thebackpacker.com - backpacking, hiking and camping Welcome to thebackpacker.com

Computer virus?

Viewing posts 1 to 50 of 74 messages posted.

I am WORRIED!!
I'm having weird things happen with my Outlook Express. Over the past 3 days, I've gotten maybe four messages with a heading of "Delivery Status Notification (Failure)"

They are coming from a "postmaster" at MSN. They are notes to people at MSN. The addresses are given. HOWEVER, I NEVER SENT ANY NOTES TO THESE PEOPLE AND KNOW OF NO SUCH PEOPLE!!!

This was freaking me out, too, cuz it seemed my Norton Antivirus had not been updating. I mean, I'm sure there were beaucoo virus updates the past few weeks!

Since my subscription was to run up Sept. 17, I just downloaded Norton Antivirus 2004 last night. And now I'm having problems with THAT!!

1. I can't open it up from my system tray or desktop shortcut by double-clicking.

2. When I do get it open (by right clicking and going to "open") -- AND LIKE RIGHT NOW, I AM NOT ABLE TO DO THAT EITHER! -- the options are somewhat different from what I had with my old Norton (I think I had 2002... was purchased late in that year).

3. I can't do a full-system scan! WTF??! When I click on "manual scan," it just runs it on any file that is open. I want to run that full-system scan to see if any virus shows up.

4. I did try to run the full-system scan by going under Windows task scheduler, and scheduled it to run 2 minutes from the time I was in there. Again, just ZIP and it was done. Not the hour-long scan it had been doing previously.

I am fed up... and WORRIED!! HELP??!

(ps and now I'm doing Windows security updates that will take probably at least another hour... not like I have to work or anything. HA!)
lizs
9:02:57 AM
9/11/03

This is just another spammer trick. They send emails to known bad addresses with your email address as the sender. Then you get a return email from that system, which, of course, contains the email that the spammer wishes you to see. You open it because it's a message from the Mail Delivery Subsystem, and you want to figure out who you were trying to send an email to.

As for the Norton stuff, I have no idea. Do you have the instruction manual still?
bitpusher
9:06:25 AM
9/11/03

Also... I had my old Norton set up to TELL ME when live updates were available, so I could then run that. And I hadn't gotten anything new for at least 1.5 weeks...and maybe another 1.5 weeks before that.

AND ANOTHER THING: My Outlook Express e-mail is driving me nuts. It bombs half the time when I go to send things. First I was scanning outgoing with Norton, but then I quit doing that. Still, bombs. Sometimes I would get an "MSISM" error. At one point, maybe 3-4 months ago, I looked that up... don't recall what it said. I moved and then the computer worked fine... for a bit. Now... same old problems.

grrrrrrrrr.... Am running ME on a Compaq computer with AMD processor. And no, don't tell me to get either A) new computer, or B) XP. I've been fairly happy with ME. And unless you can tell me this problem is TOTALLY WITHOUTA DOUBT an ME problem, I'm not switching
lizs
9:07:59 AM
9/11/03

Installed any new software recently? Other than the Norton stuff?
bitpusher
9:10:25 AM
9/11/03

I have a problem too that maybe someone can help me with....

On almost a daily basis in order to dial-up and connect to the internet I must unload and reload my modem....

Could this be a virus?
Adventurist
9:24:44 AM
9/11/03

It may also be that somebody has your email and is infected, sending out emails that look like they are from you. I've gotten a couple of those at the same time I was getting emails from blaster or sobig infected computers that had my email address stored on them.
Pathman
9:24:52 AM
9/11/03

Bitpusher and Pathman have the e-mail issue right.

Regarding Norton, I guarantee you that there are new updates. I update every Wednesday morning, did so yesterday, and received a new virus file.

In NAV 2003, you set the files scanned in the "Options" menu but I don't know NAV 2004 at all.

The good news is that you don't have a virus. The bad news is that you are going to have to spend some time with the manual and maybe re-install once you isolate the problem.

Oh, and for all the rest of us, dear Microsoft has identified yet ANOTHER vulnerability similar to that abused by the Blaster virus and has released yet ANOTHER patch to fix it. For those of us who already downloaded the Blaster patch, SURPRISE!, it does NOT fix the new problem, which requires another download.

Ain't this fun?

:-)
jeffers
9:48:26 AM
9/11/03

Yeah, especially when the Micro#&%!$ update site freezes half the time, and the install is not completed the other half.
Pathman
11:45:04 AM
9/11/03

....even when it is completed...last time I stupidly said yes to an ActiveX upgrade to 9.0, not really knowing it was a full upgrade because the loader program was so small.

I used to be able to open 20 browsers and more but now I can only do 4 or 5 before my system is "DANGEROUSLY LOW ON RESOURCES".

If you ask me, Bill's OS is dangerously overweight except underfed where it counts.
jeffers
12:02:56 PM
9/11/03

I'm at work now. I was running a HUGE Windows upgrade from MS. Said it was gonna take 2 hours. HA!

OK, so someone explain to me how the scenario that bitpusher presented -- about the spammers -- actually helps them?

Another thing I should mention... I was getting tons of e-mails with the .sobig virus in attachments on my Yahoo mail. I didn't ever open the attachment, although I did open the e-mail to see if the attachment had the guilty extension. That means I'm OK, right?
lizs
12:23:20 PM
9/11/03

yep, one good thing about yahoo email. the spam software works about 60% of the time for me.
Pathman
12:24:45 PM
9/11/03

It works because the email is from "Mail Delivery Subsystem" instead of from "HOT CHIK WITH BIG BOOBS"
bitpusher
1:04:27 PM
9/11/03

bitpusher, here is what comes in. I copied the content of the e-mail:

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

danman38@msn.com



That is it. The address shows up as a clickable address. When I run my mouse over it, it shows up as the same address, not a website. No, I haven't actually clicked on one, but when I run the mouse over it, it says in the taskbar:

mail to: danman38@msn.com



Which would appear to be e-mail
lizs
1:25:49 PM
9/11/03

Yes, but it's not valid, which is why it got bounced back to you. The spammer has set you as the sender, and the Mail Delivery Subsystem automagically forwards the message back to the sender.

The trick is that because it's from "Mail Delivery Subsystem" instead of from someone you don't know, you open and see the message.

The fact that the email address is highlighted and that the browser shows it at the bottom of the page doesn't make it a valid email address.

Not every Mail Delivery Subsystem forwards the entire contents of the email back to you, but enough do that this trick works. The fact that you're getting a bounce from a system that doesn't forward the entire message back means you've been targeted by an extremely stupid spammer.
bitpusher
2:10:36 PM
9/11/03

You can right click on the message before you open it and go to properties and view the message before you open it.
BS
3:35:51 PM
9/11/03

Ok Liz, I know I'm not supposed to say this. But I used to have all sorts of problems with software before, mainly realplayer, when I was running ME, and with realplayer even when I wasn't running it. AOL would crash all the time too.

They've stopped completely now I'm using windows 2k pro.
ynamiynami
3:38:07 PM
9/11/03

Realplayer's full of ET phone home code, stroke loggers and other various spyware. Might be why it crashes.

There's another gain for the spammers and virus writers when they spoof the sending address, beyond the one Bitpusher noted.

If I sneak into...pick a name...Yvonne's address book and send my virus to everyone in it from me or from Acme Dynamite Company, a certain percentage won't open it and click on the link and a certain percentage will. There's no help for people in this category.

But if I sneak into Yvonne's address book and send everyone there a virus from one person there, presumably some of Yvonne's friends know some of the other friends on the list, increasing the trust potential, and increasing the chance that a recipient will activate the payload and let me in their box, PLUS Yvonne might self infect if any of the mails are returned from Mailer Daemon as described by Bitpusher. Win-win.

Of course since even your most knowing computer guru's machine might follow virus instructions and send you a virus "from" the friend, no-one here clicks on any attachments from any source, unless it is expected, right?
jeffers
9:38:21 PM
9/11/03

I use yahoo to hold my emails, scan any attachment AT ALL, trusted or not.
Pathman
9:42:16 PM
9/11/03

I make sure I don't click attachments or links unless they have .exe at the end.
StickmanWalking
2:03:36 AM
9/12/03

AAAAAAACK!!! lol

j/k, right stickman?

course, the .pif's and .scr's are always trouble
lizs
6:06:23 AM
9/12/03

OK, more info on this. It looks like spammers. I happened to open one of these "failures" in yahoo... and got a full look at the #&%!$.

It definitely looks like they are using my e-mail -- MY NEW, TWO MONTHS OLD **HOME!** E-MAIL -- to send out spam for a dirty web site.

So who do I report this to? Cripes, I get a new e-mail with earthlink and look what happens!!!

Here's what showed up:

Date: Fri, 12 Sep 2003 10:14:28 -0700
Subject: Delivery Status Notification (Failure)




This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

frankdavidson@msn.com
frankdis@msn.com
frankia@msn.com
frankie20@msn.com

Message/delivery-status

Reporting-MTA: dns;mc11-s11.hotmail.com
Received-From-MTA: dns;mc11-f36.hotmail.com
Arrival-Date: Fri, 12 Sep 2003 10:14:16 -0700

Original-Recipient:
Final-Recipient: rfc822;frankdavidson@msn.com
Action: failed
Status: 5.2.3

Original-Recipient:
Final-Recipient: rfc822;frankdis@msn.com
Action: failed
Status: 5.2.3

Original-Recipient:
Final-Recipient: rfc822;frankia@msn.com
Action: failed
Status: 5.2.3

Original-Recipient:
Final-Recipient: rfc822;frankie20@msn.com
Action: failed
Status: 5.2.3



Forwarded Message [ Save to my Yahoo! Briefcase | Download File ]
From: "jane rozelle"
To: frank_r_brueggeman@msn.com
Date: Fri, 12 Sep 2003 13:11:00 -0400
Subject: Account Verification



HTML Attachment [ Scan with Norton AntiVirus | Save to my Yahoo! Briefcase | Download Without Scan ]

correspond howells
"EXOTIC NUDE WOMEN"
CLICK HERE
hawthorns contraction
baldauf



lizs
5:42:13 PM
9/12/03
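
Added example, not part of the thread: a check for whether a bounce like the one pasted above answers mail this mailbox actually sent, or is backscatter from a forged sender address as bitpusher describes. The sample text is constructed with placeholder hosts and addresses, and `sent_recipients` (addresses taken from your own sent-mail log) and the function names are assumptions of this sketch.

```python
import re
from email.parser import HeaderParser

# Constructed sample: same layout as the delivery-status text quoted in the
# thread, with placeholder hosts and addresses.
SAMPLE_DSN = """\
Reporting-MTA: dns;mx1.example.net
Received-From-MTA: dns;relay7.example.net
Arrival-Date: Fri, 12 Sep 2003 10:14:16 -0700

Original-Recipient:
Final-Recipient: rfc822;nobody1@example.net
Action: failed
Status: 5.2.3

Original-Recipient:
Final-Recipient: rfc822;nobody2@example.net
Action: failed
Status: 5.2.3
"""


def parse_delivery_status(text):
    """First block: per-message fields; each later block: one recipient."""
    blocks = [b.strip() for b in re.split(r"\r?\n[ \t]*\r?\n", text) if b.strip()]
    if not blocks:
        raise ValueError("empty delivery-status body")
    parsed = [HeaderParser().parsestr(b + "\n") for b in blocks]
    return parsed[0], parsed[1:]


def typed_value(field):
    """Value part of 'type;value' fields such as 'rfc822;user@host'."""
    _, _, value = (field or "").partition(";")
    return value.strip().lower()


def triage_bounce(text, sent_recipients):
    """Compare bounced recipients with addresses this mailbox really mailed."""
    per_message, per_recipient = parse_delivery_status(text)
    sent = {addr.lower() for addr in sent_recipients}
    rows = []
    for fields in per_recipient:
        addr = typed_value(fields.get("Final-Recipient"))
        rows.append({
            "recipient": addr,
            "action": (fields.get("Action") or "").strip().lower(),
            # Status class 5 is a permanent failure, class 4 a temporary one.
            "permanent": (fields.get("Status") or "").strip().startswith("5."),
            "we_sent_it": addr in sent,
        })
    return {
        "reporting_mta": typed_value(per_message.get("Reporting-MTA")),
        "recipients": rows,
        # No bounced recipient appears in our own sent log: the sender
        # address was forged and this bounce is backscatter.
        "likely_backscatter": bool(rows) and not any(r["we_sent_it"] for r in rows),
    }
```

A result with `likely_backscatter` set to true means the bounce names only recipients the mailbox never wrote to, which points to a forged sender address rather than an infection on the receiving machine.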

EXOTIC NUDE WOMEN!!!!!


Oh ya!


8p
Crazy Mike Backpacks
5:44:51 PM
9/12/03

Oh, behind the part where it said from "Jane Rozelle," my home e-mail address appeared.
lizs
5:48:17 PM
9/12/03

Help!
I have a bug shutting me down every 5 minutes or less. I tried to install a patch but the virus shut down my computer. Now when I reboot the patch option is no longer available and the virus is still shutting me down about every five minutes. I’m dead in the water.

damn user "support"!
bearmagnet
12:10:13 PM
6/23/04

Sounds like the Sasser worm...is there a new variant out there?
bitpusher
12:11:36 PM
6/23/04

Might be new. Our security is tighter than Dubyas butt!
bearmagnet
12:14:36 PM
6/23/04

Go to another computer and look up the Sasser worm on the Symantec site. Follow the instructions.


Good luck.
bitpusher
12:16:00 PM
6/23/04

shutting down in:45
bearmagnet
12:19:40 PM
6/23/04

that was 9 minutes!
bearmagnet
12:20:02 PM
6/23/04

Lotsa Korgo variants lately.... also exploiting the LSASS vulnerability.
Tilt
12:23:28 PM
6/23/04

I do not have the "privileges" required to install my own debugger. I have to rely on user support.
bearmagnet
12:23:46 PM
6/23/04

Yah I read that about Korgo, but didn't see anything about it shutting down the system. I guess it reacts in the same way.

bearmagnet, you need to get your support people down there now...shut off your computer before it infects others.
bitpusher
12:25:17 PM
6/23/04

I went down there at 11:30 EDT, they said it was all over the building. Serves 'em right, they've been quarantining every message from a Company I've been trying to establish a relationship with!
bearmagnet
12:35:35 PM
6/23/04

Not good.
Tilt
12:42:10 PM
6/23/04

Would anyone here like a job in User Support? methinks you might know more.

My co-worker's computer seems to be crashing because of the patch installation.
bearmagnet
12:44:11 PM
6/23/04

I'm waiting for the entire system to crash!
I mean world wide!
No computers! just like the 20's
Then we can all go hiking and back packing.
We need to have an emergency meeting place set up before this happens so we all know where to meet.
Say one for each area NE, SE, NW, SW, mid west, etc....
Then when everyone meets up at the local area's we have a national meeting place. whaddda ya tinx?
snafu29
12:46:05 PM
6/23/04

They thought that was going to happen in 2000 and it didn't.

Experts are still divided on whether it was no big threat to begin with, or it was avoided by the massive effort of the late nineties to get around it.

Next big date: sometime in 2038, every Unix system's clock ticker will roll over, unless something is done about it. I'm considering it to be job insurance, as I'll be in my 70's then.
bitpusher
12:49:09 PM
6/23/04

I can't believe your support people didn't already install the LSASS patch. Are they aware that Sasser (and maybe Korgo too) don't perpetuate through email?
bitpusher
12:51:08 PM
6/23/04

Meeting is at Y2's place. They sent out a patch last Friday and I believe they had a problem with it, not sure what it was for. Although one person who installed the patch crashed her hard drive during it and hasn't been able to use it.
bearmagnet
12:54:43 PM
6/23/04

More Weirdness......



Experts Study Developing Internet Attack

Updated: Friday, Jun. 25, 2004 - 9:06 AM

By TED BRIDIS
AP Technology Writer

CHICAGO (AP) - Government and industry experts warned late Thursday of a mysterious, large-scale Internet attack against thousands of popular Web sites. The virus-like infection tries to implant hacker software onto the computers of all Web site visitors.

(more)



Handlers Diary June 25th 2004

Updated June 25th 2004 14:11 UTC (Handler: Deb Hale)

Compromised Web Sites Infect Web Surfers

(for more details, also see yesterday's diary: http://isc.sans.org/diary.php?date=2004-06-24 )
Updates will be posted here.


A large number of web sites, some of them quite popular, were compromised earlier this week to distribute malicious code. The attacker uploaded a small file with javascript to infected web sites, and altered the web server configuration to append the script to all files served by the web server. The Storm Center and others are still investigating the method used to compromise the servers. Several server administrators reported that they were fully patched.

(more)
Tilt
11:02:16 AM
6/25/04

F-Secure Virus Descriptions : Scob

NAME: Scob
ALIAS: JS.Scob.Trojan, JS/Scob
ALIAS: JS.Toofer, JS/Exploit-DialogArg.b


Summary

Scob is a trojan downloader written in JavaScript. It has been found from a number of web sites at June 24th, 2004. The trojan has been found to be appended to existing files at those web servers, for example pictures such as jpeg files. According to reports, the script has not been appended by modifying the actual files on the server but using the so called footer feature from Microsoft's Internet Information Server.

(more)
Tilt
11:07:57 AM
6/25/04

hmmm, just got this email from a client...
Dear Gabrielle,
Ever since I downloaded the ads you made for me from your email, my computer keeps deleting any preferences from my programs, and or not allowing programs to open. This all started happening after I downloaded your ads you made for me. I am on a Mac, so usually there are not very many bugs, or virus problems as in the PC platform. You should check to see just in case so others don't get it. I will research the virus sites and see if the symptoms can be linked to one.

I am having to email at school because I can't open my email or other programs now. Janet

==========
what do you think? possible?? I am running a full system scan every single day and I keep norton pretty much updated.
Gemini
3:26:34 PM
8/31/04

It could be coincidence. I don't know anything about Macs, so I don't even really have a handle on what she's talking about.
bitpusher
3:30:23 PM
8/31/04

My husband got an e-mail from "mailer-demon", meaning that he sent an e-mail that had a bad address and it was returned. He opened it to see who he had mailed and BAM, it says "I love you", and our computer is now acting wacky.

Hubby downloaded or uploaded "whatever" McAfee or whatever it is, but maybe the horse has left the barn already. I think he did one of those scans too where you get people that are tracking your internet movements off your computer.
lipstick hiker
10:58:13 PM
8/31/04

Gem - I would say it's pretty unlikely that your friend's problems are a result of your email, but I guess it could be possible, macs are very rarely affected by viruses, especially viruses from PC's
If you haven't changed HD's yet you may wanna just do a clean install on the new drive, that way you're sure it's clean :)

LH - sounds to me like maybe you got a backdoor or worm virus...sometimes McAfee won't even pick those up :(
Also just an FYI....just because an email says it's from a mail-daemon doesn't necessarily mean it is...it's pretty easy to spoof an email addy!
UPluver
11:33:23 PM
9/02/04

I'm gonna strangle my kid when he comes home from school. I got to the monthly maintenance of his computer a little late, hoping he would at least keep the virus program up to date.

I went on his computer and woahhh...he don't have a virus program anymore. Why? I have no #&%!$ing idea!!! He should have one!

I installed a new free version and it's running about hmm...10 minutes and already found over 20 infections!! 20!!!!!

I am gonna kill him!!!! Would not surprise me if his whole computer is #&%!$ed up and I will have to reinstall everything!!
ZodiacVoodoo
8:01:29 AM
10/27/05

He was probably on "My Space", it's huge with the younger crowd. One of the gals at work checked her site out at work and it screwed up the computer so bad we had to reformat it. The site itself is OK, just some of the files that get passed around are bad. They also found at least one site that gives you a virus or Trojan just by visiting.
mtnsteve
8:10:26 AM
10/27/05

He may not have removed the anti-virus software. It may have been a trojan or virus that removed it.
skiracer
8:13:43 AM
10/27/05

My kids use My Space too. I had a Trojan on my computer last week and it took my virus protection 5 days to rid it. It wasn't fun. I couldn't even go on line due to it. I've warned them to NOT click on anything that pops up.
songbyrd601
8:21:51 AM
10/27/05

Thank goodness, I thought this was going to be yet another person posting a warning for that damn OBL virus...
bloodpusher
8:22:59 AM
10/27/05
