Fake Email from AS members?

dbabcock · May 21, 2003

I talked to Ken today and he's been getting some emails that were never sent by those who supposedly sent them. BG got one from Ken that he never sent. I got one this morning that was supposedly sent by Sawracr but probably wasn't. In at least some of these, there are attachments that can't be opened or at least associated with any known application program. I don't know if they contain viruses or not, but I suspect that the common denominator may be the AS database. Maybe Dennis could get in touch with PL and check this out.

Dennis · May 21, 2003

Doug...thanks for the heads up on this...anyone that receives these emails...please log the date/time/(supposed) sender...and email them to me. I will talk to PLS today.

NeTree · May 21, 2003

And DON'T try to open the attachments.

Dennis · May 21, 2003

Ok, I think what has happened here is one of our members got an email from another site with the virus attached. The virus then attacked the address book of the other users and continued sending out the messages. The possible bug in charge is "win32klezh@mm". Another reason to have good antivirus protection.

If you are sending me the details...please do not forward the message!! just send details.

Dennis · May 21, 2003

question

ok...here is a question...are the fake emails all being sent through arboristsite?? Or are they coming from private email addresses? (hotmail/yahoo/attbi/aol....etc)

Marky Mark · May 21, 2003

http://security.symantec.com/ssc/home.asp?j=1&langid=ie&venid=sym&plfid=22&pkj=DGSCPJUIYCZRWEJGSSK

Go to this link if you think your infected, from there do an online scan. What's happening is someone has the virus and it is mass mailing form there address book. then the next user gets infected and it just keeps growing. If you need help email me or better yet spend the 35 bucks for the norton.Even if you don't open the attachmant you'll be infected regardless.

I have included the tool if you need it. I also had to zip it to post it.Doug If ken is infected have him call me.

glens · May 21, 2003

I got one from "mrupley" on Sun, 18 May 2003 01:22:28 -0400 (EDT) really from [email protected] which contained "if" and "insidem1[1].jpg" as attachments.

My "file" utility reports:<pre>$ file if 'insidem1[1].jpg' if: MS-DOS executable (EXE), OS/2 or MS Windows insidem1[1].jpg: JPEG image data, JFIF standard 1.02, aspect ratio, 100 x 100</pre>I don't have any virus scanning software that's even remotely current (no need for it here <tt>:</tt>) but I get this using something I found buried on an old partition:<pre>$ uvscan if This program is more than 14 months old. New viruses come out all the time - we would suggest that you upgrade your copy. /home/glen/if Found the W32/Klez.gen@MM virus !!! Thank you for choosing to evaluate VirusScan from Network Associates.</pre>The messages are being sent from individuals by a virus which uses their address book to propagate.

If you're unfortunate enough to be stuck on a Microsoft-laden computer (or are simply curious), visit <a href="http://securityresponse.symantec.com/avcenter/venc/data/[email protected]">Symantec</a> or <a href="http://vil.mcafee.com/dispVirus.asp?virus_k=99455">McAfee</a> for information about (and remedy for) the virus.

Glen

Ryan Willock · May 21, 2003

My girlfriends (soon to be wife) computer got one of those virus a month or so ago. Took Mcaffe virus scan two hours to get rid of it.

glens · May 21, 2003

Whoever's on "h002078c61521.ne.client2.attbi.com" (24.62.183.126) right now (thirty minutes ago, actually), you sent me the virus email last Sunday and again today at 20:05:34 -0400 (EDT).  At least this time the included image was a little thumbnail action shot from a **** site.

I don't give a hoot for the fact that it'll never affect my computer's operation or citizenship, but I could do without the several seconds of tied-up bandwidth on this measly dialup.

Dennis, if you can determine who that is you might drop them a note.  I guess comcast.net would know who it is at any rate.

I'd guess that unless it's something to do with email harvesting from the AS server that it's someone I've been in direct correspondence with (else how would my special-to-AS email address be in their address book).  The only two it could be on attbi's network are DB and "StIhL MaGnUm".  Take your pick on who's the more likely candidate...

Glen

glens · May 21, 2003

Rocky,

The most recent message came from the host at 24.62.183.126, that is unequivocal.  The "sender" envelope header on the SMTP level indicated it was sent by "[email protected]".  The rfc822 "From:" header indicated "[email protected]" sent it.  The former would normally be a more authoritative source, but both can easily be faked (especially the latter).

How do you get db or "stihl magnum" out of either of those addresses?  I don't, but maybe you can enlighten me.  In fact I wish you would, as it seems as though my running unix servers live on the internet has left me "stupid" about this kind of stuff (you did accuse me of being so, right?).

Neither of my Internet Service Provider providers[sic] knows anything about the email address I use here.  There's only one computer on the internet that acts as a mail relay and which knows anything about it, and I might ultimately be wrong, but I'd say it isn't harvestable from there.  This particular critter thrives only on vulnerabilities built into stock MS-Windows boxes.  Antivirus protection only is protection if it can load before any other code on the computer, can not be gotten under while running, and especially, is omniscient.  Probably none of those pertain to anything readily available, but having something fairly current is better than nothing if one has to use MS "stuff" in other than a lab environment.

There are subtle differences between viruses and worms.  This particular example is actually a bit of both.  If you want to take this private I'd be glad to compare notes with you regarding some of the concepts involved.

I don't know why we always butt heads, Brian, but it sure seems to happen, doesn't it?

Glen

dbabcock · May 21, 2003

I don't usually respond to unfounded accusations, Glen, but I'll make an exception in your case. I'm suprised that someone with your supposed candor and polished graces would start babbling nonsense before they were sure of something.

