-
January 9th, 2004, 02:30 AM
#1
Windows XP Puzzlement?
I'm trying to help a student with an issue via chat and something he gave to me has me a bit puzzled. From what I can tell his machine is named your-us67pi6luv. Now here's the puzzlement: this "name" is all over the Internet. I want to eliminate it as a potential virus/worm effect but I'm not sure if this is a default name given by a manufacturer or by Microsoft.
Anyone seen this as a machine name on a Windows box?
[Edit]
I have suspicions of SoBig.F@mm.... but not sure as I can't find any matches to this.
-
January 9th, 2004, 02:38 AM
#2
I googled it and saw it occurring a lot in mail headers... is he running a mail server on his computer?
slick
"Look, Doc, I spent last Tuesday watching fibers on my carpet. And the whole time I was watching my carpet, I was worrying that I, I might vomit. And the whole time, I was thinking, 'I'm a grown man. I should know what goes on my head.' And the more I thought about it... the more I realized that I should just blow my brains out and end it all. But then I thought, well, if I thought more about blowing my brains out... I start worrying about what that was going to do to my goddamn carpet. Okay, so, ah-he, that was a GOOD day, Doc. And, and I just want you to give me some pills and let me get on with my life." -Roy Waller
-
January 9th, 2004, 02:40 AM
#3
I don't have too much time on me right now, but I have noticed that
your-us67pi6luv
points to (at least in email headers) a university, and a religious group discussion?
example: http://www.ibiblio.org/pardo/birds/a.../msg01333.html
I don't see anything calling it a virus, but it makes me wonder if it is being used only internally for that system alone. A bit busy, but as soon as I get a moment I'll look more into it.
However, what does make me hesitant is I saw it being used as a direct HTML link, not even as a proper standard.
<BODY bgColor=3D#ffffff=20 background=3Dcid:016801c3945c$6db2c3c0$88f71643@yourus67pi6luv> on
http://lists.eskiedog.com/pipermail/...er/002432.html
Anyways, have to run! Good luck!
-
January 9th, 2004, 02:41 AM
#4
Nope. No webserver either...
Part of his netstat -a
Proto Local Address Foreign Address State
TCP your-us67pi6luv:epmap your-us67pi6luv:0 LISTENING
TCP your-us67pi6luv:microsoft-ds your-us67pi6luv:0 LISTENING
TCP your-us67pi6luv:1025 your-us67pi6luv:0 LISTENING
TCP your-us67pi6luv:1029 your-us67pi6luv:0 LISTENING
TCP your-us67pi6luv:1034 your-us67pi6luv:0 LISTENING
TCP your-us67pi6luv:1050 your-us67pi6luv:0 LISTENING
TCP your-us67pi6luv:5000 your-us67pi6luv:0 LISTENING
TCP your-us67pi6luv:1041 your-us67pi6luv:0 LISTENING
TCP your-us67pi6luv:netbios-ssn your-us67pi6luv:0 LISTENING
And I don't think he has a firewall (he's not a full student of mine... yet)
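The netstat listing above is the kind of thing worth triaging mechanically when someone pastes it into a chat. The following is an added example (my own code, not anything posted in this thread): it parses a pasted `netstat -a` snippet, resolves the Windows service names netstat prints (epmap, netbios-ssn, microsoft-ds) to port numbers, confirms which hostname the listeners are bound to, and flags the well-known ports that an unfirewalled home machine should not be exposing to the Internet. The port-to-service mapping and the "risky" annotations are this example's own assumptions (standard IANA assignments plus UPnP on XP for TCP 5000), and the sample input is the listing from the post above.

```python
"""Triage a pasted `netstat -a` snippet from a Windows box.

Added example, not code from the thread.  Parses the listing, lists TCP
listeners, and flags ports a home machine without a firewall should not be
exposing to the Internet.
"""
import re

# Service names netstat prints in place of well-known port numbers (IANA
# assignments; assumption for this example).
SERVICE_PORTS = {
    "epmap": 135,          # DCE/RPC endpoint mapper
    "netbios-ssn": 139,    # NetBIOS session service
    "microsoft-ds": 445,   # SMB directly over TCP
}

# Listeners a home box has no reason to expose beyond the LAN.  These labels
# are this example's own annotations, not anything stated in the thread.
RISKY_PORTS = {
    135: "RPC endpoint mapper; block at the perimeter",
    139: "NetBIOS session service; file sharing, block at the perimeter",
    445: "SMB over TCP; file sharing, block at the perimeter",
    5000: "UPnP/SSDP device host on Windows XP; disable or block",
}

# One netstat line: "TCP  host:port  host:port  STATE" (STATE absent for UDP).
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<lhost>\S+):(?P<lport>\S+)\s+"
    r"(?P<fhost>\S+):(?P<fport>\S+)(?:\s+(?P<state>\S+))?\s*$"
)

# Constructed sample: the listing pasted in post #4 above, with its header.
SAMPLE_NETSTAT = """\
Proto Local Address Foreign Address State
TCP your-us67pi6luv:epmap your-us67pi6luv:0 LISTENING
TCP your-us67pi6luv:microsoft-ds your-us67pi6luv:0 LISTENING
TCP your-us67pi6luv:1025 your-us67pi6luv:0 LISTENING
TCP your-us67pi6luv:1029 your-us67pi6luv:0 LISTENING
TCP your-us67pi6luv:1034 your-us67pi6luv:0 LISTENING
TCP your-us67pi6luv:1050 your-us67pi6luv:0 LISTENING
TCP your-us67pi6luv:5000 your-us67pi6luv:0 LISTENING
TCP your-us67pi6luv:1041 your-us67pi6luv:0 LISTENING
TCP your-us67pi6luv:netbios-ssn your-us67pi6luv:0 LISTENING
"""


def port_number(token):
    """Turn a netstat port token (number or service name) into an int, or None."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token.lower())


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "proto": m["proto"],
            "host": m["lhost"],
            "port": port_number(m["lport"]),
            "port_label": m["lport"],
            "state": m["state"],
        })
    return entries


def host_names(entries):
    """Distinct local hostnames the sockets are bound to (should be one box)."""
    return sorted({e["host"] for e in entries})


def listening_ports(entries):
    """Sorted TCP ports in LISTENING state with a resolvable port number."""
    return sorted({
        e["port"] for e in entries
        if e["proto"] == "TCP" and e["state"] == "LISTENING" and e["port"] is not None
    })


def exposed_listeners(entries):
    """(port, why-it-matters) for listeners that belong behind a firewall."""
    return [(p, RISKY_PORTS[p]) for p in listening_ports(entries) if p in RISKY_PORTS]


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    print("hosts:", host_names(parsed))
    print("listening:", listening_ports(parsed))
    for port, note in exposed_listeners(parsed):
        print(f"  {port:>5}  {note}")
```

Run it on the paste and the output separates the two questions the thread is mixing: what the box is called (a single hostname, whatever its origin) and what it is exposing (RPC, NetBIOS, SMB and UPnP listeners with no firewall in front of them), which is the part that actually needs fixing regardless of whether the name is a default.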
-
January 9th, 2004, 02:46 AM
#5
pooh, interesting that you bring this up:
However, what does make me hesitant is I saw it being used as a direct HTML link, not even as a proper standard.
<BODY bgColor=3D#ffffff=20 background=3Dcid:016801c3945c$6db2c3c0$88f71643@yourus67pi6luv> on
Because check this picture's name
-
January 9th, 2004, 02:46 AM
#6
looked at SoBig.F@mm and according to symantec:
The worm uses its own SMTP engine to propagate.
However, the article continued:
The worm de-activates on September 10, 2003. The last day after which the worm should stop spreading is September 9, 2003.
Is his system clock up to date? An out of date system clock would probably let the worm stay.
slick
-
January 9th, 2004, 02:49 AM
#7
Well, see.. here's the thing that's bugging me: one of the reasons I've been helping him is that he claims the school's website is giving him pop-ups (which no one else experiences -- he's got a thread on the school forum that I've been going through with him). He's run various spybot, adaware and AV software with no luck.
It makes me think variant. At least, I suppose I can eliminate that this is a default name put in by MS and/or a manufacturer like Dell?
In addition, all the definitions of So.Big.F@mm don't mention machine name changes.
-
January 9th, 2004, 02:58 AM
#8
How many people have confirmed no popups? I'd like to see a link, just in case. Maybe try booting in safe mode and run adaware and spybot and AV? I dunno, this is an unusual one, I'm just throwing out ideas.
slick
-
January 9th, 2004, 03:41 AM
#9
When I get new computers from Dell, the computer name has to do with Dell and then random characters after that.
like: dell-d3a5s68 or something of the sort.
I have to set up another one tomorrow... so if you can wait till tomorrow... I can confirm this.
When you install it yourself, it asks you what you want to make it.
Some manufacturers will only go as far as installing, to the point where you name it yourself and then set up user accounts.
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
January 9th, 2004, 03:56 AM
#10
I looked around more and it seems like it is coming from a university, and maybe as a mask to each user's real IP behind the university's connection. Check this out, a security advisory for UFL:
http://www.health.ufl.edu/mail-archi.../msg00017.html
Does he/she attend ufl or utk?
Also, I found a linking jpg to that hostname:
http://groups.msn.com/LittleRockAdul...o&PhotoID=3601
From a Little Rock community? Man, I can't find any documentation on this hostname.