Transcript of Session Follows -----".

    The line beginning with "<<<" describes the specific reason your e-mail could
    not be delivered. The next line contains a second error message which is a
    general translation for other e-mail servers.

    Please direct further questions regarding this message to your e-mail
    administrator.

    --AOL Postmaster



    ----- The following addresses had permanent fatal errors -----
    <alannarw@aol.com>

    ----- Transcript of session follows -----
    ... while talking to air-xm04.mail.aol.com.:
    >>> DATA
    <<< 554 TRANSACTION FAILED - Unrepairable Virus Detected. Your mail has not been sent.
    554 <alannarw@aol.com>... Service unavailable




    Content-Type: message/delivery-status


    Reporting-MTA: dns; rly-xm02.mx.aol.com
    Arrival-Date: Wed, 20 Aug 2003 23:32:14 -0400 (EDT)

    Final-Recipient: RFC822; alannarw@aol.com
    Action: failed
    Status: 5.0.0
    Remote-MTA: DNS; air-xm04.mail.aol.com
    Diagnostic-Code: SMTP; 554 TRANSACTION FAILED - Unrepairable Virus Detected. Your mail has not
    been sent.
    Last-Attempt-Date: Wed, 20 Aug 2003 23:32:56 -0400 (EDT)




    Content-Type: text/rfc822-headers


    Attachment : attach4 (1k)

    THIS IS THE EMAIL THATS 4k IN SIZE
    ------------------------------------------------
    >THIS IS THE EMAIL WITH THE 100K size:


    Content-Type: text/plain


    The original message was received at Thu, 21 Aug 2003 00:06:18 -0400
    from rrcs-midsouth-24-199-189-226.biz.rr.com [24.199.189.226]

    ----- The following addresses had permanent fatal errors -----
    <exe82@excite.com>
    (reason: 550 <exe82@excite.com>: User unknown in local recipient table)

    ----- Transcript of session follows -----
    ... while talking to xmxpita.excite.com.:
    >>> RCPT To:<exe82@excite.com>
    <<< 550 <exe82@excite.com>: User unknown in local recipient table
    550 5.1.1 <exe82@excite.com>... User unknown




    Content-Type: message/delivery-status


    Reporting-MTA: dns; mail02.power-linx.com
    Received-From-MTA: DNS; rrcs-midsouth-24-199-189-226.biz.rr.com
    Arrival-Date: Thu, 21 Aug 2003 00:06:18 -0400

    Final-Recipient: RFC822; exe82@excite.com
    Action: failed
    Status: 5.1.1
    Remote-MTA: DNS; xmxpita.excite.com
    Diagnostic-Code: SMTP; 550 <exe82@excite.com>: User unknown in local recipient table
    Last-Attempt-Date: Thu, 21 Aug 2003 00:06:22 -0400




    Content-Type: message/rfc822


    From :
    <kvladasi@hotmail.com>

    To :
    <exe82@excite.com>

    Subject :
    Re: Approved

    Date :
    Wed, 20 Aug 2003 23:52:43 --0400

    Attachment : wicked_scr.scr (97k)
    MIME-Version: 1.0
    Received: from BUSINESSCENTER1 (rrcs-midsouth-24-199-189-226.biz.rr.com [24.199.189.226])by mail02.power-linx.com (8.10.2/8.10.2) with ESMTP id h7L46IT26699for <exe82@excite.com>; Thu, 21 Aug 2003 00:06:18 -0400
    Return-Path:
    Message-Id: <200308210406.h7L46IT26699@mail02.power-linx.com>
    X-MailScanner: Found to be clean
    Importance: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MSMail-Priority: Normal
    X-Priority: 3 (Normal)
    Content-Type: multipart/mixed; boundary="_NextPart_000_0B26784F"

    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit


    Please see the attached file for details.



    Content-Type: application/octet-stream; name="wicked_scr.scr"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;filename="wicked_scr.scr"


    Attachment : wicked_scr.scr (97k)


    I'm guessing it's a virus lol. At return path was my email but I deleted it to protect myself from spam bots. Also, I have no clue who exe82@excite.com is. Can you please do some search and see what u can figure out. I'll be very grateful for your help. I'd normally do it myself but I'm away and don't have my tools on me until the 25th. Maybe I have an email in my comp at home which has tried to email itself...I GOT NO CLUE. I haven't been able to connect to my hotmail through my PC at home for some weird reason but I've been able to connect through my brother's laptop which is connected to the same network.

    peace

  2. #2
    Senior Member
    Join Date
    Aug 2002
    Posts
    239
    You were right, it's a virus.

    http://securityresponse.symantec.com...obig.f@mm.html

    Update your antivirus.

    Good luck, and may the force be with you.

    It's 106 miles to Chicago, we've got a full tank of gas, half a pack of cigarettes, it's dark and we're wearing sunglasses.

    Hit it!

  3. #3
    Senior Member
    Join Date
    May 2002
    Posts
    344
    may the force be with you
    ??

    Figure out if hotmail (or whatever mail service you are using) has a function that allows you to block emails from users. You might want to see if that works with these emails. Also, check this was in your email with the 4kb attachment or whatever:

    Unrepairable Virus Detected
    looks like AOL picked up on this virus...

    hopefully you didn't download the attachment but if you did, definitely upgrade your anti-virus software.

    also,
    X-MailScanner: Found to be clean
    Looks like Microsoft Outlook Express's anti virus programs aren't as good as AOL

    anyways good luck
    Support your right to arm bears.


    ^^This was the first video game which I played on an old win3.1 box

  4. #4
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Update your anti-virus and run a scan... If you get nothing, don't freak out... Sobig.F fakes the sender identity when sending itself...

    Let me put that simply... An infected computer with Sobig sends an e-mail FAKING that it's YOU! The recipient's anti-virus mail software sees the e-mail and stops it before it reaches the recipient, and sends back a notice to you. But it's not you who sent the e-mail; it's another computer stealing your identity.

    I had one co-worker get an Out of Office reply when he had never sent an e-mail to that guy. After a quick check, the Out of Office guy had received a virus attachment from the co-worker. But the e-mail trace was coming from the US when normally it should only go through the Exchange server.

    That Sobig... It makes users freak out until they know Sobig steals/fakes identity.
    -Simon "SDK"
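The check described in the post above, whether a bounce really came from mail you sent, can be done from the bounce itself. The following is an added example, not part of the original thread: the function name `triage_bounce`, the `RISKY` extension list and the network ranges passed in are assumptions, and the sample message is constructed from the second bounce quoted in post #1, with a placeholder in place of the attachment.

```python
import email, ipaddress, re
RISKY = (".scr", ".pif", ".exe", ".bat", ".com")
# Constructed DSN modelled on the thread's second bounce; attachment is a placeholder.
SAMPLE_DSN = """\
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail02.power-linx.com

Final-Recipient: RFC822; exe82@excite.com
Status: 5.1.1

--B1
Content-Type: message/rfc822

Received: from BUSINESSCENTER1 (rrcs-midsouth-24-199-189-226.biz.rr.com [24.199.189.226])
 by mail02.power-linx.com with ESMTP; Thu, 21 Aug 2003 00:06:18 -0400
Content-Type: multipart/mixed; boundary="B2"

--B2
Content-Type: application/octet-stream; name="wicked_scr.scr"

placeholder
--B2--
--B1--
"""

def triage_bounce(raw, my_networks):
    """Summarise a DSN; sent_by_me is True only if the submitting IP is ours."""
    out = {"status": None, "recipient": None, "origin_ip": None, "risky": []}
    msg = email.message_from_string(raw)
    for part in (msg.get_payload() if msg.is_multipart() else []):
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload():  # per-message, then per-recipient
                out["status"] = block.get("Status", out["status"])
                out["recipient"] = block.get("Final-Recipient", out["recipient"])
        elif part.get_content_type() == "message/rfc822":
            orig = part.get_payload(0)
            # Topmost Received was stamped by the bouncing MTA, not the sender.
            hop = re.search(r"\[(\d+(?:\.\d+){3})\]", orig.get("Received", ""))
            out["origin_ip"] = hop.group(1) if hop else None
            out["risky"] = [p.get_filename() for p in orig.walk()
                            if (p.get_filename() or "").lower().endswith(RISKY)]
    ip = out["origin_ip"]
    out["sent_by_me"] = bool(ip) and any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in my_networks)
    return out
```

Calling `triage_bounce(SAMPLE_DSN, ["192.0.2.0/24"])`, where the range stands in for your own network, reports the submitting address `24.199.189.226` and `sent_by_me` as false: the bounce is backscatter from a forged sender, not evidence that your machine sent the worm.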

  5. #5
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,836
    Thank you so much to everyone.

  6. #6
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    Attachment : wicked_scr.scr (97k)

    Yeh that's a variant of the sobig worm. I'm thinkin AOL updated their virus protection pretty recently to help stop the worm spreading. That's another problem though...all these emails get sent out eatin bandwidth up...then the mail delivery systems have to send these back out to whoever is sending this out. That's twice the bandwidth. I also read that in an article somewhere too, but if the worm doesn't get to the recipient, bandwidth is still used by the mail subsystem, just not as much. Yeh enough blabbing now, that "wicked screensaver.scr" is an attachment that goes with the sobig worm along with many other attachments. At least you know what worm u got anyways.

  7. #7
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    This thread might interest you
    Auto-Responders Should be Illegal
    -Simon "SDK"

  8. #8
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    Hey any of u guys got a copy of this worm saved? If so would u PM me so I could get it from u? This may sound a lil crazy and ur thinkin "what's this guy tryin to do...get infected"? but no...I just wanna check it out...I read in this article


    http://home.businesswire.com/portal/...ewID=news_view

    and wanted to check it out...pretty smart worm. So if anyone would be willing to give me a copy PM me please. Thanks.
