-
August 9th, 2004, 08:01 AM
#1
Member
zip attachments
I don't know whether this was discussed here earlier as I am not a regular here.
I am getting a large number of .zip attachments nowadays from known and unknown addresses. The known addresses are from yahoogroups friends and I received a mail from mygroup-unsubscribe@yahoogroups today. I suspect some virus had infected yahoo groups.
Also, I am getting mails saying that some server rejected my message because it contains a virus, but actually those messages were not sent by me. It happens only with my yahoo id.
Is it a virus?
Thanks
-
August 9th, 2004, 09:11 AM
#2
They very well could be. Any time you receive an attachment (zip or not) that you didn't know was coming, it is wise to check with the sender to see if they actually meant to send it to you. If they didn't send it, and/or you don't know the sender, then I would assume it to be malware of some sort and just delete it.
"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
Author Unknown
-
August 9th, 2004, 10:05 AM
#3
Don't you have an up-to-date virus scanner? That should tell you if it's a virus or not.
There are a few viruses lurking around that send their payload in a zip file.
Also note that a lot of viruses fake the sender's address. So somebody is sending viruses (probably without their knowledge) with your address as the sender. That's why you're getting the virus warnings (which any decent admin should have turned off by now).
Oliver's Law:
Experience is something you don't get until just after you need it.
-
August 9th, 2004, 01:05 PM
#4
I am getting a large number of .zip attachments nowadays from known and unknown addresses. The known addresses are from yahoogroups friends and I received a mail from mygroup-unsubscribe@yahoogroups today. I suspect some virus had infected yahoo groups.
Also, I am getting mails saying that some server rejected my message because it contains a virus, but actually those messages were not sent by me. It happens only with my yahoo id.
One or a couple of your friends have been infected with one of the many mass mailer viruses like Netsky.p and family (please note this is not the only virus/worm that works like this)
The virus searched the victim's machine and found email addresses in various locations including emails and word documents.. It then went about sending emails containing itself using its own SMTP (email distribution) program.. but here is the twist.. when it creates the email using a random name (in some cases yours) and sends it to another random name (sometimes yours)..
But then again it could be you that's infected.. have you scanned the machine recently.. as Sirdice asked..
I now have a new recommendation.. a BartPE CD with the AV & spyware plugins.. (still working on this one) basic but it makes life a little easier..
Cheers
BTW: who recommended BartPE to me?.. or was it in a thread here.. thanks just the same..
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
August 9th, 2004, 02:38 PM
#5
Got 3 emails today from service@cinderblock, through my yahoo account. All had password protected zip attachments. I only looked at one, no prizes for guessing what I found.
You guessed it. Beagle.H@mm.
Info:
W32.Beagle.H@mm is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email. It also sends the attacker the port on which the backdoor listens, as well as the IP address. The email attachment is a randomly named .exe file inside a .zip file. The embedded .exe file is password-protected with a random password.
http://[email protected]
I knew what I was doing when I took a look and I knew what I would find. If you need to ask the question, just delete them. One of the drawbacks to groups@yahoo and the like is you are going to get added to plenty of address books. It only takes one infected idiot to start the ball rolling.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
August 9th, 2004, 04:25 PM
#6
If you are looking for a good scanner with very good updates and a scanner that will automatically filter your email go with Kaspersky Virus scanner. You can get a free scanner at kaspersky.com.
- MilitantEidolon
Yeah that's right........I said It!
Ultimately everyone will have their own opinion--this is mine.
-
August 9th, 2004, 08:11 PM
#7
Also, I am getting mails saying that some server rejected my message because it contains a virus, but actually those messages were not sent by me
Sun, may be just a simple case of email spoofing. Usually the returned emails I've gotten back contain an expanded email header of the original offending email along with an explanation of why it was returned. If you look at the Received: fields, you can generally determine the true origin of the actual email most of the time. Personally though, I never had much luck tracing the path of the offending emails because there are people out there using proxies and telnetting into open mail servers which makes the investigation almost pointless.
The only thing I can recommend to combat email spoofing is updated mail server logs (of emails you actually sent) coupled with maybe PGP or a Digital ID (Verisign for instance).
The object of war is not to die for your country but to make the other bastard die for his - George Patton
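Added example, not part of any post in this thread: reading the Received: fields of the original message that a bounce carries, as post #7 describes. The bounce, host names and addresses below are constructed for illustration (documentation IP ranges), and the function names are this example's own.

```python
import email
import re

# Constructed bounce: every host and address here is made up for the example.
BOUNCE = """\
From: MAILER-DAEMON@mx.example.org
To: sun@example.com
Subject: Virus found in message you sent
MIME-Version: 1.0
Content-Type: multipart/report; boundary="b1"

--b1
Content-Type: text/plain

Your message was rejected because it contains a virus.

--b1
Content-Type: message/rfc822

Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org; Mon, 9 Aug 2004 08:00:05 +0000
Received: from friendpc (dsl-host.example.net [198.51.100.23])
\tby relay.example.net; Mon, 9 Aug 2004 08:00:01 +0000
From: sun@example.com
To: someone@example.org
Subject: price

--b1--
"""

HOP = re.compile(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\]", re.S)

def original_message(bounce_text):
    """Return the rejected message embedded in the bounce, or None."""
    for part in email.message_from_string(bounce_text).walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def received_hops(bounce_text):
    """(claimed HELO name, connecting IP) per hop, earliest hop first."""
    original = original_message(bounce_text)
    if original is None:
        return []
    hops = [HOP.search(h) for h in original.get_all("Received", [])]
    # Each server prepends its own header, so reverse to read in delivery order.
    return [m.groups() for m in reversed(hops) if m]
```

The From: line says sun@example.com, but the earliest hop shows the message entering from 198.51.100.23. Only Received: lines written by servers you trust are reliable, since anything below them can be forged by the sender.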
-
August 9th, 2004, 08:39 PM
#8
We have just been hit with about 25 of these ......and Norton CE 8.01 is not catching them.
I manually downloaded the virus defs 8/09/04
Anyone else???
Email appears to be coming from internal exchange users or absolute strangers.
MLF
Attachments are price.zip containing price.html and price.exe
How people treat you is their karma- how you react is yours-Wayne Dyer
-
August 10th, 2004, 03:26 PM
#9
morganlefay: It's the new Bagle.AQ see this thread.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
August 10th, 2004, 03:36 PM
#10
The email attachment is a password protected zip file. Hence Norton will not catch it until after it has been unzipped. At least that's my experience. Norton up to now has always stripped infected attachments from my emails but those that I have received up till now were not in a password protected compressed file.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
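Added example, not part of any post in this thread: a scanner cannot read inside a password-protected zip, but the archive's directory still shows which entries are encrypted and what they are called, so a mail filter can act on that alone. The extension list and the three verdicts are assumptions of this example, and the sample archive is constructed (a harmless zip with the encryption flag bit set by hand, using the file names from post #8).

```python
import io
import zipfile

# Extensions treated as executable here: an assumed policy list, not from the thread.
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def triage_zip(data):
    """Classify a ZIP attachment from its directory metadata alone; no password needed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
    # Bit 0 of the general-purpose flag marks an encrypted entry; names normally stay readable.
    encrypted = [e.filename for e in entries if e.flag_bits & 0x1]
    risky = [e.filename for e in entries if e.filename.lower().endswith(RISKY_EXT)]
    if set(encrypted) & set(risky):
        verdict = "quarantine"        # encrypted executable: cannot be scanned
    elif encrypted:
        verdict = "hold-unscannable"  # encrypted, no executable name seen
    else:
        verdict = "scan"              # readable, hand it to the AV engine
    return {"verdict": verdict, "encrypted": encrypted, "risky": risky}

def make_sample(encrypted):
    """Build a constructed, harmless archive; optionally mark its entries as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("price.html", b"<html>constructed</html>")
        zf.writestr("price.exe", b"constructed placeholder, not a real executable")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flag word sits 6 bytes into a local header and 8 bytes into a directory header.
        for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + offset] |= 0x01
                pos = raw.find(sig, pos + 4)
    return bytes(raw)
```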