
Virus Info

Discussion in 'Commercial Snow Removal' started by Chuck Smith, Apr 23, 2002.

  1. Chuck Smith

    Chuck Smith 2000 Club Member
    from NJ
    Messages: 2,317

    Seems there is a new wave of this being sent around. This is the latest trick they are trying. Remember, DO NOT DOWNLOAD FILES FROM STRANGERS, and update your virus protection ONCE A WEEK.

    I edited the from field.........

    Look at the Headers (which I edited too)

    ----------------------- Headers --------------------------------
    Return-Path: mickey**@netrover.com

    Always look at the headers too. I contacted the ISP that this was sent from, and they disabled the account of the sender, and notified them they had a virus.

    Look at the BS "NOTE" they included in the e mail to "reassure" you that it is not the virus itself, yeah right!


    -------------------------------------------------------------

    Subj: Worm Klez.E immunity
    Date: 4/22/02 5:10:43 PM Eastern Daylight Time
    From: ****mis@geocities.com (****mis)
    To: csmith669@aol.com

    File: all.mim (129002 bytes)
    DL Time (31200 bps): < 1 minute

    <HEAD></HEAD>

    Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
    Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
    We developed this free immunity tool to defeat the malicious virus.
    You only need to run this tool once,and then Klez will never come into your PC.
    NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
    If so,Ignore the warning,and select 'continue'.
    If you have any question,please mail to me.


    ----------------------- Headers --------------------------------
    Return-Path: mickey**@netrover.com
    Received: from rly-xg01.mx.aol.com (rly-xg01.mail.aol.com [172.20.115.198]) by air-xg04.mail.aol.com (v85.4) with ESMTP id MAILINXG41-0422171042; Mon, 22 Apr 2002 17:10:42 -0400
    Received: from river.netrover.com (river.netrover.com [216.95.168.66]) by rly-xg01.mx.aol.com (v84.15) with ESMTP id MAILRELAYINXG19-0422170853; Mon, 22 Apr 2002 17:08:53 -0400
    Received: from Eimus (1Cust181.tnt1.chatham.on.da.uu.net [216.95.136.181]) by river.netrover.com (8.9.3+Sun/8.7.3) with SMTP id RAA05394 for <csmith669@aol.com>; Mon, 22 Apr 2002 17:08:30 -0400 (EDT)
    Date: Mon, 22 Apr 2002 17:08:30 -0400 (EDT)
    Message-Id: <200204222108.RAA05394@river.netrover.com>
    X-Envelope-From: mickeyds@netrover.com
    X-Envelope-To: <csmith669@aol.com>
    From: ****mis <****mis@geocities.com>
    To: csmith669@aol.com
    Subject: Worm Klez.E immunity
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary=T5B778115KB6425a6GKZ
    ------------------------------------------------------------------------------


    And here is yet another, that I got from the same "netrover" address. Different fictitious sender, but same "actual sender" in the headers.....


    -------------------------
    Subj: Worm Klez.E immunity
    Date: 4/21/02 8:22:17 PM Eastern Daylight Time
    From: *****CAR@UPI.ON.CA (*****CAR)
    To: csmith669@aol.com

    File: shape.zip (46406 bytes)
    DL Time (31200 bps): < 1 minute

    <HEAD></HEAD>

    Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
    Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
    We developed this free immunity tool to defeat the malicious virus.
    You only need to run this tool once,and then Klez will never come into your PC.
    NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
    If so,Ignore the warning,and select 'continue'.
    If you have any question,please mail to me.


    ----------------------- Headers --------------------------------
    Return-Path: mickey**@netrover.com
    Received: from rly-xf02.mx.aol.com (rly-xf02.mail.aol.com [172.20.105.226]) by air-xf01.mail.aol.com (v85.4) with ESMTP id MAILINXF12-0421202217; Sun, 21 Apr 2002 20:22:17 -0400
    Received: from river.netrover.com (river.netrover.com [216.95.168.66]) by rly-xf02.mx.aol.com (v84.10) with ESMTP id MAILRELAYINXF29-0421202148; Sun, 21 Apr 2002 20:21:48 -0400
    Received: from Kuxx (1Cust26.tnt1.chatham.on.da.uu.net [216.95.136.26]) by river.netrover.com (8.9.3+Sun/8.7.3) with SMTP id UAA11244 for <csmith669@aol.com>; Sun, 21 Apr 2002 20:21:19 -0400 (EDT)
    Date: Sun, 21 Apr 2002 20:21:19 -0400 (EDT)
    Message-Id: <200204220021.UAA11244@river.netrover.com>
    X-Envelope-From: mickey**@netrover.com
    X-Envelope-To: <csmith669@aol.com>
    From: *****CAR <*****CAR@UPI.ON.CA>
    To: csmith669@aol.com
    Subject: Worm Klez.E immunity
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary=D1t3rlI7qt4s38EGib

    -----------------------------------------------------


    UPDATE YOUR VIRUS PROTECTION NOW!

    If you are foolish enough not to have an anti-virus program, you can run one from the internet for free. It is also good to do a scan from the net every now and then, as sometimes a virus can hide on your PC from your virus protection software. Scanning from an outside source can often find the sneaky ones on your system.


    You can do a free scan, and virus removal here.

    http://housecall.antivirus.com/


    ~Chuck

    (I posted this in the Plowing Forum because EVERYONE reads it)
     
    Last edited: Apr 23, 2002
  2. Chuck Smith

    Chuck Smith 2000 Club Member
    from NJ
    Messages: 2,317

    Another

    Subj: CELLPADDING
    Date: 4/23/02 4:46:40 AM Eastern Daylight Time
    From: jbmk**4@hotmail.com (jbmk**4)
    To: csmith669@aol.com

    File: htsearch.zip (58846 bytes)
    DL Time (31200 bps): < 1 minute

    <HEAD></HEAD>
    <iframe src=cid:TPv25y424495i9W0 height=0 width=0>
    </iframe>
    (this iframe is a virus itself, aimed at Outlook Express users)



    ----------------------- Headers --------------------------------
    Return-Path: faustocb**nco@uol.com.br
    Received: from rly-yb04.mx.aol.com (rly-yb04.mail.aol.com [172.18.146.4]) by air-yb05.mail.aol.com (v84.10) with ESMTP id MAILINYB53-0423044640; Tue, 23 Apr 2002 04:46:40 -0400
    Received: from rly-ip02.mx.aol.com (rly-ip02.mx.aol.com [152.163.225.160]) by rly-yb04.mx.aol.com (v85.3) with ESMTP id MAILRELAYINYB41-0423044615; Tue, 23 Apr 2002 04:46:15 -0400
    Received: from logs-mtc-tk.proxy.aol.com (logs-mtc-tk.proxy.aol.com [64.12.107.5])
    by rly-ip02.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
    with ESMTP id CAA07757 for <csmith669@aol.com>;
    Tue, 23 Apr 2002 02:16:36 -0400 (EDT)
    Received: from Offy (ACAC0E9A.ipt.aol.com [172.172.14.154])
    by logs-mtc-tk.proxy.aol.com (8.10.0/8.10.0) with SMTP id g3N14iu43000
    for <csmith669@aol.com>; Mon, 22 Apr 2002 21:04:44 -0400 (EDT)
    Date: Mon, 22 Apr 2002 21:04:44 -0400 (EDT)
    Message-Id: <200204230104.g3N14iu43000@logs-mtc-tk.proxy.aol.com>
    From: jbmk724 (jbmk**24@hotmail.com)
    To: csmith669@aol.com
    Subject: CELLPADDING
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary=Noz494gc81i034H31R8uQ26
    X-Apparently-From: SKILE**ENT@aol.com


    ---------------------------------

    So who did this one come from really?

    jbmk**4@hotmail.com (jbmk**4)
    Return-Path: faustocb**nco@uol.com.br
    X-Apparently-From: SKILE**ENT@aol.com


    Confusing huh? Microsoft released a "patch" a looooong time ago to protect users from that "iframe" crap.

    Regardless of who sent it, just delete it immediately.

    If you are an AOL user, be sure to forward it to TOSFILES before deleting it. That way AOL can strip the file attachment, and prevent it from being downloaded. They might also try to trace who it is from.

    Also for AOL users, if you get spam or junk mail from other AOL members, forward the e mail to TOSEMAIL1.

    If you get spam from a non-AOL address, forward it to TOSSPAM.

    If you receive a harassing e mail, or vulgar e mail from another AOL member, forward it to TOSGENERAL.

    Every little bit helps stop this from happening.


    ~Chuck
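    To answer the question Chuck poses above ("So who did this one come from really?"), here is an added example that is not code from the thread or from PlowSite: a Python script that takes a header block modelled on the "CELLPADDING" headers quoted in this post (the sample below is constructed here, with addresses masked with ** the way the poster masked them), walks the Received: chain back to the earliest hop, and compares the domain of the visible From: line against the envelope Return-Path, X-Apparently-From and the relay names. The heuristics, the function names and the SAMPLE_HEADERS text are this example's own assumptions, not anything AOL or the thread specifies.

    ```python
    """Trace where a suspicious e-mail really came from by walking its Received: chain
    and comparing the visible From: header against the envelope and delivery path."""
    import re
    from email import message_from_string
    from email.utils import parseaddr

    # Constructed sample, modelled on the "CELLPADDING" headers quoted in this thread
    # (addresses masked with ** as the poster masked them). Folded Received: lines are
    # indented with a tab, the way a mail client stores them.
    SAMPLE_HEADERS = """\
    Return-Path: faustocb**nco@uol.com.br
    Received: from rly-yb04.mx.aol.com (rly-yb04.mail.aol.com [172.18.146.4]) by air-yb05.mail.aol.com (v84.10) with ESMTP id MAILINYB53-0423044640; Tue, 23 Apr 2002 04:46:40 -0400
    Received: from rly-ip02.mx.aol.com (rly-ip02.mx.aol.com [152.163.225.160]) by rly-yb04.mx.aol.com (v85.3) with ESMTP id MAILRELAYINYB41-0423044615; Tue, 23 Apr 2002 04:46:15 -0400
    Received: from logs-mtc-tk.proxy.aol.com (logs-mtc-tk.proxy.aol.com [64.12.107.5])
    \tby rly-ip02.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
    \twith ESMTP id CAA07757 for <csmith669@aol.com>;
    \tTue, 23 Apr 2002 02:16:36 -0400 (EDT)
    Received: from Offy (ACAC0E9A.ipt.aol.com [172.172.14.154])
    \tby logs-mtc-tk.proxy.aol.com (8.10.0/8.10.0) with SMTP id g3N14iu43000
    \tfor <csmith669@aol.com>; Mon, 22 Apr 2002 21:04:44 -0400 (EDT)
    From: jbmk724 <jbmk**24@hotmail.com>
    To: csmith669@aol.com
    Subject: CELLPADDING
    X-Apparently-From: SKILE**ENT@aol.com

    """

    RECEIVED_RE = re.compile(
        r"from\s+(?P<helo>\S+)"                 # name the sending host announced (HELO/EHLO)
        r"(?:\s+\((?P<comment>[^)]*)\))?"       # the relay's own view: reverse DNS and [ip]
        r"\s+by\s+(?P<by>\S+)",                 # the relay that wrote this line
        re.IGNORECASE)
    IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


    def domain_of(header_value):
        """Return the lowercased domain of the address in a header value, or None."""
        _, addr = parseaddr(header_value or "")
        return addr.rpartition("@")[2].lower() or None


    def parse_hops(msg):
        """Turn the Received: headers (most recent relay first) into structured hops."""
        hops = []
        for raw in msg.get_all("Received", []):
            value = " ".join(str(raw).split())          # unfold continuation lines
            m = RECEIVED_RE.search(value)
            if not m:
                continue
            comment = m.group("comment") or ""
            ip = IP_RE.search(comment)
            hops.append({
                "helo": m.group("helo"),
                "reverse_dns": comment.split()[0] if comment else None,
                "ip": ip.group(1) if ip else None,
                "by": m.group("by"),
            })
        return hops


    def analyze(raw_headers):
        """Summarise who the mail claims to be from versus where the relays say it came from."""
        msg = message_from_string(raw_headers)
        hops = parse_hops(msg)
        origin = hops[-1] if hops else None          # earliest hop = host that injected the mail
        claimed = {
            "from": domain_of(msg.get("From")),
            "return_path": domain_of(msg.get("Return-Path")),
            "apparently_from": domain_of(msg.get("X-Apparently-From")),
        }
        path_names = " ".join(
            (h["reverse_dns"] or "") + " " + (h["by"] or "") for h in hops).lower()
        warnings = []
        if claimed["from"] and claimed["from"] not in path_names:
            warnings.append("From: domain %s never appears in the delivery path" % claimed["from"])
        if claimed["return_path"] and claimed["from"] and claimed["return_path"] != claimed["from"]:
            warnings.append("envelope sender domain %s differs from From: domain %s"
                            % (claimed["return_path"], claimed["from"]))
        return {"hops": hops, "origin": origin, "claimed": claimed, "warnings": warnings}


    if __name__ == "__main__":
        report = analyze(SAMPLE_HEADERS)
        print("claimed:", report["claimed"])
        for i, hop in enumerate(reversed(report["hops"]), 1):
            print("hop %d: %s (%s, %s) -> %s"
                  % (i, hop["helo"], hop["reverse_dns"], hop["ip"], hop["by"]))
        print("injected by:", report["origin"])
        for w in report["warnings"]:
            print("WARNING:", w)
    ```

    Run on the sample, the earliest hop is a host calling itself "Offy" on an AOL dial-up address (ACAC0E9A.ipt.aol.com), which agrees with the X-Apparently-From aol.com address and not with the hotmail.com From: line, so both warnings fire; that is exactly the spoofed From: the thread describes. Read the chain from the top: each Received: line was written by the relay named after "by", so only the lines added by relays you trust (here the AOL hosts that delivered to the recipient) are reliable, and anything below the last trusted relay could have been written by the sender. The domain check is a heuristic: forwarded mail and mailing lists can legitimately make a From: domain absent from the path.
    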
     
  3. Chuck Smith

    Chuck Smith 2000 Club Member
    from NJ
    Messages: 2,317

    And yet another I just got.......

    They will try anything to get you to download the attachment! Also, these e mails are sent out by the virus, and often deleted from the person's "sent mail" folder.....


    --------------------------------------------------

    Subj: A very nice game
    Date: 4/23/02 11:48:10 PM Eastern Daylight Time
    From: deniseg**@mindspring.com (deniseg**)
    To: csmith669@aol.com

    File: play.zip (60796 bytes)
    DL Time (52000 bps): < 1 minute

    <HEAD></HEAD>

    This is a special nice game
    This game is my first work.
    You're the first player.
    I expect you would like it.


    ----------------------- Headers --------------------------------
    Return-Path: kcris**@earthlink.net
    Received: from rly-xj04.mx.aol.com (rly-xj04.mail.aol.com [172.20.116.41]) by air-xj02.mail.aol.com (v84.14) with ESMTP id MAILINXJ22-0423234810; Tue, 23 Apr 2002 23:48:10 -0400
    Received: from avocet.prod.itd.earthlink.net (avocet.mail.pas.earthlink.net [207.217.120.50]) by rly-xj04.mx.aol.com (v84.15) with ESMTP id MAILRELAYINXJ44-0423234659; Tue, 23 Apr 2002 23:46:59 -0400
    Received: from user-2ivfomd.dialup.mindspring.com ([165.247.226.205] helo=Bscppac)
    by avocet.prod.itd.earthlink.net with smtp (Exim 3.33 #2)
    id 170Djc-0003d6-00
    for csmith669@aol.com; Tue, 23 Apr 2002 20:46:25 -0700
    From: deniseg** (deniseg**@mindspring.com)
    To: csmith669@aol.com
    Subject: A very nice game
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary=WQO4814kf83168thGtTk3I8iB0
    Message-Id: <E170Djc-0003d6-00@avocet.prod.itd.earthlink.net>
    Date: Tue, 23 Apr 2002 20:46:25 -0700
    ----------------------------------------------------------

    I forwarded this one to abuse@mindspring.com and to abuse@earthlink.net

    *Maybe* they will do something about it.

    I think one of the best things an ISP can do would be to include some type of Virus Protection software packaged *with* their software. That way newbies could be protected from day 1, and experienced surfers could elect not to install the "free" protection.
    Especially with free internet access programs, no doubt some of those who use them are also too cheap to buy a virus protection program, LOL


    ~Chuck
     
  4. Chuck Smith

    Chuck Smith 2000 Club Member
    from NJ
    Messages: 2,317

  5. Pelican

    Pelican 2000 Club Member
    Messages: 2,075

    With this particular virus, you must be careful with attachments from friends as well as strangers. It infected my buddy's computer and dug up a year old note from his archives, then sent it to his entire address list with an attachment. Fortunately he warned me that it had happened before I downloaded messages and I was able to discard it. Be careful!
     
  6. digger242j

    digger242j Senior Member
    Messages: 672

    Thanks, Chuck.

    The "Cellpadding" message showed up in my fiancée's mailbox, showing that it was from a friend of hers. She downloaded the attachment. Fortunately Norton identified it and isolated it right away. (I hope...) I'd read your posts, but had failed to mention the information to her.

    The very next day "A special funny game" showed up in my mailbox showing as from a second cousin of mine. This cousin's address shows up on emails sent to the whole family about reunions and such, but she's not one who'd bother to send me a game. Actually I didn't know (just by her address), which one she was. A day later "A special funny website" showed up from yet another distant cousin. Obviously someone who gets the family emails has been infected. Had either of those been from someone I communicate with frequently (and had I not just read about them here), I'd likely have opened the attachments.

    Prior to this I'd never ever even seen a virus in my mail. It's certainly made me more cautious....
     
  7. digger242j

    digger242j Senior Member
    Messages: 672

    I thought it might be a good idea to bump this thread up to the top again.

    BRL sent me a PM telling me he'd gotten an infected message from my address, but which he was able to determine had been sent from a different address.

    I just deleted one, without even opening it, from "Deicerinfo@(I forget the domain name)". The subject line was "A pretty funny website".

    Maybe somebody here has caught something, or is it possible that there's a virus getting addresses directly from the website?

    Either way, it pays to be cautious.
     
  8. Pelican

    Pelican 2000 Club Member
    Messages: 2,075

    What a coincidence!

    I received a suspicious mailing yesterday and thought about this thread. It came from xxxxxxx (unknown to me) and is titled "gotta be CAREFUL". There's no text and just an attachment enclosed. It also went to other addresses I don't know, including one in the UK. I don't know anyone there. Anybody know anything about this?
     
    Last edited: Feb 1, 2003
  9. OffRoadPlow

    OffRoadPlow Senior Member
    Messages: 247

    I run the Internet Security for the Company I work for, the Anti virus server I run at work checks for VIRUS UPDATES or New Definitions every 30 minutes. I only check once or twice a day on my home Systems. You're right about it being a good idea to use virus software, but IMO you would be better off Scanning twice a week at least, as most of the email viruses can spread globally in 24 to 48 hours if not sooner... Just my thought... Good post.
     
  10. Chuck Smith

    Chuck Smith 2000 Club Member
    from NJ
    Messages: 2,317

    This has been going on for over a year now. I still get 10+ a day.

    The KLEZ has "evolved" in the past year, but this is a general, partial description:

    "Mass-mailing Routine

    To propagate copies of itself, this worm uses its own SMTP engine to send email containing its executable program. It has several ways of collecting its spoofed source email address and target email address.

    It randomly chooses its target users from a pool of email addresses and from the email addresses that appear in the From field of the email.

    Similar to the other KLEZ variants, this worm can change or spoof the original email address in the FROM: field. It obtains the email addresses that it places in the FROM: field from the infected user's address book. This causes a non-infected user's name to appear as the person who has sent this worm's malicious email. It does this to hide the real sender of the infected email. "

    Quoted from this web site:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H&VSect=T

    Another place it gets e mail addresses is from web pages in an infected computer's "cache". The "cache" stores a copy of every page on the internet your computer visits. The virus scans the stored pages for e mail addresses, then it sends itself to the e mail address from the stored page, using some of the text from that stored page as the "Subject" of the e mail, and attaches a random file that it infected from the infected computer. (Read that a few times).

    For instance, I get them all the time, and the subject is always something from one of my web pages like "Copyright Notice" or "73 - 87 Chevy", or "Questions", "to drain the fluid", etc.

    As I said before, update your VIRUS PROTECTION program at LEAST once a week.

    Go to your Start button, and run Windows Update. Download and install ALL Critical Updates.

    The main target of this virus is users of Outlook, and Outlook Express. There is a flaw that was discovered a LOOOOOONG time ago, that will allow the attachment to download and run automatically, simply by reading the e mail. That is, unless your computer is up to date. You can see how many people are foolish, just by the sheer volume of this virus out there.

    Also, this virus (and most new ones) will NOT allow you to install anti-virus software once they are on your computer (smart, huh?). The good news is you can find, and REMOVE them, using the link from my post above. (It has been changed, just go to www.antivirus.com). It's a free scan, and it works great. Since it scans "externally", the virus will not stop it from running and cleaning your computer.


    And another thing. If you ever think you have received an e mail from me, and it is not signed ~Chuck, then it is NOT from me. You will NEVER receive any (real) e mails from webmaster@snowplowing-contractors.com as my host does not allow outgoing mail (which is fine by me). The virus has been forging that address for months now.

    Glad you brought it up again Pelican. Check your PM's....


    ~Chuck
     
  11. The_Burning_Rom

    The_Burning_Rom Member
    Messages: 40

    As a member of the IT/CIS community, I have one piece of advice for all you guys using Outlook/Outlook Express. TURN OFF THE PREVIEW PANE! If you preview an infected email..then you've already opened it and infected yourself. I've seen this happen a hundred times. I get phone calls from people around here all the time about it. If you use Hotmail/Yahoo, you don't have to worry about getting a virus...they scan emails before you open them. If you use Outlook/OE, I'd suggest getting Norton 2003/System Works 2003. It has built in email scanning..and it really helps!
     
  12. Pelican

    Pelican 2000 Club Member
    Messages: 2,075

    Mystery solved, just a bit embarrassing...:eek:

    Thanks guys!