OT: Inundated with bogus(?) warnings I'm infected

Matthew Saltzman mjs at ces.clemson.edu
Wed Sep 13 14:18:38 UTC 2006


On Wed, 13 Sep 2006, Paul Howarth wrote:

> fredex wrote:
>> On Wed, Sep 13, 2006 at 05:33:21AM -0500, Mike McCarty wrote:
>>> I'm getting inundated (like a few tens of e-mails a day) with
>>> messages claiming that my machine has been identified as sending
>>> a multitude of messages and is likely to be infected, or that
>>> some e-mail I don't recognize was undeliverable. Both of them
>>> recommend that I follow the attached instructions.
>>> 
>>> The attachment is a .zip which unpacks to a file named
>>> 
>>> text.doc                                      .scr

This is a classic virus/trojan payload technique.  If your mailer appears 
to show the attachment as a .doc file, you might be persuaded to open it 
with MS Word.  The .scr extension is there to get past attachment scanners 
that key on the file type.  Odds are, this is a Word macro trojan.


>>> 
>>> (many more spaces in the name than I put). For some of these,
>>> I've managed to ascertain that they are actually Windows
>>> executables. Sometimes my ISP warns me that the attachment
>>> contains the W32.Mydoom.M@mm virus, and the content was
>>> removed (in which case the .zip is 0 bytes). Other times
>>> the "virus protection" was unavailable, and I am warned
>>> that it wasn't run, and those are the ones I've looked
>>> at.
>>> 
>>> Would someone please help me in interpreting the headers
>>> from these messages so I can ascertain where they originate,
>>> and possibly get someone (who I presume is infected) either
>>> cleaned or shut down?

It's playing whack-a-mole, really.  But you can follow the chain of 
"Received:" headers back to the last one that makes sense (sometimes the 
earlier ones are forged too) and mail the postmaster or abuse address at 
that domain.

>>> 
>>> Thanks very much for your time.
>> 
>> Mike:
>> 
>> I dunno where they come from, but I get tons of 'em too. They're
>> clearly some kind of spam, I presume them to be a phishing scheme,
>> though it could just be a virus laden piece of crapware.
>> 
>> My spam filter (spambayes) does an excellent job of filtering out
>> all that junk so I never see them anywhere except in the spam (or
>> unsure) folder.
>
> It's probably just clueless anti-virus software sending mail to the forged 
> sender address used by the virus.
>
> http://attrition.org/security/rant/av-spammers.html
> http://www.joewein.de/sw/spam-virus-warnings.htm
> http://www.f-prot.com/news/gen_news/030910_open_letter.html
> http://www.f-prot.com/news/gen_news/040130_open_letter.html

That usually explains the "undeliverable" notices.  Occasionally, you get 
a legitimate one, though (usually very shortly after you send a message 
with a typo in the address).  I just trash most of them, except the ones 
that come right after I hit send.  That's not quite perfect, but I haven't 
figured out quite how to filter them.

>
> Paul.

-- 
 		Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
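Two points in the reply above lend themselves to a worked example: following the "Received:" chain back to the last hop that can be believed (so you know which abuse address to write to), and filtering "undeliverable" notices that are really backscatter from somebody else's virus scanner. The script below is an added example, not code from this thread or from any of the linked pages. It assumes that 192.0.2.0/24 stands for the recipient's own MX and the ISP relay whose Received: lines are trusted; all hosts, addresses, IPs, Message-IDs and the two sample messages are constructed for illustration.

```python
"""Walk Received: headers to find the hop to complain to, and tell a genuine
bounce from backscatter.  Added example, not code from the fedora-list
thread; hosts, addresses, IPs and Message-IDs below are constructed."""
import ipaddress
import re
from email import message_from_string

# Assumption: 192.0.2.0/24 is our own MX plus the ISP relay whose
# Received: lines we trust.  Any hop before these was written by a host we
# do not control, so its "from" claim may be forged.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

RECEIVED_RE = re.compile(r"\bfrom\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")   # peer IP as the MTA saw it
MSGID_RE = re.compile(r"<[^<>\s]+@[^<>\s]+>")      # anything that looks like an ID


def parse_received(msg):
    """Hops newest-first (the order they appear), as (peer_ip, by_host).
    peer_ip is None when the line carries no bracketed [ip]."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(hdr.split()))   # unfold and collapse
        if not m:
            hops.append((None, None))
            continue
        ip = None
        ip_m = IP_RE.search(m.group("from"))
        if ip_m:
            try:
                ip = ipaddress.ip_address(ip_m.group("ip"))
            except ValueError:
                ip = None
        hops.append((ip, m.group("by").lower()))
    return hops


def origin_ip(msg):
    """Newest hop first: the first peer address that is not one of our
    trusted relays is the host that handed the mail to our infrastructure.
    Headers below that point were written by hosts we cannot vouch for.
    Returns the IP as a string, or None if the chain breaks earlier."""
    for ip, _by in parse_received(msg):
        if ip is None:
            return None
        if not any(ip in net for net in TRUSTED_NETS):
            return str(ip)
    return None


def is_backscatter(bounce_text, sent_message_ids):
    """True when the bounce references none of our own Message-IDs.
    A genuine DSN quotes at least the headers of the message it returns,
    so one ID in it should match our sent-mail log; a notice about a
    message we never sent is a reply to a forged sender address."""
    referenced = set(MSGID_RE.findall(bounce_text))
    return not (referenced & set(sent_message_ids))


# Constructed sample: an "infected" warning.  The third Received: line is
# the kind that "doesn't make sense" (a private address), and it sits
# below the last hop we can believe.
SAMPLE_WARNING = """\
Received: from relay.isp.example (relay.isp.example [192.0.2.10])
  by mx.home.example (Postfix) with ESMTP id 7F3A2
  for <mike@home.example>; Wed, 13 Sep 2006 05:01:12 -0500
Received: from mail.victim.example (mail.victim.example [198.51.100.7])
  by relay.isp.example (Postfix) with ESMTP id 1C2D4;
  Wed, 13 Sep 2006 05:01:10 -0500
Received: from [10.0.0.5] (helo=WINXP-BOX)
  by mail.victim.example with smtp; Wed, 13 Sep 2006 10:00:58 +0000
From: postmaster@victim.example
To: mike@home.example
Subject: Your computer may be infected
Message-ID: <scanner-0001@victim.example>

Our scanner found W32.Mydoom.M@mm in mail from your address.
"""

# Constructed sample: an "undeliverable" notice returning a message whose
# From: was forged; the quoted Message-ID is not one we ever sent.
SAMPLE_BOUNCE = """\
Received: from relay.isp.example (relay.isp.example [192.0.2.10])
  by mx.home.example (Postfix) with ESMTP id 9A1B2
  for <mike@home.example>; Wed, 13 Sep 2006 05:02:30 -0500
From: MAILER-DAEMON@elsewhere.example
To: mike@home.example
Subject: Undeliverable: Hi
Message-ID: <dsn-77@elsewhere.example>

Your message could not be delivered.
------ Original message headers ------
From: mike@home.example
To: someone@elsewhere.example
Message-ID: <a1b2c3@forged.example>
"""

# Constructed stand-in for a sent-mail log (hypothetical ID).
SENT_MESSAGE_IDS = {"<20060913.101500.mike@home.example>"}

if __name__ == "__main__":
    warning = message_from_string(SAMPLE_WARNING)
    for ip, by in parse_received(warning):
        print(f"  {ip!s:>16} -> {by}")
    print("complain to the abuse contact for:", origin_ip(warning))
    print("bounce is backscatter:", is_backscatter(SAMPLE_BOUNCE, SENT_MESSAGE_IDS))
```

On the constructed warning this reports 198.51.100.7, the host that handed the message to the trusted ISP relay; that is the network whose abuse or postmaster address is worth writing to, and the 10.0.0.5 line beneath it is ignored because it was written by a host outside the trusted set. The Message-ID check replaces the "did this arrive right after I hit send" heuristic with something a filter can apply automatically; its caveat is that a DSN that strips the original headers entirely will also be flagged, so a time window since the last send is a reasonable secondary signal.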

More information about the fedora-list mailing list