OT: Inundated with bogus(?) warnings I'm infected

Matthew Saltzman mjs at ces.clemson.edu
Wed Sep 13 19:56:55 UTC 2006


On Wed, 13 Sep 2006, Mike McCarty wrote:

> Matthew Saltzman wrote:
>> On Wed, 13 Sep 2006, Paul Howarth wrote:
>> 
>>> fredex wrote:
>>> 
>>>> On Wed, Sep 13, 2006 at 05:33:21AM -0500, Mike McCarty wrote:
>>>> 
>>>>> I'm getting inundated (like a few tens of e-mails a day) with
>>>>> messages claiming that my machine has been identified as sending
>>>>> a multitude of messages and is likely to be infected, or that
>>>>> some e-mail I don't recognize was undeliverable. Both of them
>>>>> recommend that I follow the attached instructions.
>>>>> 
>>>>> The attachment is a .zip which unpacks to a file named
>>>>> 
>>>>> text.doc                                      .scr
>> 
>> 
>> This is a classic virus/trojan payload technique.  If your mailer 
>
> Thanks for the reply. I'm aware of that. I don't "open" attachments.
> I save them to disk, and use $ file and dump them in hex.
>
>> appears to show the attachment as a .doc file, you might be persuaded to 
>> open it with MS Word.  The .scr extension is there to get past attachment 
>> scanners that key on the file type.  Odds are, this is a Word macro trojan.
>
> Umm, some of them don't look like that. Some of them are definitely
> Windows executables; have the "MZ" signature, and the tell-tale
> "This program cannot be run in DOS mode" message in them (strings
> is a nice program, too).

Mikkel L. Ellertson pointed out in another post what I missed--.scr is a 
screensaver.  So you'll attempt to open it by double-clicking, thinking 
you have a Word document, then the program will run.  (Why .scr and not 
.exe I'm not sure.  There are probably both types of vectors out there 
and more.)

>
> [snip]
>
>>>>> Would someone please help me in interpreting the headers
>>>>> from these messages so I can ascertain where they originate,
>>>>> and possibly get someone (who I presume is infected) either
>>>>> cleaned or shut down?
>> 
>> 
>> It's playing whack-a-mole, really.  But you can follow the chain of 
>> "Received:" headers back to the last one that makes sense (sometimes the 
>> earlier ones are forged too) and mail the postmaster or abuse address at 
>> that domain.
>
> Well, I have done that sort of thing once or twice, and accidentally
> posted a copy to an e-mail echo. One fellow commented that I had
> mis-interpreted the forged headers, but then disappeared and wouldn't
> explain what I had done wrong. That's where I want some help.

postmaster at mydomain and abuse at mydomain are not supposed to echo to 
anyone except a sysadmin.  It's still the right idea, but you do have to 
be careful who you write to.  The From address is almost surely wrong, 
even if the Received lines appear to trace back to it.

>
> Mike
>

-- 
 		Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
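The two things discussed in this thread, looking past a padded ".doc        .scr" name to the "MZ" executable underneath, and walking the Received: chain back to the last hop that still makes sense, can both be done by script. The following is an added example written for this archive page, not code posted by anyone in the thread. The message it inspects is constructed inline (example.net / mydomain.example / bigcorp.example hosts, RFC 5737 test addresses); the chain rule it applies is a heuristic of my own: a Received: line is credible only if the host it claims handled the mail ("by") is the host that the next-newer line says it received "from", and everything below the first break was written by the sender.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

DOS_STUB = b"This program cannot be run in DOS mode"
# A name whose visible extension is followed by a run of spaces that pushes
# the real extension out of view in a mailer, e.g. "text.doc<spaces>.scr".
PADDED_EXT = re.compile(r"^(?P<shown>.+?\.\w+)\s{2,}\.(?P<real>\w+)$")
RECEIVED = re.compile(r"from\s+(?P<from>\S+)(?P<rest>.*?)\bby\s+(?P<by>[^\s;]+)", re.S)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def build_sample_message() -> bytes:
    """Constructed sample (not a real capture): forged From:, three Received:
    hops of which the oldest is forged, and a .zip whose only member is a
    Windows executable renamed to look like a Word document."""
    fake_exe = b"MZ" + b"\x90" * 60 + DOS_STUB + b".\r\n$" + b"\x00" * 40
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("text.doc" + " " * 38 + ".scr", fake_exe)

    msg = EmailMessage(policy=policy.default)
    # Each MTA prepends its own Received: line, so the newest hop comes first.
    msg["Received"] = ("from mx.example.net (mx.example.net [192.0.2.10]) "
                       "by mail.mydomain.example with ESMTP id A1; "
                       "Wed, 13 Sep 2006 12:00:05 -0400")
    msg["Received"] = ("from dsl-77.isp.example ([198.51.100.77]) "
                       "by mx.example.net with SMTP id B2; "
                       "Wed, 13 Sep 2006 12:00:01 -0400")
    # Written by the sender: no upstream hop ever handed the mail to this host.
    msg["Received"] = ("from mail.bigcorp.example (mail.bigcorp.example [203.0.113.5]) "
                       "by relay.bigcorp.example with ESMTP id C3; "
                       "Wed, 13 Sep 2006 11:59:00 -0400")
    msg["From"] = "postmaster@bigcorp.example"
    msg["To"] = "victim@mydomain.example"
    msg["Subject"] = "Your machine is infected"
    msg.set_content("Your computer has been sending spam. Follow the attached instructions.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="instructions.zip")
    return msg.as_bytes()


def parse_received(value: str):
    """Pull the 'from' host, its bracketed IP (if any) and the 'by' host."""
    m = RECEIVED.search(value)
    if not m:
        return None
    ip = IPV4.search(m.group("rest"))
    return {"from": m.group("from").lower(), "ip": ip.group(1) if ip else None,
            "by": m.group("by").lower()}


def trace_origin(msg, our_host: str):
    """Walk Received: lines newest-first and stop at the first one that does
    not fit the chain. Returns the credible hops; the last names the origin."""
    hops = [h for h in (parse_received(str(v)) for v in msg.get_all("Received", [])) if h]
    if not hops or hops[0]["by"] != our_host.lower():
        return []  # newest line was not written by our own MTA: trust nothing
    credible = [hops[0]]
    for prev, hop in zip(hops, hops[1:]):
        if hop["by"] != prev["from"]:
            break  # this hop claims a relay the newer hop never received from
        credible.append(hop)
    return credible


def inspect_attachments(msg):
    """Unpack .zip attachments; flag padded extensions and MZ executables."""
    findings = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if not isinstance(data, bytes):
            continue
        members = [(part.get_filename() or "", data)]
        if data[:2] == b"PK":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [(n, zf.read(n)) for n in zf.namelist()]
        for name, blob in members:
            m = PADDED_EXT.match(name)
            findings.append({
                "name": name,
                "shown_as": m.group("shown") if m else name,
                "real_ext": (m.group("real") if m else name.rsplit(".", 1)[-1]).lower(),
                "is_windows_exe": blob[:2] == b"MZ" and DOS_STUB in blob,
            })
    return findings


def analyze(raw: bytes, our_host: str) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    hops = trace_origin(msg, our_host)
    return {"claimed_from": str(msg["From"]),  # almost surely forged
            "credible_hops": hops,
            "origin_ip": hops[-1]["ip"] if hops else None,
            "attachments": inspect_attachments(msg)}


if __name__ == "__main__":
    r = analyze(build_sample_message(), "mail.mydomain.example")
    print("From: claims", r["claimed_from"], "; last credible hop from", r["origin_ip"])
    for f in r["attachments"]:
        print(repr(f["name"]), "shown as", f["shown_as"], "really", f["real_ext"],
              "| MZ executable:", f["is_windows_exe"])
```

On the sample, the From: header and the bottom Received: line both point at bigcorp.example, but the chain breaks right above that line, so the address to complain to is whoever owns 198.51.100.77 (a whois lookup, which this script deliberately does not do), not bigcorp's postmaster. Real MTAs vary in how they write the "from" clause (HELO name vs. reverse DNS, IPv6 in brackets, comments in odd places), so treat a mismatch as a reason to look closer rather than as proof by itself.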