The addresses are all spoofed. The "From" address isn't really who it's from. The worm looks for email addresses on the infected PC and picks two: one becomes the "From" and one becomes the "To". Your email address and the "sender" address just happened to both be on the infected PC somewhere.
Posting email addresses does absolutely nothing to help. You need to view the header information to see where it actually came from. In Mozilla-based mail programs, press Ctrl+U. In Outlook Express, I think it's Ctrl+F3. In Outlook (part of MS Office) open the message up and then go to Options (under the View menu maybe?) - the headers will be in a little box at the bottom of the window.
Now that you're looking at the headers, you can find out where it came from. The beginning will look something like this:
From - Fri Mar 05 18:31:02 2004
X-UIDL: UID4732-1070125090
Return-path: <privacy@weatherbug.com>
Envelope-to: invisibill@invisibill.net
Delivery-date: Fri, 05 Mar 2004 11:51:35 -0800
Received: from [151.199.49.197] (helo=invisibill.net)
    by mx.mailix.net with esmtp (Exim 4.24-NY)
    id 1AzLM3-0004tf-63
    for invisibill@invisibill.net; Fri, 05 Mar 2004 11:51:31 -0800
From: privacy@weatherbug.com
To: invisibill@invisibill.net
Date: Fri, 5 Mar 2004 14:45:39 -0500
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <E1AzLM3-0004tf-63@mx.mailix.net>
X-SA-Exim-Mail-From: privacy@weatherbug.com
Subject: Re: Your text
The line "Received: from [151.199.49.197] (helo=invisibill.net)" is the part we want to look at. This is the machine that connected to my mail server (mx.mailix.net) and handed it the mail. The "helo=" part is the name the connecting machine announced in its SMTP HELO command. That name is self-reported, so a worm can put anything there. The Netsky worm uses the domain of the To address (mine in this case) to build the HELO name - that line is saying that the mail is coming from invisibill.net. However, my mail server isn't named invisibill.net - it simply copied the last part of my address. The IP address there is real though - that's the IP address that connected to my mail server to deliver the mail, and the receiving server writes it down itself. IP address 151.199.49.197 is infected with the Netsky virus. Using the -a switch with the ping command (on Windows) tells it to look up the IP's name via reverse DNS:
ping -a 151.199.49.197
returns pool-151-199-49-197.bos.east.verizon.net. The infected PC is using Verizon for internet access. (This one may or may not be a SyTy-er, it's just the first virus mail that I pulled out for an example.) Note that Netsky says the email is from the server of the To address. Other worms say they're from the server of the From address, which is more realistic.
http://www.invisibill.net/ipcheck.php is the easiest way to check your own IP. It's a script on my server that simply spits out the IP address that connected to the web server. It doesn't do any ha><0ring to your computer or anything, it just shows where the connection came from. If your IP matches the sender IP from one of these emails, you have the worm on your PC.
http://pctech.invisibill.net/virusinfo.html is a little old, but it's got links to update pages for most popular virus scanners.
http://www.free-av.com/ and http://www.grisoft.com/us/us_dwnl_free.php are both free AV programs. If you don't already have one, get one of these.
http://housecall.trendmicro.com/housecall/start_corp.asp,
http://www.pandasoftware.com/activescan/, and
http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym are all free online scanners - they won't keep you from getting new viruses, but they can be used to scan your computer if you don't have an AV program yet, or you think a virus may be disabling your installed AV scanner (yes, some try to do that).
Going back to the email header stuff, anything containing "Received: from invisibill.net" or "(helo=invisibill.net)" can be safely discarded immediately. Due to my hosting plan, my mail server is not named invisibill.net. The invisibill.net domain doesn't contain any mail servers. It's impossible for a valid mail to come from a server named invisibill.net. That's my address, but the server itself is not named invisibill.net - don't just delete anything containing invisibill.net (it will appear in the To line of every legitimate mail sent to me), but if you have those lines in the Received headers, they're saying that the email came from a server with that name (which simply isn't possible).