
Do I have a Virus


rober...@gmail.com

Jun 6, 2006, 3:38:10 PM
I just checked both of my email accounts (one for gmail and one for
school). Each account had an email with the subject heading "455".
The entire text of the email was "969". What's really weird though is
that each email was sent from that email address. In other words, the
email in my gmail account was sent from my own gmail account itself.
The email in my school account was sent from my school account. Yet
the emails are identical. Also, they were both sent within an hour of
one another while my computer was turned off.

I'm about halfway through a Norton scan right now and so far nothing.
Should I be worried? This is weird.

Please help.

jen

Jun 6, 2006, 3:44:54 PM
<rober...@gmail.com> wrote in message
news:1149622690.9...@u72g2000cwu.googlegroups.com...

See here: http://isc.sans.org/diary.php?storyid=1384&rss

-jen


rober...@gmail.com

Jun 6, 2006, 3:53:09 PM
Many Thanks.

jen

Jun 6, 2006, 4:03:06 PM
YW :)
<rober...@gmail.com> wrote in message
news:1149623589.3...@j55g2000cwa.googlegroups.com...

Befunge Sudoku

Jun 7, 2006, 6:39:02 AM
In article <1149622690.9...@u72g2000cwu.googlegroups.com>,
rober...@gmail.com says...
I had this very one today. The FROM line of an email is easily faked - so the fact it
claims to come from you is irrelevant. In fact we often assume dodgy mail doesn't come
from whatever the FROM line says.
If your mail client is set to display text only and not to run any scripts, nothing
will have happened to your machine. Even if that's not the case, probably nothing's
happened to your machine. If you're worried, boot into Safe Mode (f8 during power-up)
and scan from there.
--
News: use seven bits;
or accept you cannot know
how it looks elsewhere.
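An added example (not part of the thread) of the point above that the From: line proves nothing about where a message came from. It parses a constructed message whose From: equals To:, as in the original post, and recovers the connecting client's IP from the Received: chain, stopping at the last header written by our own (hypothetical) trusted servers because any header below that point could have been written by the sender.

```python
import email.utils
import re

# Constructed sample message (not from the thread). The From: header has been
# forged to equal To:, reproducing the "sent from my own account" symptom.
SAMPLE = """\
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
        by mail.example.edu with ESMTP id abc123
        for <student@example.edu>; Tue, 6 Jun 2006 14:02:11 -0400
Received: from [203.0.113.77] (unknown [203.0.113.77])
        by mx.example.edu with SMTP id xyz789;
        Tue, 6 Jun 2006 14:02:09 -0400
From: student@example.edu
To: student@example.edu
Subject: 455

969
"""

# Hypothetical hostnames of the mail servers we operate and therefore trust
# to write honest Received: headers.
TRUSTED_HOSTS = {"mail.example.edu", "mx.example.edu"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def parse_received(header):
    """Split one Received: header into (from_host, from_ip, by_host)."""
    text = " ".join(header.split())  # undo header folding
    m_from, m_by, m_ip = FROM_RE.search(text), BY_RE.search(text), IP_RE.search(text)
    return (m_from.group(1) if m_from else None,
            m_ip.group(1) if m_ip else None,
            m_by.group(1) if m_by else None)


def originating_ip(msg, trusted=TRUSTED_HOSTS):
    """Walk Received: headers top-down (newest first) and return the client IP
    recorded by the last trusted server, i.e. the host that handed the message
    to our infrastructure. Headers below that are under the sender's control."""
    for header in msg.get_all("Received", []):
        from_host, from_ip, by_host = parse_received(header)
        if by_host in trusted and from_host not in trusted:
            return from_ip
    return None


def header_self_addressed(msg):
    """True when From: and To: name the same mailbox (the thread's symptom).
    This says nothing about who actually submitted the message."""
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    to_addr = email.utils.parseaddr(msg.get("To", ""))[1].lower()
    return bool(from_addr) and from_addr == to_addr


def analyse(raw):
    """Summarise one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    return {"self_addressed": header_self_addressed(msg),
            "origin_ip": originating_ip(msg)}
```

Running `analyse(SAMPLE)` reports the message as self-addressed with origin 203.0.113.77, the client that connected to mx.example.edu, not the 192.0.2.10 relay hop and not anything the From: header claims.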

Duh_Oz

Jun 7, 2006, 9:36:51 AM
Just received my first one - had 57657 in the subject line and just
5556 in the message.

The originating IP (65.160.56.2) is located in Arizona.

David H. Lipman

Jun 7, 2006, 4:52:39 PM
From: "Duh_Oz" <ozzy....@gmail.com>

| Just received my first one - had 57657 in the subject line and just
| 5556 in the message.
|
| The originating IP (65.160.56.2) is located in Arizona.

I had it too the other day -- pure spam !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


kurt wismer

Jun 7, 2006, 6:53:48 PM
David H. Lipman wrote:
> From: "Duh_Oz" <ozzy....@gmail.com>
>
> | Just received my first one - had 57657 in the subject line and just
> | 5556 in the message.
> |
> | The originating IP (65.160.56.2) is located in Arizona.
>
> I had it too the other day -- pure spam !

pure spam? but it has no commercial content...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

David H. Lipman

Jun 7, 2006, 7:04:12 PM
From: "kurt wismer" <ku...@sympatico.ca>

| David H. Lipman wrote:
>> From: "Duh_Oz" <ozzy....@gmail.com>
>>
|>> Just received my first one - had 57657 in the subject line and just
|>> 5556 in the message.
|>>
|>> The originating IP (65.160.56.2) is located in Arizona.
>>
>> I had it too the other day -- pure spam !
|
| pure spam? but it has no commercial content...
|

Does spam really have to have commercial content to be called spam ?
I would state that the sheer numbers sent out makes it spam.

Now if I had received numerous copies of this email then it might be an email DoS attack not
spam but its wide distribution to many, many recipients I believe makes it spam.

Phil Weldon

Jun 7, 2006, 7:17:20 PM
'David H. Lipman' wrote, in part:

| Does spam really have to have commercial content to be called spam ?
| I would state that the sheer numbers sent out makes it spam.
|
| Now if I had received numerous copies of this email then it might be an
| email DoS attack not spam but its wide distribution to many, many
| recipients I believe makes it spam.
_____

Consider the possibility that the source is a 'beta' worm. It harvests
email addresses, but doesn't produce a payload or 'human engineered' message
yet B^)

Phil Weldon

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:MXIhg.7094$PY6.5869@trnddc05...

David H. Lipman

Jun 7, 2006, 7:56:44 PM
From: "Phil Weldon" <notdi...@example.com>


|
| Consider the possibility that the source is a 'beta' worm. It harvests
| email addresses, but doesn't produce a payload or 'human engineered' message
| yet B^)
|
| Phil Weldon


Could you please elaborate Phil.

jen

Jun 7, 2006, 7:57:17 PM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:r0Hhg.12228$9c7.7720@trnddc06...

> From: "Duh_Oz" <ozzy....@gmail.com>
>
> | Just received my first one - had 57657 in the subject line and just
> | 5556 in the message.
> |
> | The originating IP (65.160.56.2) is located in Arizona.
>
> I had it too the other day -- pure spam !

As per the link from SANS ISC I posted previously:
"There is a possible link to Bagle seeding as it was done in the past and we
might need to expect a new variant of it soon."

-jen


Ant

Jun 7, 2006, 8:37:13 PM
"David H. Lipman" wrote:

> From: "kurt wismer":
> | pure spam? but it has no commercial content...
>
> Does spam really have to have commercial content to be called spam ?

No.

> I would state that the sheer numbers sent out makes it spam.

Yes.

> Now if I had received numerous copies of this email then it might
> be an email DoS attack not spam

I would still consider it spam.

> but its wide distribution to many, many, recipients I believe makes
> it spam.

Yes. Spam is unsolicited bulk email (UBE), unless you're talking about
Usenet spam.


Duh_Oz

Jun 7, 2006, 10:12:08 PM

David H. Lipman wrote:
> From: "Duh_Oz" <ozzy....@gmail.com>
>
> | Just received my first one - had 57657 in the subject line and just
> | 5556 in the message.
> |
> | The originating IP (65.160.56.2) is located in Arizona.
>
> I had it too the other day -- pure spam !
>
> --
I tried the contact e-mail address using the originating IP but it
bounced back saying "Invalid recipient". I'll see if I get any
malware from that IP in the near future.

Phil Weldon

Jun 7, 2006, 10:39:00 PM
'David H. Lipman' wrote:
| Could you please elaborate Phil.
_____

It's a joke, Dave. A 'beta' release to work out the bugs.

Phil Weldon

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:0JJhg.18641$3i3.5850@trnddc08...


| From: "Phil Weldon" <notdi...@example.com>
|
|| Consider the possibility that the source is a 'beta' worm. It harvests
|| email addresses, but doesn't produce a payload or 'human engineered' message
|| yet B^)
||
|| Phil Weldon

kurt wismer

Jun 8, 2006, 12:11:50 AM
David H. Lipman wrote:
> From: "kurt wismer" <ku...@sympatico.ca>
[snip]

> | pure spam? but it has no commercial content...
> |
>
> Does spam really have to have commercial content to be called spam ?
> I would state that the sheer numbers sent out makes it spam.

no, i suppose not... i do recall someone once making a distinction
between spam and junk mail but apparently it's one of those things where
there is no universal agreement...

> Now if I had received numerous copies of this email then it might be an email DoS attack not
> spam but its wide distribution to many, many, recipients I believe makes it spam.

well, i suppose so, but i think that points to a problem with the
definition of spam - it's so general as to be next to useless... i think
there is something going on with these numbered emails and dismissing
them as just spam seems to ignore the potential that there's something
on the horizon...

jen

Jun 8, 2006, 11:02:52 AM
"kurt wismer" <ku...@sympatico.ca> wrote in message
news:e687rf$h8u$1...@nntp.aioe.org...
[snip]

> well, i suppose so, but i think that points to a problem with the
> definition of spam - it's so general as to be next to useless... i think

Sort of like the common man's definition of "virus" ;)

> there is something going on with these numbered emails and dismissing them
> as just spam seems to ignore the potential that there's something on the
> horizon...

-jen


Gabriele Neukam

Jun 8, 2006, 12:20:03 PM
On that special day, kurt wismer, (ku...@sympatico.ca) said...

> David H. Lipman wrote:
> > From: "Duh_Oz" <ozzy....@gmail.com>
> >
> > | Just received my first one - had 57657 in the subject line and just
> > | 5556 in the message.
> > |
> > | The originating IP (65.160.56.2) is located in Arizona.
> >
> > I had it too the other day -- pure spam !
>
> pure spam? but it has no commercial content...

Avira (the former H+BEDV) have received them in their honeypots and
think it is a kind of address verification run - everything that comes
back will be removed from the address list of a certain spammer, or
rather a phisher. No idea if that is correct.


Gabriele Neukam

Gabriele.Spam...@t-online.de


--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.

edgewalker

Jun 8, 2006, 2:43:40 PM

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:MXIhg.7094$PY6.5869@trnddc05...

> From: "kurt wismer" <ku...@sympatico.ca>
>
> | David H. Lipman wrote:
> >> From: "Duh_Oz" <ozzy....@gmail.com>
> >>
> |>> Just received my first one - had 57657 in the subject line and just
> |>> 5556 in the message.
> |>>
> |>> The originating IP (65.160.56.2) is located in Arizona.
> >>
> >> I had it too the other day -- pure spam !
> |
> | pure spam? but it has no commercial content...
> |

They are advertising their spamming service, but they forgot the 'your ad here'
placeholder. :))

> Does spam really have to have commercial content to be called spam ?
> I would state that the sheer numbers sent out makes it spam.
>
> Now if I had received numerous copies of this email then it might be an email DoS attack not
> spam but its wide distribution to many, many, recipients I believe makes it spam.

Maybe the content was hidden (stealth or rootkit spam) :))

...anyway, it is time to redefine spam (again) - maybe Kurt can give it a whirl.


David H. Lipman

Jun 8, 2006, 4:50:55 PM
From: "Phil Weldon" <notdi...@example.com>

| It's a joke, Dave. A 'beta' release to work out the bugs/
|
| Phil Weldon

Sorry Phil, I thought you may have been on to something :-)

David H. Lipman

Jun 8, 2006, 4:52:08 PM
From: "edgewalker" <nu...@null.invalid>


| They are advertising their spamming service, but they forgot the 'your ad here'
| placeholder. :))
|


There 'ya go ! :-)

Phil Weldon

Jun 8, 2006, 5:18:10 PM
'David H. Lipman' wrote:
| Sorry Phil, I thought you may have been on to something :-)
_____

On the other hand, there must be a lot of failed worm launches. If this is
the case a worm writer of intelligence might choose to withhold the 'human
engineered', visible component until operational capability is demonstrated.

Phil Weldon

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:P40ig.6742$td6.1371@trnddc02...

kurt wismer

Jun 8, 2006, 11:19:03 PM
jen wrote:
> "kurt wismer" <ku...@sympatico.ca> wrote in message
> news:e687rf$h8u$1...@nntp.aioe.org...
> [snip]
>> well, i suppose so, but i think that points to a problem with the
>> definition of spam - it's so general as to be next to useless... i think
>
> Sort of like the common man's definition of "virus" ;)

yeah, except virus at least has a formal academic definition we can fall
back on...

jen

Jun 10, 2006, 9:47:21 AM
"jen" <j...@example.com> wrote in message
news:0Xkhg.1906$gv2....@bignews3.bellsouth.net...

And here is the Trojan it is:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.fc.html

-jen


Dustin Cook

Jun 11, 2006, 7:53:41 PM
kurt wismer <ku...@sympatico.ca> wrote in
news:e687rf$h8u$1...@nntp.aioe.org:

> definition of spam - it's so general as to be next to useless... i
> think there is something going on with these numbered emails and
> dismissing them as just spam seems to ignore the potential that
> there's something on the horizon...
>

Phil is likely right, it's probably a test for a new bug we will soon be
seeing, if some haven't already.


--
Dustin Cook
http://bughunter.atspace.org
BugHunter MalWare Removal Tool

David H. Lipman

Jun 11, 2006, 8:13:24 PM
From: "Dustin Cook" <bughunte...@gmail.com>


| Phil is likely right, it's probably a test for a new bug we will soon be
| seeing, if some haven't already.
|

Then why such a wide broadcast ?

A test could have been done with a smaller sample.

I think it is a case of a spammer who was not "done" with the work and it was released
prematurely.

Dustin Cook

Jun 11, 2006, 8:16:53 PM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:Ek2jg.816$OL2.769@trnddc06:

> From: "Dustin Cook" <bughunte...@gmail.com>
>
>
>| Phil is likely right, it's probably a test for a new bug we will soon
>| be seeing, if some haven't already.
>|
>
> Then why such a wide broadcast ?


> A test could have been done with a smaller sample.

Depends on what you're testing for. Each unique number sequence could be a
hash. The author may be testing for range, spreadability, etc.



> I think it is a case of a spammer who was not "done" with the work and
> it was released prematurely.

Are they all coming from the same IP range?

jen

Jun 11, 2006, 8:25:29 PM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:Ek2jg.816$OL2.769@trnddc06...

> From: "Dustin Cook" <bughunte...@gmail.com>
>
>
> | Phil is likely right, it's probably a test for a new bug we will soon be
> | seeing, if some haven't already.
> |
>
> Then why such a wide broadcast ?
>
> A test could have been done with a smaller sample.
>
> I think it is a case of a spammer who was not "done" with the work and it
> was released
> prematurely.

Here it is:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.fc.html

-jen


Ant

Jun 11, 2006, 8:46:12 PM
"Dustin Cook" wrote:

> kurt wismer wrote:
>> definition of spam - it's so general as to be next to useless... i
>> think there is something going on with these numbered emails and
>> dismissing them as just spam seems to ignore the potential that
>> there's something on the horizon...
>
> Phil is likely right, it's probably a test for a new bug we will soon be
> seeing, if some haven't already.

Jen already posted the link on 8th June:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.fc.html

"W32.Beagle.FC is a Trojan horse that steals email addresses from the
compromised computer and sends the information via HTTP to the
rodolfomejia.com domain. The threat sends spam emails with random
text in order to verify if the gathered email addresses are live to
build a validated email list for sending malicious code or spam in
the future".

The subject is one of these numbers:

455
557
56757
586876
1545453

The HTML message is as follows:

in
<html><body>
5556 or 969

<br>
</body></html>


David H. Lipman

Jun 11, 2006, 8:47:14 PM
From: "jen" <j...@example.com>

OK. It certainly details the aspects. Spam generated by an internet worm.

Since it was generated by an I-worm, why no payload ? It was unable to spread by the
generated email.

David H. Lipman

Jun 11, 2006, 8:49:38 PM
From: "Ant" <n...@home.today>


|
| Jen already posted the link on 8th June:
| http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.fc.html
|
| "W32.Beagle.FC is a Trojan horse that steals email addresses from the
| compromised computer and sends the information via HTTP to the
| rodolfomejia.com domain. The threat sends spam emails with random
| text in order to verify if the gathered email addresses are live to
| build a validated email list for sending malicious code or spam in
| the future".
|
| The subject is one of these numbers:
|
| 455
| 557
| 56757
| 586876
| 1545453
|
| The HTML message is as follows:
|
| in
| <html><body>
| 5556 or 969
|
| <br>
| </body></html>
|

I guess I was "missing the picture".

However, how does this Trojan know what was failed mail or not ?

jen

Jun 11, 2006, 8:55:14 PM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:CS2jg.24504$X02.2467@trnddc02...

> From: "Ant" <n...@home.today>
>
>
> |
> | Jen already posted the link on 8th June:
> |
> http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.fc.html
> |
> | "W32.Beagle.FC is a Trojan horse that steals email addresses from the
> | compromised computer and sends the information via HTTP to the
> | rodolfomejia.com domain. The threat sends spam emails with random
> | text in order to verify if the gathered email addresses are live to
> | build a validated email list for sending malicious code or spam in
> | the future".
> |
> | The subject is one of these numbers:
> |
> | 455
> | 557
> | 56757
> | 586876
> | 1545453
> |
> | The HTML message is as follows:
> |
> | in
> | <html><body>
> | 5556 or 969
> |
> | <br>
> | </body></html>
> |
>
> I guess I was "missing the picture".
>
> However, how does this Trojan know what was failed mail or not ?

The failed mail bounces...

-jen


David H. Lipman

Jun 11, 2006, 9:08:12 PM
From: "jen" <j...@example.com>

Ok.

And how does this Trojan know this ? Through what mechanism ?

Ant

Jun 11, 2006, 9:31:58 PM
"David H. Lipman" wrote:

> I guess I was "missing the picture".

You're not the only one. Someone in another group thought the spam
was the actual malware. How the computer gets infected in the first
place is a different matter.

> However, how does this Trojan know what was failed mail or not ?

Presumably it runs its own SMTP process on the infected machine and
records the accept and reject codes from the servers it tries to send
mail to. Then it would have to send those results, together with the
corresponding addresses, back to the author or controller.

I don't imagine it would wait for those servers that accept mail to
any address at their domain and issue a 'bounce' later, so I expect
a lot of non-deliverable addresses at poorly configured mail servers
would be considered valid.


David H. Lipman

Jun 11, 2006, 9:36:14 PM
From: "Ant" <n...@home.today>

If it just had a SMTP engine it would just send the email. It is all store and forward. It
would need a POP3 engine to receive each failed mail message.

Ant

Jun 11, 2006, 10:23:56 PM
"David H. Lipman" wrote:

> From: "Ant" <n...@home.today>
>| "David H. Lipman" wrote:
>>> However, how does this Trojan know what was failed mail or not ?
>|
>| Presumably it runs its own SMTP process on the infected machine and
>| records the accept and reject codes from the servers it tries to send
>| mail to. Then it would have to send those results, together with the
>| corresponding addresses, back to the author or controller.
>|
>| I don't imagine it would wait for those servers that accept mail to
>| any address at their domain and issue a 'bounce' later, so I expect
>| a lot of non-deliverable addresses at poorly configured mail servers
>| would be considered valid.
>
> If it just had a SMTP engine it would just send the email.

And check the return codes:

Server: 220 example.com SMTP server ready
Trojan: HELO spammer.trojan
Server: 250 example.com
Trojan: MAIL FROM:<whoever@invalid>
Server: 250 OK
Trojan: RCPT TO:<ad...@example.com>
Server: 250 OK <---- (recorded as good address)
DATA
[etc.]
Trojan: RCPT TO:<ad...@example.com>
Server: 550 No such user here <---- (recorded as bad address)
[etc.]

> It is all store and forward.

These days well managed servers should reject with a 5xx code during
the transaction. Many don't, and end up sending backscatter to the
forged 'From' addresses in spam.

> It would need a POP3 engine to receive each failed mail message.

If it was dealing with late bounces or non-delivery reports, then yes;
which is more trouble, and why it probably won't do that.
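The server-side view of the exchange Ant sketches above, as an added example that is not part of the thread: a small detector that counts, per connecting client, how many RCPT TO: commands our server answered with 250 versus 550, and flags clients whose probes were mostly rejected, which is what an address-verification run looks like from the receiving end. It assumes a constructed key=value log format (real MTA logs differ); a server that rejects unknown recipients during the transaction, as Ant recommends, is what produces this signal instead of backscatter.

```python
import re
from collections import defaultdict

# Constructed server-side log lines (not from the thread) recording the reply
# our MTA gave to each RCPT TO:. Real MTA log formats differ; adapt LINE_RE.
LOG = """\
2006-06-07T09:36:50 client=198.51.100.23 rcpt=<alice@example.com> code=250
2006-06-07T09:36:50 client=198.51.100.23 rcpt=<bob@example.com> code=550
2006-06-07T09:36:51 client=198.51.100.23 rcpt=<carol@example.com> code=550
2006-06-07T09:36:51 client=198.51.100.23 rcpt=<dave@example.com> code=550
2006-06-07T09:36:52 client=198.51.100.23 rcpt=<erin@example.com> code=550
2006-06-07T09:36:52 client=198.51.100.23 rcpt=<frank@example.com> code=250
2006-06-07T09:36:52 client=198.51.100.23 rcpt=<grace@example.com> code=550
2006-06-07T09:36:53 client=198.51.100.23 rcpt=<heidi@example.com> code=550
2006-06-07T09:40:00 client=203.0.113.9 rcpt=<alice@example.com> code=250
2006-06-07T09:41:10 client=203.0.113.9 rcpt=<frank@example.com> code=250
2006-06-07T09:45:00 client=203.0.113.9 rcpt=<typo@example.com> code=550
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) rcpt=<(?P<rcpt>[^>]*)> code=(?P<code>\d{3})$"
)


def rcpt_stats(log):
    """Per client: (accepted, rejected) counts of RCPT TO: replies.
    2xx = accepted; 5xx = permanent reject such as "550 No such user here".
    4xx is a temporary failure and tells us nothing about the address, so it
    is not counted either way. Malformed lines are skipped."""
    stats = defaultdict(lambda: [0, 0])
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        code = int(m.group("code"))
        if 200 <= code < 300:
            stats[m.group("client")][0] += 1
        elif 500 <= code < 600:
            stats[m.group("client")][1] += 1
    return {client: tuple(counts) for client, counts in stats.items()}


def flag_harvesters(stats, min_attempts=5, min_reject_ratio=0.5):
    """Clients that probed many recipients and had most of them rejected look
    like address-verification runs; ordinary senders know their recipients.
    Thresholds are illustrative and should be tuned to local traffic."""
    flagged = []
    for client, (accepted, rejected) in stats.items():
        total = accepted + rejected
        if total >= min_attempts and rejected / total >= min_reject_ratio:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    stats = rcpt_stats(LOG)
    print(stats)                   # {'198.51.100.23': (2, 6), '203.0.113.9': (2, 1)}
    print(flag_harvesters(stats))  # ['198.51.100.23']
```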


kurt wismer

Jun 11, 2006, 11:29:34 PM
David H. Lipman wrote:
> From: "jen" <j...@example.com>

> OK. It certainly details the aspects. Spam generated by an internet worm.
>
> Since it was generated by an I-worm, why no payload ? It was unable to spread by the
> generated email.

the email was the payload... it's harvesting email addresses from
affected computers, verifying they're legitimate, and sending the ones
that work along to whomever orchestrated this... if you received the
email then your address has been added to the attacker's list...
everyone who has received the email has had their email address
compromised, bypassing whatever lengths they may have gone to to prevent
their address from being known outside their circle of legitimate
contacts...

this might not mean much to most people since most people live with a
compromised email address already...

jen

Jun 12, 2006, 9:38:39 AM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:iy3jg.1398$OL2.607@trnddc06...

Here is an interesting write up on the history of Beagle, if you haven't
seen it before:
http://www.infectionvectors.com/vectors/year_of_the_beagle.htm

-jen


David H. Lipman

Jun 12, 2006, 7:34:35 PM
From: "jen" <j...@example.com>

Thanx Ant and Jen.
It looks like I have some homework on this subject matter !
