OT: Inundated with bogus(?) warnings I'm infected
Mike McCarty
Mike.McCarty at sbcglobal.net
Wed Sep 13 18:02:05 UTC 2006
Matthew Saltzman wrote:
> On Wed, 13 Sep 2006, Paul Howarth wrote:
>
>> fredex wrote:
>>
>>> On Wed, Sep 13, 2006 at 05:33:21AM -0500, Mike McCarty wrote:
>>>
>>>> I'm getting inundated (like a few tens of e-mails a day) with
>>>> messages claiming that my machine has been identified as sending
>>>> a multitude of messages and is likely to be infected, or that
>>>> some e-mail I don't recognize was undeliverable. Both of them
>>>> recommend that I follow the attached instructions.
>>>>
>>>> The attachment is a .zip which unpacks to a file named
>>>>
>>>> text.doc .scr
>
>
> This is a classic virus/trojan payload technique. If your mailer
Thanks for the reply. I'm aware of that. I don't "open" attachments.
I save them to disk, and use $ file and dump them in hex.
> appears to show the attachment as a .doc file, you might be persuaded to
> open it with MS Word. The .scr extension is there to get past
> attachment scanners that key on the file type. Odds are, this is a Word
> macro trojan.
Umm, some of them don't look like that. Some of them are definitely
Windows executables; they have the "MZ" signature, and the tell-tale
"This program cannot be run in DOS mode" message in them (strings
is a nice program, too).
[snip]
>>>> Would someone please help me in interpreting the headers
>>>> from these messages so I can ascertain where they originate,
>>>> and possibly get someone (who I presume is infected) either
>>>> cleaned or shut down?
>
>
> It's playing whack-a-mole, really. But you can follow the chain of
> "Received:" headers back to the last one that makes sense (sometimes the
> earlier ones are forged too) and mail the postmaster or abuse address at
> that domain.
Well, I have done that sort of thing once or twice, and accidentally
posted a copy to an e-mail echo. One fellow commented that I had
misinterpreted the forged headers, but then disappeared and wouldn't
explain what I had done wrong. That's where I want some help.
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
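As an added example (not code from the thread or from any of its participants), the two checks discussed above written out in Python: walking the Received: chain from the newest hop downward to the last hop whose "from" host agrees with the "by" host of the hop beneath it, and inspecting a saved attachment for the padded double extension and the MZ signature. The headers, hostnames and attachment bytes are constructed for the example; the addresses come from the RFC 5737 documentation ranges and the 10.0.0.0/8 private range, and `mail.example.org` and friends are placeholders, not real relays.

```python
import ipaddress
import re

# Constructed sample (not a real message): headers of a forged "you are infected"
# notice. Relays prepend their Received: line, so the topmost hop is the newest;
# the bottom hop names a bank's mail server and an internal address, i.e. forged.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org (Postfix) with ESMTP id ABC123
\tfor <mike@example.org>; Wed, 13 Sep 2006 12:00:05 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx.example.net with ESMTP; Wed, 13 Sep 2006 11:59:58 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.example.com with SMTP; Wed, 13 Sep 2006 11:59:50 +0000
Received: from mail.bigbank.example (mail.bigbank.example [10.0.0.1])
\tby localhost (Postfix); Wed, 13 Sep 2006 11:59:40 +0000
From: "Mail Administrator" <postmaster@example.org>
Subject: Your machine has been sending spam

body omitted
"""

# Constructed attachment bytes: a DOS/Windows executable header and its stub text.
DOS_STUB = b"This program cannot be run in DOS mode"
SAMPLE_ATTACHMENT = b"MZ\x90\x00\x03\x00" + b"\x00" * 58 + DOS_STUB + b"\r\n$\x00"

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
EXEC_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd"}


def unfold_headers(raw):
    """Join folded continuation lines; return (name, value) pairs in wire order."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                       # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    """Pull the 'from' host, 'by' host and bracketed IP out of one Received: value."""
    m = HOP_RE.match(value)
    ip = IP_RE.search(value)
    return {"from": m.group("from") if m else None,
            "by": m.group("by").rstrip(";,") if m else None,
            "ip": ip.group(1) if ip else None, "raw": value}


def is_internal(ip):
    """True for RFC 1918 and loopback addresses, which cannot be the public origin."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def trace_chain(headers):
    """Walk the Received: chain newest to oldest. Each hop's 'from' host should equal
    the 'by' host of the hop below it; the first mismatch is where the verifiable
    record ends, and every older hop below it is suspect (possibly forged)."""
    hops = [parse_received(v) for n, v in headers if n.lower() == "received"]
    last_good = len(hops) - 1
    for i in range(len(hops) - 1):
        if (hops[i]["from"] or "").lower() != (hops[i + 1]["by"] or "").lower():
            last_good = i
            break
    ip = hops[last_good]["ip"] if hops else None
    return {"hops": hops, "last_good_index": last_good, "origin_ip": ip,
            "origin_internal": is_internal(ip) if ip else None,
            "suspect_hops": hops[last_good + 1:]}


def classify_attachment(filename, data):
    """Flags on a saved attachment, judged from the bytes rather than the mailer's icon."""
    flags = []
    name = filename.strip().lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in EXEC_EXTS:
        flags.append("executable extension ." + ext)
    if len(re.findall(r"\.\s*[a-z0-9]+", name)) > 1:
        flags.append("double extension")
    if re.search(r"\s\.", name):
        flags.append("whitespace padding before final extension")
    if data[:2] == b"MZ":
        flags.append("MZ header: DOS/Windows executable")
    if DOS_STUB in data:
        flags.append("DOS stub string present")
    return flags


if __name__ == "__main__":
    report = trace_chain(unfold_headers(SAMPLE_HEADERS))
    for i, h in enumerate(report["hops"]):
        mark = "ok" if i <= report["last_good_index"] else "??"
        print(f"{mark} hop {i}: from {h['from']} [{h['ip']}] by {h['by']}")
    print("originating address to report to its abuse contact:", report["origin_ip"])
    print("attachment flags:", classify_attachment("text.doc .scr", SAMPLE_ATTACHMENT))
```

In the sample the third hop's "from" is a bare address with no reverse DNS, and the hop below it claims to have been handed the message by "localhost" on behalf of a bank: the chain stops making sense there, so 203.0.113.45 is the address whose abuse contact gets the report, and the 10.0.0.1 line is ignored as forged. Real chains need the same judgement about which of your own relays added the top lines; the script only mechanises the "from must match the previous by" comparison.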