-
August 22nd, 2003, 01:09 AM
#1
Dangerous Emails-need Some Help
Hi everyone,
I'm currently on vacation in South Carolina and I can only use the comps here for a few minutes. Here's the deal: I was checking my emails and I received a SHITLOAD of emails from "Mail Delivery Subscription". I'll copy and paste what I'm talking about:
Mail Delivery Subsys... Returned mail: see transcript for details Aug 21 101k
Mail Delivery Subsys... Returned mail: User unknown Aug 21 4k
Mail Delivery Subsys... Returned mail: Service unavailable Aug 21 4k
Mail Delivery Subsys... Returned mail: Service unavailable Aug 21 4k
Mail Delivery Subsys... Returned mail: see transcript for details Aug 21 100k
Mail Delivery Subsys... Returned mail: Service unavailable Aug 21 4k
Mail Delivery Subsys... Returned mail: see transcript for details Aug 21 100k
These are the emails in the inbox screen. Now I haven't sent any emails out so there should be no emails to be returned. I opened the emails and this is what I got.
Content-Type: text/plain
The original message was received at Wed, 20 Aug 2003 23:32:14 -0400 (EDT)
from rrcs-midsouth-24-199-248-51.biz.rr.com [24.199.248.51]
*** ATTENTION ***
Your e-mail is being returned to you because there was a problem with its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".
The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".
The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered. The next line contains a second error message which is a
general translation for other e-mail servers.
Please direct further questions regarding this message to your e-mail
administrator.
--AOL Postmaster
----- The following addresses had permanent fatal errors -----
<alannarw@aol.com>
----- Transcript of session follows -----
... while talking to air-xm04.mail.aol.com.:
>>> DATA
<<< 554 TRANSACTION FAILED - Unrepairable Virus Detected. Your mail has not been sent.
554 <alannarw@aol.com>... Service unavailable
Content-Type: message/delivery-status
Reporting-MTA: dns; rly-xm02.mx.aol.com
Arrival-Date: Wed, 20 Aug 2003 23:32:14 -0400 (EDT)
Final-Recipient: RFC822; alannarw@aol.com
Action: failed
Status: 5.0.0
Remote-MTA: DNS; air-xm04.mail.aol.com
Diagnostic-Code: SMTP; 554 TRANSACTION FAILED - Unrepairable Virus Detected. Your mail has not
been sent.
Last-Attempt-Date: Wed, 20 Aug 2003 23:32:56 -0400 (EDT)
Content-Type: text/rfc822-headers
Attachment : attach4 (1k)
THIS IS THE EMAIL THATS 4k IN SIZE
------------------------------------------------
>THIS IS THE EMAIL WITH THE 100K size:
Content-Type: text/plain
The original message was received at Thu, 21 Aug 2003 00:06:18 -0400
from rrcs-midsouth-24-199-189-226.biz.rr.com [24.199.189.226]
----- The following addresses had permanent fatal errors -----
<exe82@excite.com>
(reason: 550 <exe82@excite.com>: User unknown in local recipient table)
----- Transcript of session follows -----
... while talking to xmxpita.excite.com.:
>>> RCPT To:<exe82@excite.com>
<<< 550 <exe82@excite.com>: User unknown in local recipient table
550 5.1.1 <exe82@excite.com>... User unknown
Content-Type: message/delivery-status
Reporting-MTA: dns; mail02.power-linx.com
Received-From-MTA: DNS; rrcs-midsouth-24-199-189-226.biz.rr.com
Arrival-Date: Thu, 21 Aug 2003 00:06:18 -0400
Final-Recipient: RFC822; exe82@excite.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; xmxpita.excite.com
Diagnostic-Code: SMTP; 550 <exe82@excite.com>: User unknown in local recipient table
Last-Attempt-Date: Thu, 21 Aug 2003 00:06:22 -0400
Content-Type: message/rfc822
From :
<kvladasi@hotmail.com>
To :
<exe82@excite.com>
Subject :
Re: Approved
Date :
Wed, 20 Aug 2003 23:52:43 --0400
Attachment : wicked_scr.scr (97k)
MIME-Version: 1.0
Received: from BUSINESSCENTER1 (rrcs-midsouth-24-199-189-226.biz.rr.com [24.199.189.226])by mail02.power-linx.com (8.10.2/8.10.2) with ESMTP id h7L46IT26699for <exe82@excite.com>; Thu, 21 Aug 2003 00:06:18 -0400
Return-Path:
Message-Id: <200308210406.h7L46IT26699@mail02.power-linx.com>
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
Content-Type: multipart/mixed; boundary="_NextPart_000_0B26784F"
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Please see the attached file for details.
Content-Type: application/octet-stream; name="wicked_scr.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;filename="wicked_scr.scr"
Attachment : wicked_scr.scr (97k)
I'm guessing it's a virus lol. At return path was my email but I deleted it to protect myself from spam bots. Also, I have no clue who exe82@excite.com is. Can you please do some searching and see what you can figure out? I'll be very grateful for your help. I'd normally do it myself but I'm away and don't have my tools on me until the 25th. Maybe I have an email in my comp at home which has tried to email itself... I GOT NO CLUE. I haven't been able to connect to my hotmail through my PC at home for some weird reason but I've been able to connect through my brother's laptop which is connected to the same network.
peace
-
August 22nd, 2003, 01:14 AM
#2
You were right, it's a virus.
http://securityresponse.symantec.com...obig.f@mm.html
Update your antivirus.
Good luck, and may the force be with you.
It's 106 miles to Chicago, we've got a full tank of gas, half a pack of cigarettes, it's dark and we're wearing sunglasses.
Hit it!
-
August 22nd, 2003, 03:40 AM
#3
may the force be with you
??
Figure out if hotmail (or whatever mail service you are using) has a function that allows you to block emails from users. You might want to see if that works with these emails. Also, check this, it was in your email with the 4kb attachment or whatever:
Unrepairable Virus Detected
Looks like AOL picked up on this virus...
Hopefully you didn't download the attachment, but if you did, definitely upgrade your anti-virus software.
Also,
X-MailScanner: Found to be clean
Looks like Microsoft Outlook Express's anti virus programs aren't as good as AOL
anyways good luck
Support your right to arm bears.
^^This was the first video game which I played on an old win3.1 box
-
August 22nd, 2003, 04:14 AM
#4
Update your anti-virus and run a scan... If you get nothing, don't freak out... Sobig.F fakes the sender identity when sending itself...
Let's put that simply... An infected computer with Sobig sends an e-mail FAKING he's YOU! The recipient's anti-virus mail software sees the e-mail and stops it before it reaches the recipient and sends back a notice to you. But it's not you who sent the e-mail, it's another computer stealing your identity.
I had one co-worker get an Out of Office reply when he never sent an e-mail to that guy. After a quick check-up, the Out of Office guy had received a virus attachment from the co-worker. But the e-mail trace was coming from the US when normally it should only go through the Exchange server.
That Sobig... It makes users freak out until they know Sobig steals/fakes identity.
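The check described in this post, applied to the bounce pasted in post #1, as an added example that is not part of the original thread: it reads the delivery-status fields and the one `Received` hop written by the reporting MTA, then compares the submitting IP with the networks the mailbox owner really sends from. `triage_bounce` and `MY_NETWORKS` are hypothetical names, and the network range is a constructed placeholder.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Sample bounce fields copied from post #1 (whitespace normalised).
DSN_FIELDS = """\
Reporting-MTA: dns; mail02.power-linx.com
Received-From-MTA: DNS; rrcs-midsouth-24-199-189-226.biz.rr.com
Final-Recipient: RFC822; exe82@excite.com
Action: failed
Status: 5.1.1
Diagnostic-Code: SMTP; 550 <exe82@excite.com>: User unknown in local recipient table
"""
RETURNED_HEADERS = """\
Received: from BUSINESSCENTER1 (rrcs-midsouth-24-199-189-226.biz.rr.com [24.199.189.226])
 by mail02.power-linx.com (8.10.2/8.10.2) with ESMTP id h7L46IT26699
 for <exe82@excite.com>; Thu, 21 Aug 2003 00:06:18 -0400
From: <kvladasi@hotmail.com>
Subject: Re: Approved
"""
# Assumption: networks the mailbox owner actually sends from (constructed value).
MY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)\s+by\s+(\S+)")

def triage_bounce(dsn_text, returned_headers, my_networks):
    dsn = HeaderParser().parsestr(dsn_text)
    hdrs = HeaderParser().parsestr(returned_headers)
    # Only a Received line stamped by the reporting MTA is trustworthy; the
    # From and Return-Path values were chosen by whoever submitted the mail.
    m = RECEIVED_RE.search(" ".join(hdrs.get("Received", "").split()))
    if not m:
        return {"verdict": "unknown", "reason": "no parsable Received header"}
    helo, rdns, ip, by_host = m.groups()
    reporting = dsn.get("Reporting-MTA", "").split(";")[-1].strip()
    if by_host.lower() != reporting.lower():
        return {"verdict": "unknown", "reason": "hop not written by reporting MTA"}
    mine = any(ipaddress.ip_address(ip) in net for net in my_networks)
    return {
        "verdict": "sent-from-my-network" if mine else "forged-sender-backscatter",
        "submitting_ip": ip, "submitting_rdns": rdns, "helo": helo,
        "header_from": hdrs.get("From", "").strip(),
        "status": dsn.get("Status", "").strip(),
    }

if __name__ == "__main__":
    print(triage_bounce(DSN_FIELDS, RETURNED_HEADERS, MY_NETWORKS))
```

A "forged-sender-backscatter" verdict means the rejected message entered the mail system from a host outside your own networks, so the bounce alone is not evidence that your machine is infected.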
-
August 22nd, 2003, 04:52 PM
#5
Thank you so much to everyone.
-
August 22nd, 2003, 05:08 PM
#6
Attachment : wicked_scr.scr (97k)
Yeah, that's a variant of the Sobig worm. I'm thinking AOL updated their virus protection pretty recently to help stop the worm spreading. That's another problem though... all these emails get sent out eating bandwidth up... then the mail delivery systems have to send these back out to whoever is sending this out. That's twice the bandwidth. I also read that in an article somewhere too, but if the worm doesn't get to the recipient, bandwidth is still used by the mail subsystem, just not as much. Yeah, enough blabbing now, that "wicked screensaver.scr" is an attachment that goes with the Sobig worm along with many other attachments. At least you know what worm you got anyways.
-
August 22nd, 2003, 05:15 PM
#7
-
August 22nd, 2003, 05:37 PM
#8
Hey, any of you guys got a copy of this worm saved? If so, would you PM me so I could get it from you? This may sound a little crazy and you're thinking "what's this guy trying to do... get infected"? But no... I just wanna check it out... I read in this article
http://home.businesswire.com/portal/...ewID=news_view
and wanted to check it out... pretty smart worm. So if anyone would be willing to give me a copy, PM me please. Thanks.