Gary Kjos
garykjos at hotmail.com
Mon Sep 8 12:55:26 CDT 2003
Hi Shamil.

Sobig virus uses E-Mail Spoofing - info below is from the Symantec AV site info on it....

-----------
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
-----------
Email spoofing

W32.Sobig.F@mm uses a technique known as "spoofing," by which the worm randomly selects an address it finds on an infected computer. The worm uses this address as the "From" address when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to another individual.

For example, Linda Anderson is using a computer infected with W32.Sobig.F@mm. Linda is neither using an antivirus program nor has the current virus definitions. When W32.Sobig.F@mm performs its email routine, it finds the email address of Harold Logan. The worm inserts Harold's email address into the "From" portion of an infected message, which it then sends to Janet Bishop. Then, Janet contacts Harold and complains that he sent her an infected message; however, when Harold scans his computer, Norton AntiVirus does not find anything, because his computer is not infected.
--------

So Shamil, someone who has you on their contact list is infected and is sending the message pretending to be you.....

Gary Kjos
garykjos at hotmail.com

>From: "Shamil Salakhetdinov" <shamil at SMSConsulting.spb.ru>
>Reply-To: Discussion of Hardware and Software
>issues<dba-tech at databaseadvisors.com>
>To: "dba - Tech" <dba-tech at databaseadvisors.com>
>Subject: [dba-Tech] I don't know what I don't know from where is sending
>messages using my e-mail address...
>Date: Mon, 8 Sep 2003 21:34:15 +0400
>
>Hi All,
>
>Have you ever seen a message returned to your mailbox, having your e-mail
>address in From field, which you didn't send? (see example in P.S.)
>This doesn't seem to be a virus running on my PC - my PC is scanned
>periodically using NAV with latest updates.
>And the recipients' e-mail addresses of such messages aren't written in my
>address book, and even MS Outlook Express version I use is different!
>
>What is this? A virus NAV missing while scanning my PC? Or...? Could you
>please advise?
>
>This looks very much like SOBIG virus but I don't have it on my PC!
>
>So much confused,
>TIA for any info,
>Shamil
>
>P.S. Strange messages header:
>
>Return-path: <shamil at smsconsulting.spb.ru>
>Received: from conversion-daemon.mailgw2.cityu.edu.hk by
>mailgw2.cityu.edu.hk
> (iPlanet Messaging Server 5.2 HotFix 1.17 (built Jun 23 2003))
> id <0HKW00601M6XOB at mailgw2.cityu.edu.hk>
> (original mail from shamil at smsconsulting.spb.ru); Tue,
> 9 Sep 2003 01:11:56 +0800 (CST)
>Received: from USER-VJCG7U5W26 (171-043.onebb.com [202.180.171.43])
> by mailgw2.cityu.edu.hk
> (iPlanet Messaging Server 5.2 HotFix 1.17 (built Jun 23 2003))
> with ESMTP id <0HKW007I6N4417 at mailgw2.cityu.edu.hk> for
> college.office at cityu.edu.hk; Tue, 09 Sep 2003 00:57:47 +0800 (CST)
>Date: Tue, 09 Sep 2003 01:28:39 +0800
>From: shamil at smsconsulting.spb.ru
>Subject: Thank you!
>To: college.office at cityu.edu.hk
>Message-id: <0HKW007I7N4417 at mailgw2.cityu.edu.hk>
>MIME-version: 1.0
>X-Mailer: Microsoft Outlook Express 6.00.2600.0000
>Content-type: multipart/mixed;
>boundary="Boundary_(ID_5Tw3yk+UVcZTNnkh000UIg)"
>Importance: Normal
>X-Priority: 3 (Normal)
>X-MSMail-priority: Normal
>X-MailScanner: Found to be clean
>
>This is a multipart message in MIME format
>
>--Boundary_(ID_5Tw3yk+UVcZTNnkh000UIg)
>Content-type: text/plain; charset=iso-8859-1
>Content-transfer-encoding: 7BIT
>
>See the attached file for details
>
>--Boundary_(ID_5Tw3yk+UVcZTNnkh000UIg)
>Content-type: text/plain; Name=UnsafeFile.txt
>Content-transfer-encoding: 7BIT
>Content-disposition: inline
>Content-description: Unsafe file movie0045.pif is removed!
>
>********* UNSAFE FILE REMOVED! *********
>
>The system has removed the following unsafe file from this mail:
>
>* Name of the file being removed: movie0045.pif
>
>Postmaster (Mail Administrator),
>City University of Hong Kong
>Email: postmaster at cityu.edu.hk
>
>(Reference number: 20030909_011156_13779)
>********************************************
>
>
>--
>e-mail: shamil at smsconsulting.spb.ru
>http://smsconsulting.spb.ru/shamil_s
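
Added example, not part of the original post: a way to read the Received chain of the header block quoted above and check whether the host that handed the message to the first mail server belongs to the domain claimed in From. The function names are illustrative, and the sample is the quoted header block with the archive's " at " obfuscation undone.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header block from the quoted bounce, " at " obfuscation undone.
SAMPLE = """\
Return-path: <shamil@smsconsulting.spb.ru>
Received: from conversion-daemon.mailgw2.cityu.edu.hk by mailgw2.cityu.edu.hk
 (iPlanet Messaging Server 5.2 HotFix 1.17 (built Jun 23 2003))
 id <0HKW00601M6XOB@mailgw2.cityu.edu.hk>
 (original mail from shamil@smsconsulting.spb.ru); Tue,
 9 Sep 2003 01:11:56 +0800 (CST)
Received: from USER-VJCG7U5W26 (171-043.onebb.com [202.180.171.43])
 by mailgw2.cityu.edu.hk
 (iPlanet Messaging Server 5.2 HotFix 1.17 (built Jun 23 2003))
 with ESMTP id <0HKW007I6N4417@mailgw2.cityu.edu.hk> for
 college.office@cityu.edu.hk; Tue, 09 Sep 2003 00:57:47 +0800 (CST)
From: shamil@smsconsulting.spb.ru
To: college.office@cityu.edu.hk
Subject: Thank you!

"""

# "from <HELO name> (<reverse DNS> [<peer IP>])" as logged by the receiving server.
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)")

def in_domain(host, domain):
    """True if host is the domain itself or a subdomain (no lookalike suffixes)."""
    host, domain = host.lower(), domain.lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))

def first_external_hop(raw):
    """Return (helo, rdns, ip) from the oldest Received header that logs a peer IP."""
    received = message_from_string(raw).get_all("Received", [])
    for value in reversed(received):  # headers are prepended, so last is oldest
        m = HOP.search(" ".join(value.split()))
        if m:
            return m.groups()
    return None

def from_is_corroborated(raw):
    """From and HELO are sender-supplied; only the logged reverse DNS is compared."""
    sender = parseaddr(message_from_string(raw)["From"] or "")[1]
    domain = sender.rpartition("@")[2]
    hop = first_external_hop(raw)
    return hop is not None and in_domain(hop[1], domain)

if __name__ == "__main__":
    print(first_external_hop(SAMPLE), from_is_corroborated(SAMPLE))
```

A False result does not prove forgery by itself, since legitimate senders often relay through hosts outside their own domain; it shows that the From line is not evidence of who sent the message.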