VIRUS ALERT

Post by Bradster »

Over the past two days, I have received two unusual e-mails from "ucsoft <ucsoft@gmx.net>" and "trickster <trickster@armadauniverse.com>" with the titles "End Nedstat Basic code" and "Install and Uninstall" respectively. After checking the headers of these e-mails, I found that they both originated from the BTI Internet network, specifically from:

Return-Path: <philmein@btinternet.com>

I also received e-mails from Andy Thomas and Matthew Darcy saying that they had each gotten a similar e-mail with an attachment, but that had originated from my e-mail address.

Most likely, someone (probably philmein) is using a PC that is infected with a virus which is spamming out these messages and spoofing the headers to make them appear to come from different sources.

I would STRONGLY recommend that everyone update your virus definitions and run the latest virus-protection software. I am usually very protective of my e-mail address and do not want it being spread around the internet on a virus.

Also, here are the received paths from the two messages I received. They may be of some use for tracking down this guy:

Received: from smtpin04-en2.mac.com ([10.13.10.149]) by ms04.mac.com (Netscape Messaging Server 4.15) with ESMTP id H6NTID00.JS9 for <bradster@mac.com>; Thu, 5 Dec 2002 10:47:01 -0800
Received: from carbon.btinternet.com (carbon.btinternet.com [194.73.73.92]) by smtpin04-en2.mac.com (8.12.3/MantshX 2.0) with ESMTP id gB5IkvHq000564 for <bradster@mac.com>; Thu, 5 Dec 2002 10:46:57 -0800 (PST)
Received: from host213-120-137-111.in-addr.btopenworld.com ([213.120.137.111] helo=Tsfyvgfgo) by carbon.btinternet.com with smtp (Exim 3.22 #16) id 18K0zx-0000I6-00 for bradster@mac.com; Thu, 05 Dec 2002 18:45:21 +0000

Received: from smtpin01-en2.mac.com ([10.13.10.146]) by ms04.mac.com (Netscape Messaging Server 4.15) with ESMTP id H6MDP100.N8Y for <bradster@mac.com>; Wed, 4 Dec 2002 16:07:49 -0800
Received: from rhenium (rhenium.btinternet.com [194.73.73.93]) by smtpin01-en2.mac.com (8.12.3/MantshX 2.0) with ESMTP id gB507jF0003957 for <bradster@mac.com>; Wed, 4 Dec 2002 16:07:46 -0800 (PST)
Received: from host62-7-99-204.in-addr.btopenworld.com ([62.7.99.204] helo=Fzf) by rhenium with smtp (Exim 3.22 #16) id 18JjXx-0000bO-00 for bradster@mac.com; Thu, 05 Dec 2002 00:07:17 +0000

Post by Bradster »

Update: The attachments have both been identified as viruses. Specifically, it is the Exploit-MIME.gen.exe virus.

Post by Bradster »

I got three more messages in my mailbox yesterday, this time with the W32.Klez.H@mm virus. All three have the same return path to philmein@btinternet.com, but have spoofed headers to appear to come from our own Matt Darcy and two others I've never seen.

I'm sending an e-mail to philmein immediately to notify him. This needs to stop. Does anyone here recognize that name?

Post by Bradster »

In case anyone is interested, here is the message I sent to philmein. In case you have not dealt with viruses before, I would strongly recommend you read this too:

Quote

Hi Phil, (It is Phil, right? I'll explain below.)

I'm Brad Smith (Bradster) from Andy Thomas's Star Fleet X-Bomber forums at "http://www.sfxb.co.uk/cgi-bin/ikonboard/ikonboard.cgi". I don't know who you are, but apparently your computer is infected with both the W32.Klez.H@mm virus AND the Exploit-MIME.gen.exe virus. They are sending copies of themselves to everyone in your address book (I think) and forging the e-mail headers to appear to come from other people.

I know that at least two other people on Andy's Star Fleet forums have received your viruses. They both later contacted me because the headers were faked with my own e-mail address. I myself have gotten FIVE e-mails with viruses attached. How do I know they are all actually from you if the headers are forged from different sources? There is one header that is the same on them all:

Return-Path: <philmein@btinternet.com>

Also, the message id and received path headers that are added by the mail servers give a source originating from somewhere on the BTI Internet network.

What do you do now? Well, you NEED to buy some virus software IMMEDIATELY, download any updated virus definitions, and run the scan AS SOON AS POSSIBLE. Stay OFFLINE and do NOT run your e-mail software until your computer has been cleaned. Otherwise, you could continue to spread the viruses. I recommend McAfee's VirusScan (it detected all five viruses I've gotten from you) but Norton AntiVirus should work well also. Once you have cleaned and repaired your own computers, you need to send a message like this to anyone in your e-mail address books and notify them that you have been spreading viruses for the past several days and that they too need to IMMEDIATELY scan for viruses. Tell them that if they do find a virus that they need to contact everyone in their address book, tell them about the virus, and have them scan. The cycle repeats. Get it?

Fortunately, the virus has done no damage to me. I have a Mac and the Mac OS is naturally immune to any and all Windows viruses. I can't be so confident about the security of anyone else that may have gotten. Andy was able to catch it because he just has a good eye and noticed something suspicious. Matt Darcy also got a copy of it, but I still haven't heard back from him if things are okay.

What can you do to prevent this kind of problem? First of all, if you use it, stop using Microsoft Outlook or Outlook Express for your e-mail. In case you don't already know, Microsoft's products are peppered with a hundred different security flaws. Just about ANY other e-mail client would be safer. Second, once you have installed some virus-scanning software, set it to automatically check all e-mails and all internet downloads. This may be a slight nuisance to wait for a scan each time, but the ends more than justify the means. It is worth a minor delay if it means protecting yourself and all your friends and colleagues from these destructive viruses. Third, be sure your virus software is set to automatically check for updated virus definitions at least once a week. That will enable it to detect new viruses when they appear. Lastly, never open e-mail attachments that don't have a clear explanation as to what they are or if they come from someone you don't know. As in this case, viruses can spread by appearing to come from people you already know, but in each example there is almost no explanation or text in the message body. That is a clear sign of an attached virus.

Thank you very much for your cooperation in this matter. I hope we can have this problem resolved as soon as possible. I'm sure Andy Thomas and everyone else would be very happy to hear from you after you have scanned your computer so that we will know that the source has been eliminated.

Sincerely,
Brad Smith

Hopefully I'll hear back from him this weekend. I'll keep you all posted.

Post by Bradster »

Another update... My e-mail to "philmein" has bounced. I just got the following message:

Quote

**********************************************
**        THIS IS A WARNING MESSAGE ONLY    **
**  YOU DO NOT NEED TO RESEND YOUR MESSAGE  **
**********************************************

The original message was received at Sat, 7 Dec 2002 04:43:33 -0800 (PST)
from asmtp01-qfe3 [10.13.10.65]

----- Transcript of session follows -----
<philmein@btiinternet.com>... Deferred: Connection refused by mail.btiinternet.com.
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old

Reporting-MTA: dns; smtpout.mac.com
Arrival-Date: Sat, 7 Dec 2002 04:43:33 -0800 (PST)

Final-Recipient: RFC822; philmein@btiinternet.com
Action: delayed
Status: 4.4.1
Remote-MTA: DNS; mail.btiinternet.com
Last-Attempt-Date: Sat, 7 Dec 2002 08:44:27 -0800 (PST)
Will-Retry-Until: Thu, 12 Dec 2002 04:43:33 -0800 (PST)

So, I'm wondering if his mailbox is full on the server and my message is being delayed until he clears it out.

Damnit.

Post by Crash »

Hey there Brad, there's some goofed up s*** goin on here at my end too.

I too got an email from trickster@armadauniverse.com - 07/12/02 - 10:57 AM. It has nothing in it except for some really freaky little code in its html script - except I'm not at all sure it is html.

Right, well subsequently I've had reports from a SFXB user who says my PC seems to be firing off "viruses" of some sort to other peoples' machines using my email.

Subsequently I have had a number of emails, from people I have never heard of and certainly aren't in my Outlook contacts, containing the following:

"Hello,
This is a very funny game
This game is my first work.
You're the first player.
I expect you would enjoy it."

AND

"Hi,
This is a special funny game
This game is my first work.
You're the first player.
I wish you would enjoy it."

All of which is pretty #### scary actually, especially since it took an absolutely brand new update of Norton AV to pick up some little buggers that have taken up residence in my "Temp Internet" stuff folder. They are: JS.Seeker viruses, two of them, hiding in .jpg files, and are extremely primitive in terms of inbuilt defensive systems and seem to cause no harm otherwise - they may be unrelated but... what's going on?

I swear I'm gonna kill this joker at "armadauniverse" if I'm not absolutely ecstatic with his response to my email.
Dream big and bold and daring.

Post by Bradster »

Before you start sending messages in reply to the original e-mail, remember that these viruses are spoofing/forging the headers and making the messages appear to come from someone else. For example, I suspect that the guy at armadauniverse is not the original sender of your e-mail. Remember, Andy and Matt both said they got e-mails from me. That simply is not possible.

So far, the e-mails I have received appear to come from these names:

ucsoft <ucsoft@gmx.net>
trickster <trickster@armadauniverse.com>
matthew <matthew@darcy.demon.co.uk>
deaks <deaks@bscs.freeserve.co.uk>
doccymorton <doccymorton@talk21.com>
nick <nick@morris.vscotland.org.uk>
jon <jon@valcato.net>

BUT all of them have that same return path to "philmein@btinternet.com". The return path is what the actual mail servers add into the message's headers to really identify the original sender. That means that NONE of those people listed above are actually sending these e-mails; rather, this philmein@btiinternet.com is sending them.

Your e-mail client should have the ability to view/display all/extra/other headers in an e-mail message. I suggest you enable this option and look for the Return-path field. I'll bet that it doesn't match the From field, meaning that the guy at armadauniverse really didn't send it.

For what it's worth, five of my messages had the virus embedded in a jpeg file. Three others had the virus in a script named as an html file.

(Edited by Bradster at 8:13 pm on Dec. 7, 2002)
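
The check described in this post and the header chains quoted in the first post can be done mechanically. The script below is an added example, not something posted in the thread: it parses a message constructed from the headers quoted above, compares the From address with Return-Path (the SMTP envelope sender as recorded by the receiving server), and walks the Received chain to the earliest hop, which is stamped by a relay outside the sending machine's control and is therefore a better guide to origin than the From line. Field names in the returned dictionary and the `helo_is_hostname` heuristic are the example's own choices.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted earlier in this thread;
# continuation lines start with a tab, as folded headers do on the wire.
SAMPLE = """Return-Path: <philmein@btinternet.com>
Received: from carbon.btinternet.com (carbon.btinternet.com [194.73.73.92])
\tby smtpin04-en2.mac.com (8.12.3/MantshX 2.0) with ESMTP id gB5IkvHq000564
\tfor <bradster@mac.com>; Thu, 5 Dec 2002 10:46:57 -0800 (PST)
Received: from host213-120-137-111.in-addr.btopenworld.com
\t([213.120.137.111] helo=Tsfyvgfgo) by carbon.btinternet.com
\twith smtp (Exim 3.22 #16) id 18K0zx-0000I6-00
\tfor bradster@mac.com; Thu, 05 Dec 2002 18:45:21 +0000
From: trickster <trickster@armadauniverse.com>
To: bradster@mac.com
Subject: Install and Uninstall

"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)

def parse_hops(msg):
    """Received hops in delivery order: each relay prepends its own line,
    so the last Received header in the message is the first hop."""
    hops = []
    for raw in reversed(msg.get_all("Received") or []):
        text = " ".join(str(raw).split())  # unfold and normalise whitespace
        m = HOP_RE.search(text)
        if not m:
            continue
        host, inside, relay = m.groups()
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", inside)
        helo = re.search(r"helo=(\S+)", inside)
        hops.append({"from": host, "ip": ip.group(1) if ip else None,
                     "helo": helo.group(1) if helo else None, "by": relay})
    return hops

def analyze(raw):
    """Compare the visible From address with the envelope sender; locate the first hop."""
    msg = message_from_string(raw, policy=policy.default)
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    origin = (parse_hops(msg) or [{}])[0]
    helo = origin.get("helo")
    return {"return_path": return_path, "from": from_addr,
            "from_matches_return_path": from_addr == return_path,
            "origin_host": origin.get("from"), "origin_ip": origin.get("ip"),
            # a HELO name without a dot is not a hostname; mass-mailers often send junk here
            "helo_is_hostname": bool(helo and "." in helo)}
```

Run `analyze(SAMPLE)` on the constructed message: the From address does not match the envelope sender, the first hop is a btopenworld.com dial-up host, and the HELO string is not a hostname, which is the pattern this post describes.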

Post by Crash »

Yes, good shooting. A surprising number of those addresses have made themselves known to me too in the last day or so, although I have no clue who they are, as well as this gent:

a2maps [a2maps@strategyplanet.com]

Well my friend 'ugly' Norton has wiped out all resistance at my end so it's officially not my fault from now on! :-)

I absolutely agree. I'm now quite sure trickster is just as innocent in this as we are, but it seems to be targeting a disproportionate number of us X-Bomberers. It's absolutely mad - it oughtta be on the news.
Dream big and bold and daring.

Post by AndyThomas »

I get a lot of these attempts through on an almost daily basis - and the "I hope you would enjoy/like" tag-line is a classic for emails that contain .bat files and the like. The virus generates the message from a number of options so it's never quite the same. Of course, you're most likely to activate it if it seems to come from someone you know. If you can, I'd disable the display of graphics in Outlook by default - Pegasus Mail doesn't do it so I think I see far fewer problems as a result.

BTW, Brad - I think you have an extra "i" in the address you used to email Philmein judging by the rejection email - it might be worth correcting it and having another crack at him?
Andy Thomas - SFXB Webmaster and Forum Moderator

Post by Bradster »

Bah! You were right, Andy. I did have an extra 'i' in btinternet. Thanks! I just re-sent it to the correct address. Here's hoping he gets it tonight or tomorrow...