[dba-Tech] Lots of Virii attempts today

Drew Wutka dbatech at wolfwares.com
Thu Aug 21 16:51:03 CDT 2003


No, what it means is that a machine called DELLY, with an IP Address of 68.49.121.92, sent you this email.

Here is the WhoIS info for that IP Address:

OrgName: Comcast Cable Communications, Inc. 
OrgID: CMCS
Address: 3 Executive Campus
Address: 5th Floor
City: Cherry Hill
StateProv: NJ
PostalCode: 08002
Country: US

NetRange: 68.32.0.0 - 68.63.255.255 
CIDR: 68.32.0.0/11 
NetName: JUMPSTART-1
NetHandle: NET-68-32-0-0-1
Parent: NET-68-0-0-0-0
NetType: Direct Allocation
NameServer: NS01.JDC01.PA.COMCAST.NET
NameServer: NS02.JDC01.PA.COMCAST.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-11-29
Updated: 2002-06-12


TechHandle: IC161-ARIN
TechName: Comcast Cable Communications, Inc. 
TechPhone: +1-856-317-7300
TechEmail: cips-ip-registration at cable.comcast.com 

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName: Network Abuse and Policy Observance 
OrgAbusePhone: +1-856-317-7272
OrgAbuseEmail: abuse at comcast.net

OrgTechHandle: IC161-ARIN
OrgTechName: Comcast Cable Communications, Inc. 
OrgTechPhone: +1-856-317-7300
OrgTechEmail: cips-ip-registration at cable.comcast.com

CustName: Comcast Cable Communications, Inc.
Address: 3 Executive Campus
Address: 5th Floor
City: Cherry Hill
StateProv: NJ
PostalCode: 08002
Country: US
RegDate: 2003-03-19
Updated: 2003-03-19

NetRange: 68.48.0.0 - 68.49.255.255 
CIDR: 68.48.0.0/15 
NetName: DC-3
NetHandle: NET-68-48-0-0-1
Parent: NET-68-32-0-0-1
NetType: Reassigned
Comment: NONE
RegDate: 2003-03-19
Updated: 2003-03-19

TechHandle: IC161-ARIN
TechName: Comcast Cable Communications, Inc. 
TechPhone: +1-856-317-7300
TechEmail: cips-ip-registration at cable.comcast.com 

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName: Network Abuse and Policy Observance 
OrgAbusePhone: +1-856-317-7272
OrgAbuseEmail: abuse at comcast.net

OrgTechHandle: IC161-ARIN
OrgTechName: Comcast Cable Communications, Inc. 
OrgTechPhone: +1-856-317-7300
OrgTechEmail: cips-ip-registration at cable.comcast.com

# ARIN WHOIS database, last updated 2003-08-20 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.


So it's someone that is using Comcast as their ISP.  Sometimes the WhoIs information narrows it down further, but this looks like a home user.  (Most businesses register their own information within the WhoIs servers.)

You could try to contact Comcast with the numbers here, and tell them you are receiving virus emails....they may be able to contact the actual infected person, since they should know which one of their customers is currently using that IP Address.

Drew
  ----- Original Message ----- 
  From: John Bartow 
  To: Discussion of Hardware and Software issues 
  Sent: Thursday, August 21, 2003 4:36 PM
  Subject: RE: [dba-Tech] Lots of Virii attempts today


  I've been getting deluged by them too this week. Probably 20 a day since I got back from vacation (Sunday).

  I opened one of them (Outlook 2k) and choose View | Options and copied this info:

  Received: from DELLY [68.49.121.92] by mail.winhaven.net with ESMTP
    (SMTPD32-8.01) id A9CB30F0378; Thu, 21 Aug 2003 09:40:11 -0500
  From: <stuartcannon at mindspring.com>
  To: <techasst at winhaven.net>
  Subject: Re: Wicked screensaver

  Does this mean that Stuart Cannon really is the person that sent this or can this be masqueraded somehow?

  John B.



    -----Original Message-----
    From: dba-tech-bounces at databaseadvisors.com [mailto:dba-tech-bounces at databaseadvisors.com]On Behalf Of Drew Wutka
    Sent: Thursday, August 21, 2003 2:52 PM
    To: Discussion of Hardware and Software issues
    Subject: Re: [dba-Tech] Lots of Virii attempts today


    Just a little FYI on this virus.  It DOES NOT use the email address of the infected machine to send out emails.  It sends them out using random email addresses found on the users machine.  What does that mean in English?  If your anti-virus software sends a notice to the sender of a virus (like yours did here Arthur), you are notifying the wrong person.  We have gotten tons of these notices, because our employee's email addresses are being spoofed by this virus!

    To actually determine what is sending out these emails, look at the header info of the email.  That will give you the machine name and IP Address of the computer sending out the viruses.  Get the WhoIS information for that IP Address, and notify the Abuse or Tech person for that IP Address.  It may help them if you include a copy of the header information.

    Drew
      ----- Original Message ----- 
      From: Arthur Fuller 
      To: Discussion of Hardware and Software issues 
      Sent: Thursday, August 21, 2003 2:31 PM
      Subject: [dba-Tech] Lots of Virii attempts today


      I just got about the 20th notice today from the company's email provider. A snip:

      Recipient: afuller at etsys.com

      Sender: ntbug at microsoft.com

      Subject: Re: Approved

      Virus name: W32.Sobig.F at mm

      Attachment: details.pif

      Status: Messaged deleted

      Notified: recipient, administrator

      Thank you for using our services

      ---

      The Electric Mail Company

      www.electricmail.com

      My question is, how can people spoof an email address? Look where it allegedly came from.






      _______________________________________________
      dba-Tech mailing list
      dba-Tech at databaseadvisors.com
      http://databaseadvisors.com/mailman/listinfo/dba-tech
      Website: http://www.databaseadvisors.com



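Drew's advice in this thread is to ignore the From: line and read the Received: header that your own mail server wrote, then look the connecting IP up in WHOIS. The script below is an added example written for this archive page, not code from the thread or from any of its participants. It parses a message's headers, anchors on the Received: line whose "by" is the server you trust (the `our_mx` parameter is an assumption of this example), reports the host and IP on the "from" side of that line, compares the From: domain with it, and places the IP in the netblocks quoted from the ARIN output above. `SAMPLE_HEADERS` is constructed from the header John quoted; the function names, `NETBLOCKS` dictionary and the return keys are this example's own.

```python
"""Header triage for a suspected worm message (added example, not from the thread).

The From: header is untrusted (Sobig.F fills it with a harvested address);
the IP in the Received: line written by our own server is what the ISP's
abuse contact needs.
"""
import ipaddress
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample, modelled on the header quoted in the thread.
SAMPLE_HEADERS = """\
Received: from DELLY [68.49.121.92] by mail.winhaven.net with ESMTP
  (SMTPD32-8.01) id A9CB30F0378; Thu, 21 Aug 2003 09:40:11 -0500
From: <stuartcannon@mindspring.com>
To: <techasst@winhaven.net>
Subject: Re: Wicked screensaver

"""

# Netblocks copied from the ARIN WHOIS output quoted in the thread.
NETBLOCKS = {
    "68.32.0.0/11": "JUMPSTART-1 (Comcast, direct allocation)",
    "68.48.0.0/15": "DC-3 (Comcast, reassigned)",
}

# "from <host> [<ip>] by <server> ..." -- host token, anything up to 'by', server.
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)(?P<rest>.*?)\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE | re.DOTALL)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_received(value):
    """Return {'host', 'ip', 'by'} for one Received: header, or None."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = None
    ipm = IPV4_RE.search(m.group("host") + m.group("rest"))
    if ipm:
        try:
            ip = ipaddress.ip_address(ipm.group(1))
        except ValueError:
            ip = None  # looked like an address but is not a valid one
    return {"host": m.group("host").strip("()[]"), "ip": ip,
            "by": m.group("by").lower()}


def netblock_for(ip):
    """Most specific known netblock containing ip (longest prefix wins)."""
    best = None
    for cidr in NETBLOCKS:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best else None


def analyze(raw_headers, our_mx):
    """Triage one message; our_mx is the hostname of the server we trust."""
    msg = message_from_string(raw_headers, policy=default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""

    # Received: lines are prepended, so index 0 is the newest hop. Any line
    # below the one our own server added could have been forged by the
    # sender, so we anchor on the first line whose 'by' is our server.
    hop = None
    for value in msg.get_all("Received", []):
        parsed = parse_received(str(value))
        if parsed and parsed["by"].endswith(our_mx.lower()):
            hop = parsed
            break

    origin_host = hop["host"] if hop else None
    origin_ip = hop["ip"] if hop else None
    return {
        "from_addr": from_addr,
        "from_domain": from_domain,
        "origin_host": origin_host,
        "origin_ip": origin_ip,
        "netblock": netblock_for(origin_ip) if origin_ip else None,
        # A connecting host outside the From: domain does not by itself
        # prove spoofing (third-party relays are legitimate), but it is the
        # first thing to check before replying to the From: address.
        "from_matches_origin": bool(
            origin_host and from_domain
            and origin_host.lower().endswith(from_domain)),
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_HEADERS, "mail.winhaven.net").items():
        print(f"{key:20} {val}")
```

On the sample the result is the same conclusion Drew reached by hand: the connecting host is DELLY at 68.49.121.92, inside Comcast's reassigned 68.48.0.0/15, while the From: domain is mindspring.com, so a bounce or "you sent me a virus" notice to that address goes to the wrong person. The `our_mx` anchor matters when a message carries several Received: lines: only the ones written by servers you control are trustworthy, and the worm is free to prepend fake ones below them.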
