OT: Inundated with bogus(?) warnings I'm infected

Mike McCarty Mike.McCarty at sbcglobal.net
Wed Sep 13 18:02:05 UTC 2006


Matthew Saltzman wrote:
> On Wed, 13 Sep 2006, Paul Howarth wrote:
> 
>> fredex wrote:
>>
>>> On Wed, Sep 13, 2006 at 05:33:21AM -0500, Mike McCarty wrote:
>>>
>>>> I'm getting inundated (like a few tens of e-mails a day) with
>>>> messages claiming that my machine has been identified as sending
>>>> a multitude of messages and is likely to be infected, or that
>>>> some e-mail I don't recognize was undeliverable. Both of them
>>>> recommend that I follow the attached instructions.
>>>>
>>>> The attachment is a .zip which unpacks to a file named
>>>>
>>>> text.doc                                      .scr
> 
> 
> This is a classic virus/trojan payload technique.  If your mailer 

Thanks for the reply. I'm aware of that. I don't "open" attachments.
I save them to disk, and use $ file and dump them in hex.

> appears to show the attachment as a .doc file, you might be persuaded to 
> open it with MS Word.  The .scr extension is there to get past 
> attachment scanners that key on the file type.  Odds are, this is a Word 
> macro trojan.

Umm, some of them don't look like that. Some of them are definitely
Windows executables; have the "MZ" signature, and the tell-tale
"This program cannot be run in DOS mode" message in them (strings
is a nice program, too).

[snip]

>>>> Would someone please help me in interpreting the headers
>>>> from these messages so I can ascertain where they originate,
>>>> and possibly get someone (who I presume is infected) either
>>>> cleaned or shut down?
> 
> 
> It's playing whack-a-mole, really.  But you can follow the chain of 
> "Received:" headers back to the last one that makes sense (sometimes the 
> earlier ones are forged too) and mail the postmaster or abuse address at 
> that domain.

Well, I have done that sort of thing once or twice, and accidentally
posted a copy to an e-mail echo. One fellow commented that I had
mis-interpreted the forged headers, but then disappeared and wouldn't
explain what I had done wrong. That's where I want some help.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
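The two things this thread keeps coming back to, checking whether the "text.doc ... .scr" member really is a Windows executable and working out which "Received:" hop is the last one that can be believed, can both be done from a saved copy of the message without ever opening the attachment. The script below is an added example, not code from the original post or the list; the hosts, addresses and IPs in the constructed sample message are placeholders, the "PE" payload is only an MZ header stub, and the chain-consistency rule (each hop's "by" host must be the host the newer hop says it received "from") is the usual rule of thumb for spotting where forged headers begin, not something stated by the poster.

```python
"""Triage a suspicious bounce: find the last trustworthy Received: hop and
flag padded-name / MZ-signature tricks in zip attachments.
Added example, not from the original post; all names/IPs are constructed."""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

DOS_STUB = b"This program cannot be run in DOS mode"

# Common shape of a Received: line: "from HELO (rdns [ip]) by HOST ...".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s*)?\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)


def received_hops(msg):
    """Parse every Received: header, newest (top of message) first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(str(value).split()))
        if m:
            hops.append({k: (v or "").lower() for k, v in m.groupdict().items()})
    return hops


def trusted_hops(hops, own_domain):
    """Keep hops from the top while each 'by' host is the host the newer hop
    said it received from (the first must be our own domain). The first hop
    that breaks the chain, and everything older, was written by the sender."""
    kept, expected = [], None
    for hop in hops:
        ok = hop["by"].endswith(own_domain.lower()) if expected is None \
            else hop["by"] in expected
        if not ok:
            break
        kept.append(hop)
        expected = {hop["helo"], hop["rdns"]} - {""}
    return kept


def classify_member(name, data):
    """Flag the padded double extension and the DOS/PE signature on one file."""
    m = re.fullmatch(r"(?P<shown>\S+)\s{2,}\.(?P<real>\w+)", name)
    return {
        "name": name,
        "displayed_as": m["shown"] if m else name,
        "real_ext": (m["real"] if m else name.rsplit(".", 1)[-1]).lower(),
        "padded_extension": m is not None,
        "is_mz": data[:2] == b"MZ",        # what `file`/hexdump shows first
        "has_dos_stub": DOS_STUB in data,  # what `strings` would show
    }


def inspect_attachments(msg):
    """Unpack zip attachments in memory (never to disk) and classify members."""
    findings = []
    for part in msg.iter_attachments():
        blob = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(blob)):
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for info in zf.infolist():
                    findings.append(classify_member(info.filename, zf.read(info)))
        else:
            findings.append(classify_member(part.get_filename() or "", blob))
    return findings


def triage(raw, own_domain="example.org"):
    msg = message_from_bytes(raw, policy=policy.default)
    hops = received_hops(msg)
    kept = trusted_hops(hops, own_domain)
    return {
        "hops": len(hops),
        "trusted_hops": len(kept),
        # The IP logged by the last trusted relay is the one to report to
        # abuse@; the HELO name and every older header are sender-controlled.
        "origin": kept[-1] if kept else None,
        "attachments": inspect_attachments(msg),
    }


def build_sample_message():
    """Constructed sample resembling the bounce described in the post."""
    msg = EmailMessage()
    for line in [
        "from mx.example.net (mx.example.net [192.0.2.10]) by mail.example.org "
        "with ESMTP id abc123 for <mike@example.org>; Wed, 13 Sep 2006 10:02:05 +0000",
        "from relay.example.net (relay.example.net [192.0.2.20]) by mx.example.net "
        "with ESMTP; Wed, 13 Sep 2006 10:02:04 +0000",
        "from bigbank.example.com (unknown [203.0.113.77]) by relay.example.net "
        "with SMTP; Wed, 13 Sep 2006 10:02:03 +0000",
        # Forged hop: no trusted relay confirms it.
        "from mail.bigbank.example.com ([10.1.2.3]) by localhost; "
        "Wed, 13 Sep 2006 10:02:02 +0000",
    ]:
        msg["Received"] = line
    msg["From"] = "postmaster@bigbank.example.com"
    msg["To"] = "mike@example.org"
    msg["Subject"] = "Your machine has been sending spam"
    msg.set_content("Please follow the attached instructions.")
    # Fake PE: MZ magic plus the DOS stub string (not a runnable binary).
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b".\r\n$" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("text.doc" + " " * 38 + ".scr", fake_pe)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="instructions.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

Run it on a saved message with `triage(open("msg.eml", "rb").read(), own_domain="yourdomain")`. The host names in a "from" clause are whatever the sending machine announced, so the thing worth reporting is the IP in square brackets that your own (or a trusted upstream) relay recorded; in the sample the chain breaks at the "by localhost" hop, so the origin is 203.0.113.77 with no matching reverse DNS, and the zip member is shown as text.doc but really ends in .scr and starts with MZ.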