
Virus email

Status
Not open for further replies.

Ed30

DNF Addict
Legacy Exclusive Member
Joined
Aug 13, 2002
Messages
3,675
Reaction score
0
Hi,

I have a slight problem and I'm hoping you can give me some advice.

Someone has gotten my email address (probably from whois) and has sent out emails in my name containing a computer virus.
Is there any way of tracing the IP address of the b*stard who has done this? This is what I have just received:

From: edxxxxxxxx [SMTP:[email protected]]
To: <unknown>
Date: Mon, Feb 17 2003, 9:21:13 AM
Subject: Dclkpufocus


The message contained 1 virus(es):

onload.pif infected with the xxxxxxxx virus
- - -


An email message you have recently sent may have contained a virus. Please
check your system, or contact someone to help you.
.
 

cyphix

Level 9
Legacy Platinum Member
Joined
Jan 20, 2003
Messages
3,609
Reaction score
1
Sometimes it can be hard because a lot use fake aliases... but you need to look deeply into your headers & then do some traceroutes & such.
 

Ed30

DNF Addict
Legacy Exclusive Member
Joined
Aug 13, 2002
Messages
3,675
Reaction score
0
What's a traceroute?
 

mole

Guest
Were you forwarded this mail example from someone, ed? If so, your ISP probably caught the infected email that "someone" sent and autoreplied to him/her on your behalf.

Nothing to worry about, imo.
 

Ed30

DNF Addict
Legacy Exclusive Member
Joined
Aug 13, 2002
Messages
3,675
Reaction score
0
Mole - it was sent from: Nemx Power Tools for MS Exchange Server_JUDGESTAR_1<[email protected]>

Nemx looks like a virus blocker to me.
 

DomainPairs

Level 8
Legacy Gold Member
Joined
Oct 5, 2002
Messages
1,370
Reaction score
0
There is nothing you can do about it, unless you want to spend a lot of time trying to get access to an isp log. Most viruses now have their own smtp servers and lie about everything. Writing to a person and saying that they sent you a virus just because their addy is in the envelope just makes you look as if you don't understand email and computers.

If you post the name of the virus, I'll tell you what to look for in the registry if you are worried about it being in your pc.

There are lots of simple tests you can do. I wrote a bit about it ages ago, and you can see it on this page.

http://www.computerthreats.com/virus/mancheck.html
 

WildCard

Level 5
Legacy Platinum Member
Joined
Oct 27, 2002
Messages
340
Reaction score
0
I think it was the Klez virus that takes an email address off the newly virused computer and sends the new virused emails out using that 3rd party email address.

Example: my computer is virused with this type of virus - it sends out emails to everyone in my address book using a random email address from my address book as the sent-from. You get one of these emails because you were in my address book. It may look like Ed30's email contact info or whomever's the virus decided to glean.

I've heard rumors about viruses that find a random email address from your inbox, but that seems pretty intense.

-WC-

PS: Just don't worry about it. If anyone complains to you, just tell them to delete it or forward it to you with the headers or something.
 

.com.net.org

Level 8
Legacy Platinum Member
Joined
Oct 20, 2002
Messages
1,951
Reaction score
0
Always use Anti-Virus and update it often.
 

Ed30

DNF Addict
Legacy Exclusive Member
Joined
Aug 13, 2002
Messages
3,675
Reaction score
0
Thanks for all your help.
 

DomainPairs

Level 8
Legacy Gold Member
Joined
Oct 5, 2002
Messages
1,370
Reaction score
0
Klez comes with Elkern. The first thing that Elkern does is to try to disable your AV software. When Klez is installed it trawls a variety of places looking for email addys; these include your stored emails, your address books, temporary internet files and My Documents. It constructs a message either from a document in your My Documents directory or your mail boxes. It uses addresses from its trawl as the reply-to and return addys in the envelope, and of course for the send-to addy. It sends mail from your computer via its own SMTP server directly out through port 25. It does not use your mail program and therefore bypasses some outgoing virus scans. Just to make it even more interesting, it is polymorphic (comes in various bits, and builds itself when it gets to you).

More recent viruses are more sophisticated :D
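Two posts above point the same way: cyphix says to look deeply into the headers, and DomainPairs explains that Klez-style worms run their own SMTP engine and lie about everything in the envelope. The defender's check that follows from both is to ignore the From: line and walk the Received: chain instead, trusting only the hops written by relays you control. The script below is an added example, not something posted in this thread; the message, hostnames and IP addresses in it are constructed placeholders, and the "trusted relay" list is an assumption you would fill in with your own mail servers.

```python
"""Walk the Received: chain of a suspicious message to find the host that
actually handed it in, instead of trusting the (spoofed) From: line.

Added example, not from the forum thread. All addresses, hostnames and IPs
below are constructed placeholders in reserved documentation ranges."""
import email
import re
from email.utils import parseaddr

# Constructed sample: the From: is a harvested third-party address, while the
# earliest Received: hop shows a dial-up host speaking SMTP directly (the
# behaviour the thread describes for Klez: own SMTP engine, straight to port 25).
SAMPLE = """\
Received: from mx1.example-isp.invalid (mx1.example-isp.invalid [192.0.2.10])
    by mail.recipient.invalid with ESMTP id abc123; Mon, 17 Feb 2003 09:21:13 -0500
Received: from Ltdt (pool-203-0-113-45.dialup.invalid [203.0.113.45])
    by mx1.example-isp.invalid with SMTP id xyz789; Mon, 17 Feb 2003 09:21:05 -0500
From: edxxxxxxxx <ed@example-domain.invalid>
To: victim@recipient.invalid
Subject: Dclkpufocus
Content-Type: text/plain

(message body omitted)
"""

# Assumed: the relays we operate or trust, matched by hostname suffix.
TRUSTED_RELAY_SUFFIXES = ("recipient.invalid", "example-isp.invalid")

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(msg_text):
    """Return one dict per Received: header, most recent hop first.
    Each dict holds the HELO name the peer announced, the IP the relay
    recorded in brackets (if any), and the relay that wrote the line."""
    msg = email.message_from_string(msg_text)
    hops = []
    for raw in msg.get_all("Received", []):
        line = re.sub(r"\s+", " ", str(raw))      # unfold continuation lines
        m = HOP_RE.search(line)
        if not m:
            continue                              # unparseable hop: skip it
        ip = IP_RE.search(m.group("paren") or "")
        hops.append({
            "helo": m.group("helo"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by").lower(),
        })
    return hops


def originating_hop(msg_text, trusted_suffixes):
    """Walk hops from the newest down and keep the last one written by a
    trusted relay. Anything below that was written by the sender's side and
    can be forged outright, so the walk stops at the first untrusted 'by'."""
    origin = None
    for hop in parse_received(msg_text):
        if not any(hop["by"].endswith(sfx) for sfx in trusted_suffixes):
            break
        origin = hop
    return origin


def analyze(msg_text, trusted_suffixes=TRUSTED_RELAY_SUFFIXES):
    """Summarise what the headers actually say versus what From: claims."""
    msg = email.message_from_string(msg_text)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    origin = originating_hop(msg_text, trusted_suffixes) or {}
    helo = (origin.get("helo") or "").lower()
    return {
        "from_domain": from_domain,
        "origin_ip": origin.get("ip"),
        "origin_helo": origin.get("helo"),
        # True only if the connecting host belongs to the From: domain.
        "sender_matches_from": bool(from_domain) and helo.endswith(from_domain),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, the From: domain is `example-domain.invalid` but the host that connected to the ISP's relay is `203.0.113.45`, announcing itself as `Ltdt`; that connecting IP is what belongs in an abuse report, not the address in From:. In real traffic the worm can also forge extra Received: lines of its own underneath the trusted ones, which is why the walk stops as soon as a hop was not written by a relay you trust.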
 

ctn

Level 4
Legacy Platinum Member
Joined
Nov 30, 2002
Messages
179
Reaction score
0
I just went through all of this. The best way to get rid of it if you have it is
http://www.pandasoftware.com
30 day trial. I tried two or three different softwares and theirs got rid of all of it.
 

DomainPairs

Level 8
Legacy Gold Member
Joined
Oct 5, 2002
Messages
1,370
Reaction score
0
Well they won't let me onto their site using the link you supplied, so they are obviously up to something in your computer when you visit their site. I documented a manual removal system for getting rid of Klez which goes back to dos to do it. I still mistrust any Windows based removal system as Windows has mechanisms to protect Viruses (CLSID for example).
 

ctn

Level 4
Legacy Platinum Member
Joined
Nov 30, 2002
Messages
179
Reaction score
0
Originally posted by DomainPairs
Well they won't let me onto their site using the link you supplied, so they are obviously up to something in your computer when you visit their site. I documented a manual removal system for getting rid of Klez which goes back to dos to do it. I still mistrust any Windows based removal system as Windows has mechanisms to protect Viruses (CLSID for example).

I left the www off the first time, it should work now. Now what would they be up to? All I know is they took care of the virus. They also don't pester me or my computer like Norton's does. And this software opens up DOS to get rid of it too. Matter of fact, all these other software I was using said it was a certain name Klez virus and found it but couldn't get rid of it, because it ended up being a newer Klez virus under an alias of the old. So it ended up finding out the real name of it and deleting all of it. So I'm very pleased at www.pandasoftware.com

PS. Now it did get rid of some of my plug-in exes like my Flash plug-in from Macromedia, but nothing major, I just reinstalled them.
 

mole

Guest
I recently discovered that Outlook 2002/XP has a new built in security feature that prevents any program from accessing your Contacts without stopping it and prompting you of this action and asking whether you want to permit it. I found out as I was trying to synch my Contact folder with its categories using the Category synch plug-in provided free by Microsoft. Viruses don't get through my system, since I use Norton Antivirus to scan all mails coming into my mailbox.
 