Why would I bother doing that to you or anyone else? I haven't emailed you since I showed you how to solve that 9th grade math problem a few weeks ago. Because of that email, you must already have my IP, don't you?.

I can also give you odds that Stihl Magnum wouldn't have any more knowlege of how to do such a thing than you would about modular forms.

Want me to show you how to dance now? I'm not impressed, Glen.

Marky Mark · May 21, 2003

Let's look at this worm like this, It attacks the address book first then triggers the mass mailing. Lets say I had the worm and recieved an email from Doug several weeks before I opened the worm. If doug is the top address in my book it could look like he was mailing it. So if my mail passed thru a router that ATT owns then it could attach the header.

If you guys want a little virus tip create a email address
[email protected]
if by chance you do get infected you will know right away because you will get a failed delivery.

Glenn when you figure out how to configure this baby then we can move onto the to simple virus.

glens · May 21, 2003

Doug,

I have not edited my previous posts and I cannot find accusation of malice in them.  Maybe you'd be so kind as to point out to me where I'd suggested the attempted infestations were so driven, or even knowingly done in any fashion?  I understand from your tone that's what you perceive I was implying.

I want to make it perfectly clear that was not the case, and in fact, quite the opposite was true.  I was hoping to spur whoever it is (if they even know what an IP address is much less which one they're using at any given time) to check their computer for the bug.

Since this worm/virus propagates by using the contents of one's MS address book, and I can't imagine anyone of the few here I've transacted email with would forward anything I've written, my primary guess is it's one of those few.

You are one of the two possibilities from my limited sampling.  And furthermore, not only would I guess it not be you, but the other person had an IP address in very close affinity to the one from which the laden emails came.  The two addresses are close enough that it's easily conceivable they are the same person who's gotten a new address in a DHCP share rotation which is common on individual internet accounts.

I've never been an enthusiast of mathematical physics.  And I've never earned a primary, much less steady paycheck using a chainsaw.  But this kind of stuff I know and know well.

I wasn't even going to say anything about the initial attempted infestation but was emboldened by your bringing it up as a topic of discussion.  I guess if your intent was to lure me to a confrontation it would seem you've succeeded admirably.

I believe I'd given you your props for helping me with the embarrassingly simple logarithmic ratios, by the way.  If not, I apologize and do so now.

Glen

jokers · May 22, 2003

I got one of these messages about 6 weeks ago and the sender was listed as CBetz, not CMBetz or however Christian is listed here. So if infact the common source is linked to AS, perhaps someone will recognize that they have CBetz in their address book and look further into innoculating themselves. Just a probably meaningless thought because I am just a hack when it comes to computers. Computer OSs have never really interested me to any great extent but I do like putting them together.

Russ

johncinco · May 22, 2003

I have gotten a couple of these emails supposedly through the email system on AS. I just assumed you guys really thought I needed bigger breasts or was into animal ****.

As soon as I see most of these messages I just delete them and know it was some wack nut smarter than me that knows how to figure out stuff like that. Such is the price for a great site at a free price.

Cheers, JB

Oh yeah, I love it when they send me some of those messages, and their supposed to be from me!

dbabcock · May 22, 2003

Glen,
It was not my intent to lure you into a confrontation, it's just that I tend to not throw names around in a knee jerk fashion.

So here's the deal. Had you and I not posted at almost the exact time, I would have read your reply to Brian and probably not bothered posting my reply to you, even though I found the "take your pick" tone a little offhanded.

In this case, your suspicion about my involvement appears to be correct. Mike Abbott is a good friend of mine and has nothing to do with AS at all. [email protected] is his email address and he sent me a video file two days ago that played just fine. Going back, the last email he sent me was about 3 weeks ago, so I don't think it's in that.

So I have this email on my computer at home, complete with the video attachment. I guess I should probably call Marky.

The only emails I've sent to AS members in the last two days are to BG, so watch out Candice. Also, I don't think that my virus problem is necessarily the only one infecting us here.

Thanks for the info Glen.

Marky Mark · May 22, 2003

After helping Doug remove the KLezypoo I promised I would post another shot of the basement.

Glenn are you ready to control that Linux Power?????? Squid Server command center.

dbabcock · May 22, 2003

Marky's da man!

For a few weeks now, I've noticed that my machine has been getting pretty slow. I first noticed it when my mouse pointer started getting a little sluggish. Thanks to Mark, it's as fast as ever now.

dbabcock · May 22, 2003

What makes you think it was me? You get this thing be receiving emails not sending them. The only email I ever sent you siezed you up tighter than a 335 without oil, and that was a year ago.

The correct spelling is aggrAvation.

dbabcock · May 22, 2003

Brian,

Actually, I do have AV with the last revision downloaded 2 weeks and three days ago. For whatever reason it didn't catch this, so get on with life. I didn't have to bring up the subject, but I did because I was concerned for others, so stop whining. You don't see me whimpering about the fact that you're brighter than I am.

Fake Email from AS members?

Help Support Arborist Forum:

Hi Tech Redneck

Arboristsite MVP

Addicted to ArboristSite

Arboristsite MVP

Arboristsite MVP

Hell's Kitchen Trapper

Former Member

Addicted to ArboristSite

Former Member

Former Member

Hi Tech Redneck

Hell's Kitchen Trapper

Former Member

Addicted to ArboristSite

Addicted to ArboristSite

Hi Tech Redneck

Hell's Kitchen Trapper

Hi Tech Redneck

Hi Tech Redneck

Hi Tech Redneck

Similar threads

Join the conversation!

Join today and get all the highlights of this community direct to your inbox. It's FREE!