A+ Certification - Re: Virus Problem ** Help!**

#1

You have the virus. It's a worm of one sort or another. You are sending the emails. Or rather your computer is without you knowing it. I know you say you are running an AV prog but that doesn't always work. I'm a sys admin for an ISP and I get this scenario daily. You do have a virus\worm\hack (blended threat). If you update your defs regularly (daily) you can still get a virus. I have people tell me they couldn't possibly have a virus because they run Norton. If your defs are 12 hours old and the virus is only 2 hours old, do the math. There are literally billions of these bogus virus spams flooding the Internet. What do I tell people? Get a new email address, don't use it in public. Wipe your system, reinstall and restore critical files from backup. Don't have a backup? That's your fault.

On Fri, 20 Feb 2004 08:05:46 GMT, "David BlandIII" <> wrote:

> Perhaps some of you bright lads & lasses can help me with a rather perplexing problem. Having cruised the net since the early days of the web, I have (on occasion) run into the random virus here and there, perhaps as many as five or six times a year. I always keep NAV running and I do a lot of downloading. Every once in a while I'll download a virus infected file and get that cool little sound letting me know that Norton's found one.
>
> This is all quite normal and no problem at all. In all of my webbing years I have probably only gotten two or three virus infected e-mails. However, after visiting several newsgroups early in January of this year, I noticed a slow tide of virus infected e-mails that has recently turned into a torrent. At this rate I may have to pull this account altogether. I'd like to avoid this scenario, however, so I was wondering if anyone could shed some light on the root cause of my problem?
>
> Over the last month I have been instituting e-mail filters in an attempt to prevent the infected emails from being downloaded from my server altogether. I thought it would be simple enough to do as all of the infected e-mail notices came from a handful of sources and all contained similar messages. The sources seem to be from the various ISPs' own e-mail management systems and included addresses such as:
>
> -
> -
> -
> -
> - even Norton Antivirus's own E-mail Protection Program
>
> The names listed in the "From" field all contained terms such as Microsoft Internet Mail Storage System, Inet Mail Delivery Service, or the ever-ubiquitous "Administrator," and the message line would always be blank or say something like "user unknown."
>
> In the body of all of these e-mails there is usually a simple message always stating the same thing such as:
>
> "I'm afraid the message returned below could not be delivered to the following addresses:
> Undeliverable mail to "
>
> I've included the full return path of the latest such e-mail which had listed "Administrator" in the From field and "mail: user unknown" in the message field. The body of the letter stated:
>
> Undeliverable mail to
> Message follows:
>
> The e-mail usually has an attachment with the original infected e-mail.
>
> =============================================================
>
> Return-Path: <>
> Received: from prserv.net ([192.168.1.7]) by mta015.verizon.net
>   (InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP
>   id <20040219183211.XIMD6907.mta015.verizon.net@prserv.net>
>   for <>; Thu, 19 Feb 2004 12:32:11 -0600
> Received: from prserv.net (32.97.166.32) by sc009pub.verizon.net (MailPass SMTP server v1.1.1 - 121803235448JY) with ESMTP id <4-26778-35-26778-125958-1-1077315531> for mta015.verizon.net; Thu, 19 Feb 2004 12:32:12 -0600
> Date: Thu, 19 Feb 2004 18:31:50 +0000 (GMT)
> X-Comment: Sending client does not conform to RFC822 minimum requirements
> X-Comment: Date has been added by Maillennium.
> Received: from rbpgp (slip32-106-141-81.bar.es.prserv.net[32.106.141.81])
>   by attglobal.net (out2) with SMTP
>   id <2004021918313320206pca04e>; Thu, 19 Feb 2004 18:31:37 +0000
> FROM: "Administrator" <>
> TO: " " <>
> SUBJECT: mail: user unknown
> Mime-Version: 1.0
> Content-Type: multipart/alternative;
>   boundary="vylvuuh"
> Message-Id: <20040219183211.XIMD6907.mta015.verizon.net@prserv.net>
>
> =============================================================
>
> The thing that perplexes me about all of these e-mails is that they all seem to be messages from other systems' e-mail programs telling me that an e-mail that I was sending was for some reason undeliverable. Of course I have sent no such e-mail to any of the return addresses listed in the messages. I assumed that some program was sniffing the newsgroups I posted messages in and got my e-mail and started trying to replicate a virus infected message by sending it out to others using my return address, thus these various e-mail systems are sending this junk back to me. That's my theory anyway.
>
> The problem is that the volume of e-mail is increasing despite over fifteen e-mail filters that I've tried to establish (including a block sender list). Apparently these e-mail management systems are designed to alter the messages to avoid blocking as e-mail from the same systems (even blocked addresses) keep showing up again and again using slightly different wording in the From and Message fields, as well as in the message body.
>
> Seeing as how the block senders list and e-mail filters have been unsuccessful, I resorted to changing the email address that I have been using but today I found that two of my other e-mail addresses that I never use when visiting newsgroups and only use in business correspondence, have now also become infected with this virus problem. In other words I'm receiving virus e-mails on all three e-mail accounts now. At this point I don't know what to do. Is my only recourse to pull the entire Verizon account and never again venture into an online newsgroup such as this? Any suggestions would be very much appreciated. Thanks.
>
> David Bland

jim6538980

#2

You're talking out of your ass sir. The man HAS the virus. No amount of DEFENSE will remove it. Virus definitions that you import after an infection are rarely any good. The blended infection disables virus scans or continuously overwrites the def files with bogus versions of itself. Zone Alarm is a software solution and a resource hog. I would never recommend it as a viable defense. A hardware firewall (in addition to a router) is a solution. All your little Linksys router does is NAT and everybody knows the default IP address of the Linksys router is 192.168.1.1 and its DHCP scope is 192.168.1.100-200, so if you count on this as a solution I'm glad you aren't the one flipping my burgers. An ISP can only do so much to protect a subscriber. If you continue to click on banners and popups you will invite viruses regardless of what I do at the ISP level. The ONLY sure way to get a virus completely removed from your system is to wipe it and restore from a known good backup. Incidentally, I am not flaming you. You attacked me in your first line.

Jim Warner
Systems Administrator
Nebutel, Inc.
MCSE, MCSA, CCNA, A+, Net+

On Sun, 22 Feb 2004 12:30:46 GMT, Doug Scott <> wrote:

> Jim6538980,
>
> Well, I'm glad I don't use your ISP service.
>
> There is a minimum set of tools you need to be able to secure yourself, and two of them are an AV scanner and a firewall of some kind. My router provides a first level of protection because it restricts addresses available. Second line of defence is Zone Alarm, which has both inbound and outbound email protection by preventing executable files from being sent or executed. Third line of protection is the AV scanner.
>
> Changing your email address won't solve the problem for more than a few weeks/months. Strong defences will reduce it to a manageable level.
>
> ---
>
> Doug

jim6538980

#3

Hmmm, a Rumble In the Network Jungle! Thanks you guys. Your battle of ideas really helps!

--
David Bland

"Doug Scott" <> wrote in message news:...

> Jim6538980,
>
> > You're talking out of your ass sir.
>
> > Incidentally, I am not flaming you.
>
> Hmmm.
>
> I was actually reacting to the tone of your message, but we can't go on like this - it's counterproductive and not very pretty for anyone to read, so let's drop it, eh?
>
> > The man HAS the virus. No amount of DEFENSE will remove it.
>
> True. It has to be removed before the defense mechanisms can be implemented.
>
> > The blended infection disables virus scans or continuously overwrites the def files with bogus versions of itself.
>
> Also true of some viruses. With most viruses, though, even the lowly XP Home firewall will quieten the thing long enough for the user to log into an AV site and get it removed. Even the MS web site gives instructions on how to do it.
>
> > Zone Alarm is a software solution and a resource hog
>
> ANY software solution takes resources. ZA isn't nearly as bad, for instance, as NAV.
>
> > All your little Linksys router does is NAT and everybody knows the default IP address of the Linksys router is 192.168.1.1 and its DHCP scope is 192.168.1.100-200 so if you count on this as a solution I'm glad you aren't the one flipping my burgers.
>
> Well, without the router, I get probes every 10 seconds. With it, I hardly get them at all. NAT is an effective front line, IMHO.
>
> I don't count on any single weapon as a solution - that would be madness. But I certainly wouldn't agree that changing my Id every month or so is sustainable for anyone using the Net professionally.
>
> > An ISP can only do so much to protect a subscriber.
>
> Well, my ISP does nothing, and I'm content with that. I don't get any emails lost or friends' sites blacklisted.
>
> > The ONLY sure way to get a virus completely removed from your system is to wipe it and restore from a known good backup.
>
> Of course. My attention was upon the question: Then what?
>
> > MCSE, MCSA, CCNA, A+, Net+
>
> Fine. I've been using the Net for 18 years, and was involved in early network designs for 30 years. No certifications, though.
>
> ---
>
> Doug

David BlandIII

#4

You are right of course. My apologies to you sir. Your professionalism is commendable. Please forgive my tone. I watch this group regularly but rarely post. I recently started teaching an A+ course at a local private college. I hope that I can get ideas and topics here as well as contribute to the community. We're using the Thompson Course Technology, Course ILT (ISBN 0-619-20550-4). It seems to be okay, but a little drier than Meyers. Any thoughts?

On Sun, 22 Feb 2004 15:49:35 GMT, Doug Scott <> wrote:

> Jim6538980,
>
> > You're talking out of your ass sir.
>
> > Incidentally, I am not flaming you.
>
> Hmmm.
>
> I was actually reacting to the tone of your message, but we can't go on like this - it's counterproductive and not very pretty for anyone to read, so let's drop it, eh?

It's dropped

> > The man HAS the virus. No amount of DEFENSE will remove it.
>
> True. It has to be removed before the defense mechanisms can be implemented.
>
> > The blended infection disables virus scans or continuously overwrites the def files with bogus versions of itself.
>
> Also true of some viruses. With most viruses, though, even the lowly XP Home firewall will quieten the thing long enough for the user to log into an AV site and get it removed. Even the MS web site gives instructions on how to do it.
>
> > Zone Alarm is a software solution and a resource hog
>
> ANY software solution takes resources. ZA isn't nearly as bad, for instance, as NAV.
>
> > All your little Linksys router does is NAT and everybody knows the default IP address of the Linksys router is 192.168.1.1 and its DHCP scope is 192.168.1.100-200 so if you count on this as a solution I'm glad you aren't the one flipping my burgers.
>
> Well, without the router, I get probes every 10 seconds. With it, I hardly get them at all. NAT is an effective front line, IMHO.
>
> I don't count on any single weapon as a solution - that would be madness. But I certainly wouldn't agree that changing my Id every month or so is sustainable for anyone using the Net professionally.
>
> > An ISP can only do so much to protect a subscriber.
>
> Well, my ISP does nothing, and I'm content with that. I don't get any emails lost or friends' sites blacklisted.
>
> > The ONLY sure way to get a virus completely removed from your system is to wipe it and restore from a known good backup.
>
> Of course. My attention was upon the question: Then what?
>
> > MCSE, MCSA, CCNA, A+, Net+
>
> Fine. I've been using the Net for 18 years, and was involved in early network designs for 30 years. No certifications, though.
>
> ---
>
> Doug

jim6538980

#5

I apologize to you as well sir, for my outburst. Please forgive me. Mr. Scott is correct. Once you get rid of the viruses set up levels of defense. Router, firewall, AV software is a good strategy. Good luck.

On Sun, 22 Feb 2004 21:31:36 GMT, "David BlandIII" <> wrote:

> Hmmm, a Rumble In the Network Jungle! Thanks you guys. Your battle of ideas really helps!

jim6538980

#6

Doug,

I keep my NAV updated automatically with it sometimes updating itself on a weekly basis. As for the messages, none of the recipients are anyone I've ever heard of and none of the e-mails supposedly sent by me were to anyone in my address book. In fact I asked everyone in my mailing list if they received anything from me related to this matter and they hadn't. Many of the addresses to which these rejects were sent were seemingly gibberish. I really didn't get what was going on. For some strange reason, however, I noticed that the volume of e-mails has dropped significantly to around one or two a day now. The only change I have made was to create another primary e-mail address and to change the newsgroup account's e-mail address to my MSN account (which I don't use). Since doing that, I logged onto my MSN account (which I hardly ever use and which had had no virus e-mails) and yesterday there were 17 such e-mails from the various e-mail systems telling me that my virus infected e-mails were undeliverable - just like the ones I get on my main account. So apparently logging onto this newsgroup was the one and only causal factor. The odd thing is that, after changing my primary e-mail address on Verizon.net, I started getting virus reject emails to it also and I had not used it to send anything other than messages to the folks in my address book telling them of my new address!? So somehow it seems that this virus, once it got into my system from the newsgroups, somehow has the ability to latch itself onto any and all e-mail accounts listed in my computer. Like I said, this all started the day I visited this and two other newsgroups for the first time. And though I only had my primary e-mail address associated with my newsgroup account, I started getting those pesky virus e-mails on all three of my e-mail accounts. Just before I wrote my original note for help I was getting about 10 to 12 of these things a day. For some reason I now only get 1 to 2. Perhaps it'll stop altogether??????? I haven't a clue. Tomorrow I'm going to implement some of the suggestions I've received on here and see what happens. Thanks.

--
David Bland

"Doug Scott" <> wrote in message news:...

> David,
>
> > Hmmm, a Rumble In the Network Jungle! Thanks you guys. Your battle of ideas really helps!
>
> Well, if you've got a really destructive virus, it's going to be difficult to remove it, but things like KLEZ aren't that difficult.
>
> Firstly, is your copy of NAV up to date? If so, it's doubtful that you have the virus yourself, but someone has copied your Id and is sending messages on your behalf from another ISP. Although most mailer software uses the From: field without question, it doesn't actually reflect the sender's true identity. Your bounced mails will contain the original message, and you could check that they did indeed originate from gnilink.net. If not, the sending address has been spoofed. If so, you're probably sending it, and your copy of NAV is deficient.
>
> Either way, you're going to have to log in to somewhere like http://housecall.trendmicro.com/ and run the free scanner (other free scanners do exist - see Google). Sometimes simply removing the virus isn't enough because the registry is corrupt, so you might have to download other software to clean your machine up. But it'll only take an hour or so to scan your machine, and perhaps another half hour to clean the registry. And it's simple.
>
> If, as our friend suggests, you have the (rare) version which rewrites files as soon as you correct them, I can't say whether or not you'll know, except over time - the attacks won't stop. I've never had to remove one of those, so I can't give chapter and verse on that.
>
> If you have one, it's pretty benign - after all, your system is still functioning. In that case, it's probably a worm downloaded as an email attachment (Zone Alarm renames any executable attachment so that it can't execute without renaming it back to its original file name, which is a nice feature). ZA also prevents you sending more than 5 emails in 2 seconds, in order to stop outgoing bulk emails.
>
> But have a look at the rejections, and find out whether they originate from you. It's a bit of a pain, but e.g. my last rejection message carried the message "Undeliverable to ". Well, isn't in my address book, so I know it didn't originate from me, even though the From: field says it was, because the virus technique is to go through your address book and send messages out.
>
> ---
>
> Doug

David BlandIII
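Doug's check above, that a bounce carries the original message and its trace headers tell you where the mail really entered the network, can be done mechanically. The script below is an added example written for this page, not code from the thread or from any product named in it. It walks the Received: headers of a bounce from the newest hop back to the earliest and reports whether that earliest hop sits in the domains the reader's own mail would leave from (gnilink.net and verizon.net, taken from the thread; the `my_domains` parameter and the sample message are assumptions). The sample is a constructed message modelled on the bounce quoted in the first post, with placeholder addresses where the thread's copy had them stripped.

```python
"""Walk the Received: chain of a bounce to see where the original mail
really entered the network.  Added example; not from the thread."""
import email
import re

# Constructed sample, modelled on the bounce quoted in post #1.  Addresses
# are placeholders; the thread's copy had them stripped.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from prserv.net ([192.168.1.7]) by mta015.verizon.net
    (InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP
    id <20040219183211.XIMD6907.mta015.verizon.net@prserv.net>
    for <victim@example.invalid>; Thu, 19 Feb 2004 12:32:11 -0600
Received: from prserv.net (32.97.166.32) by sc009pub.verizon.net
    (MailPass SMTP server v1.1.1 - 121803235448JY) with ESMTP
    id <4-26778-35-26778-125958-1-1077315531>
    for mta015.verizon.net; Thu, 19 Feb 2004 12:32:12 -0600
Date: Thu, 19 Feb 2004 18:31:50 +0000 (GMT)
Received: from rbpgp (slip32-106-141-81.bar.es.prserv.net[32.106.141.81])
    by attglobal.net (out2) with SMTP
    id <2004021918313320206pca04e>; Thu, 19 Feb 2004 18:31:37 +0000
From: "Administrator" <postmaster@example.invalid>
To: "victim" <victim@example.invalid>
Subject: mail: user unknown

Undeliverable mail to nobody@example.invalid
Message follows:
"""

# "from <helo> (<reverse-dns>[<ip>]) by <receiver>" is the trace-field
# shape from RFC 2821; the parenthesised part is optional and free-form.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<info>[^)]*)\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
RDNS_RE = re.compile(r"\s*([A-Za-z0-9.-]+)\s*\[")


def parse_hops(raw_message):
    """Return one dict per Received: header, most recent hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(header.split())          # unfold the header
        m = HOP_RE.search(text)
        if not m:
            continue                              # non-standard trace line
        info = m.group("info") or ""
        ip = IP_RE.search(info)
        rdns = RDNS_RE.match(info)
        hops.append({
            "helo": m.group("helo"),
            "rdns": rdns.group(1) if rdns else None,
            "ip": ip.group(0) if ip else None,
            "by": m.group("by"),
        })
    return hops


def in_domains(name, domains):
    return name is not None and any(
        name == d or name.endswith("." + d) for d in domains)


def sent_from_my_network(hops, my_domains):
    """True when the earliest hop (the last Received: header) names one of
    my_domains, i.e. the mail plausibly left my ISP.  Only headers stamped
    by servers you trust are reliable; anything below them can be forged,
    so False is strong evidence of spoofing while True is weaker."""
    if not hops:
        return None
    origin = hops[-1]
    return (in_domains(origin["rdns"], my_domains)
            or in_domains(origin["helo"], my_domains))


def report(raw_message, my_domains=("gnilink.net", "verizon.net")):
    hops = parse_hops(raw_message)
    for i, hop in enumerate(reversed(hops), 1):
        print(f"hop {i}: {hop['helo']} ({hop['rdns'] or '-'} "
              f"{hop['ip'] or '-'}) -> {hop['by']}")
    verdict = sent_from_my_network(hops, my_domains)
    print("origin in my domains:", verdict)
    return verdict


if __name__ == "__main__":
    report(SAMPLE_BOUNCE)
```

For the sample the earliest hop is a dial-up host under prserv.net handing the mail to attglobal.net, not anything under the reader's own domains, which is the "spoofed From:" case Doug describes rather than an infected machine of the reader's own.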

#7

Doug, thanks for that 'lil bit of help

I really liked the part about receiving viruses and spam forever!

--
David Bland

"Doug Scott" <> wrote in message news:...

> David,
>
> > I keep my NAV updated automatically with it sometimes updating itself on a weekly basis.
>
> OK then any virus you had would have to be less than a week old, and you'd just be unlucky.
>
> > As for the messages, none of the recipients are anyone I've ever heard of and none of the e-mails supposedly sent by me were to anyone in my address book.
>
> OK. So you don't have a virus.
>
> I don't know if you've noticed that among the hundreds of spam messages are included offers for a million email addresses. The way they collect such lists is simply to run down the newsgroups every day and pick them up from the postings. That means that the very day you post to a newsgroup, your name will be harvested.
>
> Names are then inserted in both the To: and From: addresses. I used to have a whitelist entry for my own Id, until I found that lots of emails started appearing suddenly from me, so I had to add extra filtering. One guy I know, for instance, won't accept any emails unless they've got a particular pattern of characters embedded in the email (e.g. "D.a.v.i.d"). Anything without that is deleted.
>
> I use that, but I also use POPfile to filter out spam by contents. POPfile's learning algorithm depends on me rejecting messages, and the word pattern within the messages is then stored for later reference. A subsequent message with similar word pattern ("FREE!!!", "EARN EXTRA" etc) will be assigned to the same category as the first.
>
> Because POPfile works on the contents of a message, it's also highly effective at recognising viruses. Virtually any message with an attachment is suspect, because I hardly ever get proper messages with executable attachments, so that simple fact is enough to qualify a message as a virus. I use POPfile to modify the header of the message with its classification ("virus"), and my email reader ignores headers with "virus" in the header. So I never get to see them. The beauty of the POPfile approach (called "Bayesian filtering") is that it's not the meaning of the words that counts; just its appearance in a message which I deem to be within a certain category. "Microsoft", for instance, has an 8% probability of appearing in a personal message, and a 43% probability of appearing in a virus. By totalling all the probabilities of all the words in a message, POPfile will automatically classify the message for me - and it does a great job - 99% accurate, as at today.
>
> Hmmm. I seem to have run on a bit.
>
> - You don't have a virus.
> - Your name has been added to the list of valid email addresses, and thus you will receive spam and viruses forever.
> - I suggest POPfile to sort the wheat from the chaff (there are other Bayesian filtering programs).
>
> By using POPfile, you won't be bothered nearly as much by spam. The down side is that you need to log in to POPfile (via Internet Explorer, locally on your machine) to verify its classifications. Since you can verify them simply by looking at the header and From: fields, it's quick.
>
> That's all, really.
>
> ---
>
> Doug

David BlandIII
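Doug's description of how POPfile sorts mail, per-word probabilities learned from messages the user has already sorted into buckets and then "totalled" over a new message, is a naive Bayes classifier. The following is an added example written for this page to show that mechanism end to end; it is not POPfile's code, and the training messages are constructed (bounce-style virus notices in the wording of the thread versus ordinary personal mail), as is the classification header name. It goes slightly beyond the post in one respect: it sums log probabilities with add-one smoothing, which is how a practical implementation avoids underflow and avoids a single unseen word vetoing a bucket.

```python
"""Toy naive-Bayes mail classifier in the style of POPfile's buckets.
Added example for this page; not POPfile's own code."""
import math
import re
from collections import Counter, defaultdict

TOKEN_RE = re.compile(r"[a-z0-9$!']+")


def tokenize(text):
    """Lower-case words; punctuation spam leans on ($, !) is kept."""
    return TOKEN_RE.findall(text.lower())


class BayesFilter:
    def __init__(self):
        self.word_counts = defaultdict(Counter)   # bucket -> word -> count
        self.token_totals = Counter()             # bucket -> tokens seen
        self.doc_counts = Counter()               # bucket -> messages seen
        self.vocab = set()

    def train(self, bucket, text):
        """Record a message the user has filed into `bucket`."""
        tokens = tokenize(text)
        self.word_counts[bucket].update(tokens)
        self.token_totals[bucket] += len(tokens)
        self.doc_counts[bucket] += 1
        self.vocab.update(tokens)

    def word_probability(self, word, bucket):
        """P(word | bucket), add-one smoothed so a word never seen in a
        bucket lowers that bucket's score instead of zeroing it."""
        return (self.word_counts[bucket][word] + 1) / (
            self.token_totals[bucket] + len(self.vocab))

    def scores(self, text):
        """Per-bucket log score: prior plus the summed log word
        probabilities (the 'totalling' in the post, done in log space)."""
        total_docs = sum(self.doc_counts.values())
        result = {}
        for bucket in self.doc_counts:
            logp = math.log(self.doc_counts[bucket] / total_docs)
            for word in tokenize(text):
                logp += math.log(self.word_probability(word, bucket))
            result[bucket] = logp
        return result

    def classify(self, text):
        scores = self.scores(text)
        return max(scores, key=scores.get)


def tag_message(raw_message, bucket):
    """Prepend a classification header the mail reader can filter on.
    The header name here is illustrative, not necessarily POPfile's."""
    return f"X-Text-Classification: {bucket}\n{raw_message}"


def build_demo_filter():
    """Train on constructed messages: bounce-style virus notices in the
    wording quoted in the thread versus ordinary personal mail."""
    f = BayesFilter()
    virus_samples = [
        "Undeliverable mail to user unknown. Message follows. See attachment.",
        "I'm afraid the message returned below could not be delivered. "
        "Attachment: original message.",
        "Mail Storage System: your message could not be delivered, "
        "see attached file.",
        "Administrator: user unknown, returned mail, original message attached.",
    ]
    personal_samples = [
        "Hi Dave, are we still on for lunch Thursday?",
        "Thanks for the photos from the weekend, see you soon.",
        "Can you send me the notes from class tomorrow?",
        "Meeting moved to Friday afternoon, let me know if that works.",
    ]
    for text in virus_samples:
        f.train("virus", text)
    for text in personal_samples:
        f.train("personal", text)
    return f


if __name__ == "__main__":
    demo = build_demo_filter()
    for msg in ("Undeliverable mail to someone: user unknown. "
                "Message follows as attachment.",
                "Lunch on Thursday still on? See you soon!"):
        print(demo.classify(msg), "<-", msg)
```

Two points the post makes show up directly in the code: `word_probability` is the per-word figure Doug quotes for "Microsoft" in each bucket, computed from counts rather than hard-coded, and because `classify` only compares scores across buckets, the classifier learns whatever wording the bounces happen to use, which is why it keeps working when the senders vary the From: and Subject: text that a fixed block list keys on.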

#8

David,

This link will tell you what is targeting you. http://

There are still thousands of infected systems out there. Start using another mail account. Don't include the new address in Usenet posts. Either set up a fake as someone suggested, use a totally bogus address (don't be surprised if it turns out to be somebody's actual address and they send you a furious email) or something complicated; as someone pointed out, simple ones no longer seem to fool the address harvesting bots. You need something more, like , and then an instruction to the reader to remove the knots bots and nots and the 111ab if they want to email you.

I have one (yahoo) mail acct that gets the same viruses you're getting. It fills up in a day and a half. I wasted some time telling yahoo they ought to filter it, then just wrote off the account: once Swen infected systems get hold of an address, you'll get the same virus with different headers, as the gentleman said, forever.

good luck,
Mike

"David BlandIII" <> wrote in message news:ado_b.68051$...

> Doug, thanks for that 'lil bit of help
>
> I really liked the part about receiving viruses and spam forever!
>
> --
> David Bland
>
> "Doug Scott" <> wrote in message news:...
>
> > David,
> >
> > > I keep my NAV updated automatically with it sometimes updating itself on a weekly basis.
> >
> > OK then any virus you had would have to be less than a week old, and you'd just be unlucky.
> >
> > > As for the messages, none of the recipients are anyone I've ever heard of and none of the e-mails supposedly sent by me were to anyone in my address book.
> >
> > OK. So you don't have a virus.
> >
> > I don't know if you've noticed that among the hundreds of spam messages are included offers for a million email addresses. The way they collect such lists is simply to run down the newsgroups every day and pick them up from the postings. That means that the very day you post to a newsgroup, your name will be harvested.
> >
> > Names are then inserted in both the To: and From: addresses. I used to have a whitelist entry for my own Id, until I found that lots of emails started appearing suddenly from me, so I had to add extra filtering. One guy I know, for instance, won't accept any emails unless they've got a particular pattern of characters embedded in the email (e.g. "D.a.v.i.d"). Anything without that is deleted.
> >
> > I use that, but I also use POPfile to filter out spam by contents. POPfile's learning algorithm depends on me rejecting messages, and the word pattern within the messages is then stored for later reference. A subsequent message with similar word pattern ("FREE!!!", "EARN EXTRA" etc) will be assigned to the same category as the first.
> >
> > Because POPfile works on the contents of a message, it's also highly effective at recognising viruses. Virtually any message with an attachment is suspect, because I hardly ever get proper messages with executable attachments, so that simple fact is enough to qualify a message as a virus. I use POPfile to modify the header of the message with its classification ("virus"), and my email reader ignores headers with "virus" in the header. So I never get to see them. The beauty of the POPfile approach (called "Bayesian filtering") is that it's not the meaning of the words that counts; just its appearance in a message which I deem to be within a certain category. "Microsoft", for instance, has an 8% probability of appearing in a personal message, and a 43% probability of appearing in a virus. By totalling all the probabilities of all the words in a message, POPfile will automatically classify the message for me - and it does a great job - 99% accurate, as at today.
> >
> > Hmmm. I seem to have run on a bit.
> >
> > - You don't have a virus.
> > - Your name has been added to the list of valid email addresses, and thus you will receive spam and viruses forever.
> > - I suggest POPfile to sort the wheat from the chaff (there are other Bayesian filtering programs).
> >
> > By using POPfile, you won't be bothered nearly as much by spam. The down side is that you need to log in to POPfile (via Internet Explorer, locally on your machine) to verify its classifications. Since you can verify them simply by looking at the header and From: fields, it's quick.
> >
> > That's all, really.
> >
> > ---
> >
> > Doug

MF