Erwin Craps
Erwin.Craps at ithelps.be
Mon Sep 8 15:43:21 CDT 2003
Not only Sobig. All recent/new viruses are using that technique.

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Shamil Salakhetdinov
Sent: Monday, 8 September 2003 20:10
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] I don't know what I don't know from where is sending messages using my e-mail address...

Thanks Gary and all the others who answered my message!
All is clear now - this SoBig virus writer is a real devil...

Shamil

----- Original Message -----
From: "Gary Kjos" <garykjos at hotmail.com>
To: <dba-tech at databaseadvisors.com>
Sent: Monday, September 08, 2003 9:55 PM
Subject: Re: [dba-Tech] I don't know what I don't know from where is sending messages using my e-mail address...

> Hi Shamil.
>
> Sobig virus uses E-Mail Spoofing - info below is from the Symantec AV
> site info on it....
> -----------
> http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
> -----------
> Email spoofing
> W32.Sobig.F@mm uses a technique known as "spoofing," by which the worm
> randomly selects an address it finds on an infected computer. The worm uses
> this address as the "From" address when it performs its mass-mailing
> routine. Numerous cases have been reported in which users of
> uninfected computers received complaints that they sent an infected
> message to another individual.
>
> For example, Linda Anderson is using a computer infected with
> W32.Sobig.F@mm. Linda is neither using an antivirus program nor has
> the current virus definitions. When W32.Sobig.F@mm performs its email
> routine, it finds the email address of Harold Logan. The worm inserts
> Harold's email address into the "From" portion of an infected message,
> which it then sends to Janet Bishop. Then, Janet contacts Harold and
> complains that he sent her an infected message; however, when Harold
> scans his computer, Norton AntiVirus does not find anything, because
> his computer is not infected.
>
> --------
>
> So Shamil, someone who has you on their contact list is infected and
> is sending the message pretending to be you.....
>
> Gary Kjos
> garykjos at hotmail.com
>
>
> >From: "Shamil Salakhetdinov" <shamil at SMSConsulting.spb.ru>
> >Reply-To: Discussion of Hardware and Software
> >issues<dba-tech at databaseadvisors.com>
> >To: "dba - Tech" <dba-tech at databaseadvisors.com>
> >Subject: [dba-Tech] I don't know what I don't know from where is
> >sending messages using my e-mail address...
> >Date: Mon, 8 Sep 2003 21:34:15 +0400
> >
> >Hi All,
> >
> >Have you ever seen a message returned to your mailbox, having your
> >e-mail address in From field, which you didn't send? (see example in
> >P.S.) This doesn't seem to be a virus running on my PC - my PC is
> >scanned periodically using NAV with latest updates. And the
> >recipients e-mail addresses of such messages aren't written in my
> >address book, and even MS Outlook Express version I use is different!
> >
> >What is this? A virus NAV missing while scanning my PC? Or...? Could
> >you please advise?
> >
> >This looks very much like SOBIG virus but I don't have it on my PC!
> >
> >So much confused,
> >TIA for any info,
> >Shamil
> >
> >P.S. Strange messages header:
> >
> >Return-path: <shamil at smsconsulting.spb.ru>
> >Received: from conversion-daemon.mailgw2.cityu.edu.hk by
> >mailgw2.cityu.edu.hk
> > (iPlanet Messaging Server 5.2 HotFix 1.17 (built Jun 23 2003))
> > id <0HKW00601M6XOB at mailgw2.cityu.edu.hk>
> > (original mail from shamil at smsconsulting.spb.ru); Tue,
> > 9 Sep 2003 01:11:56 +0800 (CST)
> >Received: from USER-VJCG7U5W26 (171-043.onebb.com [202.180.171.43])
> > by mailgw2.cityu.edu.hk
> > (iPlanet Messaging Server 5.2 HotFix 1.17 (built Jun 23 2003))
> > with ESMTP id <0HKW007I6N4417 at mailgw2.cityu.edu.hk> for
> > college.office at cityu.edu.hk; Tue, 09 Sep 2003 00:57:47 +0800 (CST)
> >Date: Tue, 09 Sep 2003 01:28:39 +0800
> >From: shamil at smsconsulting.spb.ru
> >Subject: Thank you!
> >To: college.office at cityu.edu.hk
> >Message-id: <0HKW007I7N4417 at mailgw2.cityu.edu.hk>
> >MIME-version: 1.0
> >X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> >Content-type: multipart/mixed;
> >boundary="Boundary_(ID_5Tw3yk+UVcZTNnkh000UIg)"
> >Importance: Normal
> >X-Priority: 3 (Normal)
> >X-MSMail-priority: Normal
> >X-MailScanner: Found to be clean
> >
> >This is a multipart message in MIME format
> >
> >--Boundary_(ID_5Tw3yk+UVcZTNnkh000UIg)
> >Content-type: text/plain; charset=iso-8859-1
> >Content-transfer-encoding: 7BIT
> >
> >See the attached file for details
> >
> >--Boundary_(ID_5Tw3yk+UVcZTNnkh000UIg)
> >Content-type: text/plain; Name=UnsafeFile.txt
> >Content-transfer-encoding: 7BIT
> >Content-disposition: inline
> >Content-description: Unsafe file movie0045.pif is removed!
> >
> >********* UNSAFE FILE REMOVED! *********
> >
> >The system has removed the following unsafe file from this mail:
> >
> >* Name of the file being removed: movie0045.pif
> >
> >Postmaster (Mail Administrator),
> >City University of Hong Kong
> >Email: postmaster at cityu.edu.hk
> >
> >(Reference number: 20030909_011156_13779)
> >********************************************
> >
> >
> >--
> >e-mail: shamil at smsconsulting.spb.ru
> >http://smsconsulting.spb.ru/shamil_s
> >
> >_______________________________________________
> >dba-Tech mailing list
> >dba-Tech at databaseadvisors.com
> >http://databaseadvisors.com/mailman/listinfo/dba-tech
> >Website: http://www.databaseadvisors.com