ReX Posted May 25, 2003
Today I received a flurry of junk email, many with attachments that contained the following virus: W32.Yaha.F@mm
Practically all of these email messages were from someone in the DooM community, including the following: Cyb, brandori, arioch, Chris Hansen, bloodshedder.
The subject header is one of the following:
FW: goldfish
New Text Document
Nice Screenshot to Enjoy !
FW: Wonderfool Stuff for You
Keep an eye out for this shit, and delete the entire email if you come across it.
insertwackynamehere Posted May 25, 2003
Thanks for warning us, though I haven't gotten one yet.
fraggle Posted May 25, 2003
I doubt it's them; most viruses now are clever (and annoying) enough to spoof their source address. The virus is undoubtedly pretending to be those people.
Arioch Posted May 25, 2003
I'm completely virus free, despite having used Outlook exclusively for the past 3 years. Check not the address but the e-mail headers. It is there that you'll find the true victim.
Cyb Posted May 25, 2003
Yeah, I get quite a few of those myself, sometimes from 'myself'. What viruses do (and spam companies as well, further proving that they are a virus) is often spoof the return address or return path with someone found in the inbox, making the virus impossible to trace. All of my current mail servers strip any sort of attachments that are executable in any way (exe, vbscript or otherwise), so it's highly unlikely it was from me, or any of those people in fact.
Arioch Posted May 25, 2003
Thread moved to EE. Keep this crap out of the Doom forums.
Ichor Posted May 25, 2003
Just in case someone does have the virus, here's some information on it and maybe how to get rid of it.
Hobo Posted May 25, 2003
Thanks for the heads up. /me checks his email
ReX Posted May 25, 2003
Fraggle, Arioch, and Cyb said that viruses often spoof the return address.
Thanks for clarifying that. I suspected that there was something deeper than a simple forwarded email, as I was getting them from so many different DooMers.
Fredrik Posted May 25, 2003
E-mail viruses still outsmart the computer users? Heh.
Sharessa Posted May 25, 2003
Hasn't this been going around for like a year?
DOOM Anomaly Posted May 25, 2003
Fredrik said: E-mail viruses still outsmart the computer users? Heh.
Not really, the creators of the viruses may though. :P
Grazza Posted May 25, 2003
The infected person will probably be a Doomer, given that they have these addresses in their address book. The "Sender:" line in the message header should give a better idea of whose computer it is really from than the "From:" line (which the virus fakes).
Sephiroth Posted May 25, 2003
My rules for email:
Never open anything FWD:
Never open anything with a clip.
If it looks like someone's email address but is incorrect in some way, don't open it.
I open nothing that doesn't sound like a subject that person would send.
I never open Re: messages unless I know I sent the original message.
Nothing is opened that is sent to more than one user.
I also almost never open anything from AOL, mainly cause AOL users are the most common virus transmitters (the whores of the internet, and these whores don't use condoms).
Bloodshedder Posted May 26, 2003
Grazza said: The infected person will probably be a Doomer, given that they have these addresses in their address book.
Not necessarily. Certain worms/viruses have been known to troll browser caches, picking up addresses there on an infected machine. So even someone who visited DW once could be sending some of these out.
Grazza said: The "Sender:" line in the message header should give a better idea of whose computer it is really from than the "From:" line (which the virus fakes).
The Sender line can be easily faked as well. The only true indication is to look at the Received: lines. Bogus Received: lines can be added, but there's always at least one that is real.
ReX Posted May 26, 2003
More of the same shit in my Bulk Mail folder. There's another variant of the regular and forwarded mail -- an Undelivered Mail Returned to Sender message. These are being "returned" from the same people from whom I got the original mail and forwarded mail. Curious that Yahoo recognizes these as Bulk Mail. You'd think that mail from cyb, arioch, etc. would be put into my Inbox.
Lüt Posted May 26, 2003
Hey bs, post that huge email analysis you gave to me a week or so ago.
Bloodshedder Posted May 26, 2003
heh, okay. Viruses, spammers, etc. can falsify any sort of SMTP header information they wish, including Received: lines, Message-ID: lines, Return-path: lines, and so on. Here's an example of a typical junk mail header, along with another copy with my comments.

Return-Path:
Received: from millersace.com (pa-bethelpark-cadent1-millers-ace-hardware-cpe.pit.adelphia.net [68.168.162.198]) by middleearth.telefragged.com (8.12.8/8.12.6) with ESMTP id 3UL4Mn1008146 for ; Wed, 30 Apr 2003 16:04:22 -0500
Received: from kimo.com.tw [61.62.4.252] by millersace.com with ESMTP (SMTPD32-7.06) id A7904501F8; Wed, 30 Apr 2003 02:05:04 -0400
From: swsc@seed.net.tw
Subject: =?Big5?B?s8zCsrPmqfbAtKq6pEikT7vIpuY=?=
To: angelscott@kimo.com.tw
Content-Type: multipart/alternative; boundary="=_NextPart_2rfkindysadvnqw3nerasdf"; charset="CHINESEBIG5"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: swsc@seed.net.tw
Reply-To: sib00585@ms34.hinet.net
Date: Wed, 30 Apr 2003 14:06:19 +0800
X-Priority: 1
X-Library: Indy 9.00.10
X-MimeOLE: Produced By Mircosoft MimeOLE V6.00.2600.0000
Message-Id: <200304300206885.SM01240@kimo.com.tw>

Return-Path:
Forged. As you'll see from the next line, this message did not come from anywhere in Taiwan.

Received: from millersace.com (pa-bethelpark-cadent1-millers-ace-hardware-cpe.pit.adelphia.net [68.168.162.198]) by middleearth.telefragged.com (8.12.8/8.12.6) with ESMTP id h3UL4Mn1008146 for ; Wed, 30 Apr 2003 16:04:22 -0500
This line, the last Received: line, is the only one that cannot be forged. As you can see, the Telefragged server received this message from 68.168.162.198, which it resolved to pa-bethelpark-cadent1-millers-ace-hardware-cpe.pit.adelphia.net. Adelphia is the ISP of the user who sent this message.

Received: from kimo.com.tw [61.62.4.252] by millersace.com with ESMTP (SMTPD32-7.06) id A7904501F8; Wed, 30 Apr 2003 02:05:04 -0400
Forged. kimo.com.tw does not resolve to 61.62.4.252, but to 64.58.79.230 and 66.218.71.198.

From: swsc@seed.net.tw
Forged; see Return-Path above.

Subject: =?Big5?B?s8zCsrPmqfbAtKq6pEikT7vIpuY=?=
Just the subject.

To: angelscott@kimo.com.tw
May be true; the reason my address was not in any To: list was most likely because the sender used BCC (Blind Carbon Copy), which does not show who it is sent to.

Content-Type: multipart/alternative; boundary="=_NextPart_2rfkindysadvnqw3nerasdf"; charset="CHINESEBIG5"
This line defines the MIME (Multiple Internet Mail Exchange) format. As you can see, the message should be in Chinese, but since I don't have that character set installed...

MIME-Version: 1.0
See above.

Content-Transfer-Encoding: quoted-printable
Not sure what this means.

Sender: swsc@seed.net.tw
See Return-Path.

Reply-To: sib00585@ms34.hinet.net
Can be set to basically anything in any e-mail client.

Date: Wed, 30 Apr 2003 14:06:19 +0800
Just the date.

X-Priority: 1
This means "High" priority in Outlook/Outlook Express.

X-Library: Indy 9.00.10
Not sure what this means.

X-MimeOLE: Produced By Mircosoft MimeOLE V6.00.2600.0000
Mircosoft? An obvious forgery.

Message-Id: <200304300206885.SM01240@kimo.com.tw>
Forged as well, since this message never passed through any of kimo.com.tw's mail servers.
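The Received:-line reasoning from Grazza's Sender: suggestion and Bloodshedder's two replies above, as an added Python example that is not code from the thread: it walks the Received: chain top-down and treats only the hop stamped by your own mail server as evidence, everything below it as a claim. The header is a constructed sample modelled on the one quoted above (the Return-Path and "for" addresses the page lost are placeholders), and the name of your own server is assumed to be known.

```python
import email
import re
from email import policy

# Constructed sample modelled on the junk-mail header quoted in the thread;
# the Return-Path and "for" addresses that the page lost are placeholders.
SAMPLE = """\
Return-Path: <placeholder@example.invalid>
Received: from millersace.com (pa-bethelpark-cadent1-millers-ace-hardware-cpe.pit.adelphia.net [68.168.162.198])
\tby middleearth.telefragged.com (8.12.8/8.12.6) with ESMTP id h3UL4Mn1008146
\tfor <placeholder@example.invalid>; Wed, 30 Apr 2003 16:04:22 -0500
Received: from kimo.com.tw [61.62.4.252] by millersace.com with ESMTP (SMTPD32-7.06) id A7904501F8; Wed, 30 Apr 2003 02:05:04 -0400
From: swsc@seed.net.tw
Sender: swsc@seed.net.tw
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+).*?\bby\s+(?P<by>[\w.-]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Received: hops in header order: index 0 was stamped last, by the
    final receiving server; later entries were stamped (or typed) earlier."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        line = re.sub(r"\s+", " ", str(value))   # unfold continuation lines
        m = HOP_RE.search(line)
        ip = IP_RE.search(line)
        hops.append({"helo": m.group("helo") if m else None,
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by") if m else None})
    return hops

def true_origin(raw, my_server):
    """IP that our own server actually accepted the connection from. Only the
    hop stamped by my_server is evidence; every Received: line below it, and
    From:/Sender:/Return-Path:, can be written by whoever sent the message."""
    for hop in received_hops(raw):
        if hop["by"] == my_server:
            return hop["ip"]
    return None

def untrusted_hops(raw, my_server):
    """Everything below our server's own stamp: claims, not evidence."""
    hops = received_hops(raw)
    for i, hop in enumerate(hops):
        if hop["by"] == my_server:
            return hops[i + 1:]
    return hops
```

For a mass-mailer like the one in this thread, the address true_origin returns is the infected machine's connection (or its ISP's relay), which is where an abuse report belongs; the From: and Sender: names are just whoever was in that machine's address book or cache.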
Alboroto Posted May 26, 2003
SARS is attacking fellow doomers!!! ARRRGHHHHHHHH