[dba-Tech] I don't know what I don't know from where is sending messages using my e-mail address...

Erwin Craps Erwin.Craps at ithelps.be
Mon Sep 8 15:43:21 CDT 2003


Not only Sobig.
All recent/new viruses are using that technique.


-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Shamil
Salakhetdinov
Sent: Monday, 8 September 2003 20:10
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] I don't know what I don't know from where
is sending messages using my e-mail address...


Thanks Gary and all the others who answered my message!
All is clear now - this SoBig virus writer is a real devil...

Shamil

----- Original Message ----- 
From: "Gary Kjos" <garykjos at hotmail.com>
To: <dba-tech at databaseadvisors.com>
Sent: Monday, September 08, 2003 9:55 PM
Subject: Re: [dba-Tech] I don't know what I don't know from where is
sending messages using my e-mail address...


> Hi Shamil.
>
> Sobig virus uses E-Mail Spoofing - info below is from the Symantec AV
> site info on it....
> -----------
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
> -----------
> Email spoofing
> W32.Sobig.F@mm uses a technique known as "spoofing," by which the worm
> randomly selects an address it finds on an infected computer. The worm uses
> this address as the "From" address when it performs its mass-mailing
> routine. Numerous cases have been reported in which users of
> uninfected computers received complaints that they sent an infected
> message to another individual.
>
> For example, Linda Anderson is using a computer infected with
> W32.Sobig.F@mm. Linda is neither using an antivirus program nor has
> the current virus definitions. When W32.Sobig.F@mm performs its email
> routine, it finds the email address of Harold Logan. The worm inserts
> Harold's email address into the "From" portion of an infected message,
> which it then sends to Janet Bishop. Then, Janet contacts Harold and
> complains that he sent her an infected message; however, when Harold
> scans his computer, Norton AntiVirus does not find anything, because
> his computer is not infected.
>
> --------
>
> So Shamil, someone who has you on their contact list is infected and 
> is sending the message pretending to be you.....
>
> Gary Kjos
> garykjos at hotmail.com
>
>
>
>
>
> >From: "Shamil Salakhetdinov" <shamil at SMSConsulting.spb.ru>
> >Reply-To: Discussion of Hardware and Software 
> >issues<dba-tech at databaseadvisors.com>
> >To: "dba - Tech" <dba-tech at databaseadvisors.com>
> >Subject: [dba-Tech] I don't know what I don't know from where is
> >sending messages using my e-mail address...
> >Date: Mon, 8 Sep 2003 21:34:15 +0400
> >
> >Hi All,
> >
> >Have you ever seen a message returned to your mailbox, having your 
> >e-mail address in From field, which you didn't send? (see example in 
> >P.S.) This doesn't seem to be a virus running on my PC - my PC is 
> >scanned periodically using NAV with latest updates. And the 
> >recipients e-mail addresses of such messages aren't written in my 
> >address book, and even MS Outlook Express version I use is different!
> >
> >What is this? A virus NAV missing while scanning my PC? Or...? Could
> >you please advise?
> >
> >This looks very much like SOBIG virus but I don't have it on my PC!
> >
> >So much confused,
> >TIA for any info,
> >Shamil
> >
> >P.S. Strange messages header:
> >
> >Return-path: <shamil at smsconsulting.spb.ru>
> >Received: from conversion-daemon.mailgw2.cityu.edu.hk by 
> >mailgw2.cityu.edu.hk
> >  (iPlanet Messaging Server 5.2 HotFix 1.17 (built Jun 23 2003))
> >  id <0HKW00601M6XOB at mailgw2.cityu.edu.hk>
> >  (original mail from shamil at smsconsulting.spb.ru); Tue,
> >  9 Sep 2003 01:11:56 +0800 (CST)
> >Received: from USER-VJCG7U5W26 (171-043.onebb.com [202.180.171.43])
> >  by mailgw2.cityu.edu.hk
> >  (iPlanet Messaging Server 5.2 HotFix 1.17 (built Jun 23 2003))
> >  with ESMTP id <0HKW007I6N4417 at mailgw2.cityu.edu.hk> for
> >  college.office at cityu.edu.hk; Tue, 09 Sep 2003 00:57:47 +0800 (CST)
> >Date: Tue, 09 Sep 2003 01:28:39 +0800
> >From: shamil at smsconsulting.spb.ru
> >Subject: Thank you!
> >To: college.office at cityu.edu.hk
> >Message-id: <0HKW007I7N4417 at mailgw2.cityu.edu.hk>
> >MIME-version: 1.0
> >X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> >Content-type: multipart/mixed; 
> >boundary="Boundary_(ID_5Tw3yk+UVcZTNnkh000UIg)"
> >Importance: Normal
> >X-Priority: 3 (Normal)
> >X-MSMail-priority: Normal
> >X-MailScanner: Found to be clean
> >
> >This is a multipart message in MIME format
> >
> >--Boundary_(ID_5Tw3yk+UVcZTNnkh000UIg)
> >Content-type: text/plain; charset=iso-8859-1
> >Content-transfer-encoding: 7BIT
> >
> >See the attached file for details
> >
> >--Boundary_(ID_5Tw3yk+UVcZTNnkh000UIg)
> >Content-type: text/plain; Name=UnsafeFile.txt
> >Content-transfer-encoding: 7BIT
> >Content-disposition: inline
> >Content-description: Unsafe file movie0045.pif is removed!
> >
> >********* UNSAFE FILE REMOVED! *********
> >
> >The system has removed the following unsafe file from this mail:
> >
> >* Name of the file being removed: movie0045.pif
> >
> >Postmaster (Mail Administrator),
> >City University of Hong Kong
> >Email: postmaster at cityu.edu.hk
> >
> >(Reference number: 20030909_011156_13779)
> >********************************************
> >
> >
> >--
> >e-mail: shamil at smsconsulting.spb.ru 
> >http://smsconsulting.spb.ru/shamil_s
> >
> >_______________________________________________
> >dba-Tech mailing list
> >dba-Tech at databaseadvisors.com 
> >http://databaseadvisors.com/mailman/listinfo/dba-tech
> >Website: http://www.databaseadvisors.com
>
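Added example (not part of the original thread): a way to read a header like the one quoted above and see which host actually handed the message to the receiving gateway, as opposed to the address in "From". The sample message is constructed with placeholder hosts and addresses, and the function name and regex are illustrative assumptions that match only the "from HELO (rdns [ip]) by SERVER" form shown in the quoted header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the bounce header quoted in the thread;
# hosts, addresses and IDs are placeholders (RFC 2606 / RFC 5737 ranges).
SAMPLE = """\
Return-path: <harold@sender.example>
Received: from conversion-daemon.mailgw.campus.example by mailgw.campus.example
 (Messaging Server) id <0001@mailgw.campus.example>; Tue, 9 Sep 2003 01:11:56 +0800
Received: from USER-PC01 (dsl-043.isp.example [192.0.2.43])
 by mailgw.campus.example (Messaging Server)
 with ESMTP id <0002@mailgw.campus.example> for office@campus.example;
 Tue, 09 Sep 2003 00:57:47 +0800
From: harold@sender.example
To: office@campus.example
Subject: Thank you!

See the attached file for details
"""

# "from HELO (rdns [ip]) by SERVER": the form used in the quoted header.
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)")

def submitting_client(raw, trusted_gateway):
    """Return facts about the host that handed the mail to trusted_gateway."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Each relay prepends its Received line, so read newest-first and take the
    # first client hop stamped by a gateway we trust. Lines below that stamp
    # were supplied by the sender and prove nothing.
    for line in msg.get_all("Received", []):
        m = HOP.search(" ".join(line.split()))  # unfold continuation lines
        if m and m.group(4).lower() == trusted_gateway:
            helo, rdns, ip, _ = m.groups()
            rdns_l = rdns.lower()
            matches = rdns_l == from_domain or rdns_l.endswith("." + from_domain)
            return {"from_domain": from_domain, "helo": helo, "rdns": rdns,
                    "ip": ip, "rdns_matches_from": matches}
    return None

if __name__ == "__main__":
    print(submitting_client(SAMPLE, "mailgw.campus.example"))
```

A mismatch between the submitting host and the "From" domain is not proof of forgery on its own, but the IP recorded by the gateway is the lead for locating the infected machine.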