
Thread: Windows XP Puzzlement? *solved*

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    Windows XP Puzzlement?

    I'm trying to help a student with an issue via chat and something he gave to me has me a bit puzzled. From what I can tell his machine is named your-us67pi6luv. Now here's the puzzlement: this "name" is all over the Internet. I want to eliminate it as a potential virus/worm effect but I'm not sure if this is a default name given by a manufacturer or by Microsoft.

    Anyone seen this as a machine name on a Windows box?

    [Edit]

    I have suspicions of SoBig.F@mm.... but not sure as I can't find any matches to this.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    407
    I googled it and saw it occurring a lot in mail headers... is he running a mail server on his computer?


    slick
    "Look, Doc, I spent last Tuesday watching fibers on my carpet. And the whole time I was watching my carpet, I was worrying that I, I might vomit. And the whole time, I was thinking, "I'm a grown man. I should know what goes on my head." And the more I thought about it... the more I realized that I should just blow my brains out and end it all. But then I thought, well, if I thought more about blowing my brains out... I start worrying about what that was going to do to my goddamn carpet. Okay, so, ah-he, that was a GOOD day, Doc. And, and I just want you to give me some pills and let me get on with my life." -Roy Waller

  3. #3
    I don't have too much time on me right now, but I have noticed that

    your-us67pi6luv

    points to (at least in email headers) a university, and a religious group discussion?

    example: http://www.ibiblio.org/pardo/birds/a.../msg01333.html

    I don't see anything calling it a virus, but it makes me wonder if it is being used only internally for that system alone. A bit busy, but as soon as I get a moment I'll look more into it.

    However, what does make me hesitant is I saw it being used as a direct HTML link, not even as a proper standard.

    <BODY bgColor=3D#ffffff=20 background=3Dcid:016801c3945c$6db2c3c0$88f71643@yourus67pi6luv> on

    http://lists.eskiedog.com/pipermail/...er/002432.html


    Anyways, have to run! Good luck!
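
Added example, not part of any post in this thread: a check for where a machine name appears in a saved single-part mail message, covering header fields and cid: references inside a quoted-printable body like the BODY tag quoted above. The sample message is constructed (only the BODY tag comes from the thread; the function and variable names are hypothetical), and names are compared with punctuation stripped because the thread shows the name both as your-us67pi6luv and yourus67pi6luv.

```python
import re
from email import message_from_string

# Constructed sample: only the BODY tag is from the thread; the headers,
# addresses and Message-ID are invented for this example.
RAW = """\
Received: from your-us67pi6luv (unknown [192.0.2.10]) by mx.example.org
Message-ID: <constructed-id@yourus67pi6luv>
Subject: test
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<HTML>
<BODY bgColor=3D#ffffff=20 background=3Dcid:016801c3945c$6db2c3c0$88f71643@yourus67pi6luv>
</BODY></HTML>
"""

TOKEN = re.compile(r"[A-Za-z0-9._-]+")
CID_REF = re.compile(r"""(\w+)=["']?cid:([^\s"'>]+)""")


def norm(name):
    """Lower-case and drop punctuation so 'your-us67pi6luv' == 'yourus67pi6luv'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def find_hostname(raw, hostname):
    """Return (location, value) pairs for every place the name appears."""
    want = norm(hostname)
    msg = message_from_string(raw)
    hits = []
    # Header fields: Received carries the HELO name, Message-ID a host part.
    for field, value in msg.items():
        if any(norm(tok) == want for tok in TOKEN.findall(value)):
            hits.append((field, value))
    # Body: undo quoted-printable first, otherwise '=3Dcid:' hides the reference.
    body = msg.get_payload(decode=True).decode("ascii", "replace")
    for attr, cid in CID_REF.findall(body):
        if norm(cid.rpartition("@")[2]) == want:
            hits.append(("body:" + attr, cid))
    return hits


if __name__ == "__main__":
    for location, value in find_hostname(RAW, "your-us67pi6luv"):
        print(f"{location}: {value}")
```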

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Nope. No webserver either...


    Part of his netstat -a
    Proto  Local Address                 Foreign Address    State
    TCP    your-us67pi6luv:epmap         your-us67pi6luv:0  LISTENING
    TCP    your-us67pi6luv:microsoft-ds  your-us67pi6luv:0  LISTENING
    TCP    your-us67pi6luv:1025          your-us67pi6luv:0  LISTENING
    TCP    your-us67pi6luv:1029          your-us67pi6luv:0  LISTENING
    TCP    your-us67pi6luv:1034          your-us67pi6luv:0  LISTENING
    TCP    your-us67pi6luv:1050          your-us67pi6luv:0  LISTENING
    TCP    your-us67pi6luv:5000          your-us67pi6luv:0  LISTENING
    TCP    your-us67pi6luv:1041          your-us67pi6luv:0  LISTENING
    TCP    your-us67pi6luv:netbios-ssn   your-us67pi6luv:0  LISTENING
    And I don't think he has a firewall (he's not a full student of mine... yet )

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    pooh, interesting that you bring this up:

    However, what does make me hesitant is I saw it being used as a direct HTML link, not even as a proper standard.

    <BODY bgColor=3D#ffffff=20 background=3Dcid:016801c3945c$6db2c3c0$88f71643@yourus67pi6luv> on
    Because check this picture's name

  6. #6
    Senior Member
    Join Date
    May 2003
    Posts
    407
    looked at SoBig.F@mm and according to symantec:
    The worm uses its own SMTP engine to propagate.
    However, the article continued:

    The worm de-activates on September 10, 2003. The last day after which the worm should stop spreading is September 9, 2003.
    Is his system clock up to date? An out of date system clock would probably let the worm stay.



    slick

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Well, see.. here's the thing that's bugging me: one of the reasons I've been helping him is that he claims the school's website is giving him pop-ups (which no one else experiences -- he's got a thread on the school forum that I've been going through with him). He's run various spybot, adaware and AV software with no luck.

    It makes me think variant. At least, I suppose I can eliminate that this is a default name put in by MS and/or a manufacturer like Dell?

    In addition, all the definitions of So.Big.F@mm don't mention machine name changes.

  8. #8
    Senior Member
    Join Date
    May 2003
    Posts
    407
    How many people have confirmed no popups? I'd like to see a link, just in case. Maybe try booting in safe mode and run adaware and spybot and AV? I dunno, this is an unusual one, I'm just throwing out ideas.


    slick

  9. #9
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    When I get new computers from Dell, the computer name has to do with Dell and then random characters after that.

    like: dell-d3a5s68 or something of the sort.

    I have to set up another one tomorrow... so if you can wait till tomorrow... I can confirm this.

    when you install it yourself, it asks you what you want to make it.

    some manufacturers will go only as far as to install and to the point where you name it yourself and then setup user accounts.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  10. #10
    I looked around more and it seems like it is coming from a university, and maybe as a mask to each user's real IP behind the university's connection. Check this out, a security advisory for UFL:

    http://www.health.ufl.edu/mail-archi.../msg00017.html


    Does he/she attend ufl or utk?


    Also, I found a linking jpg to that hostname:

    http://groups.msn.com/LittleRockAdul...o&PhotoID=3601


    From a little Rock community? Man, I can't find any documentation on this hostname.
