ABXZone Computer Forums



Old 12-17-2004, 04:31 PM   #16
wayne_abx (Never Ending)
Join Date: Jul 2002
Location: Vancouver, Washington (State)
Posts: 4,188

You're a scary fella, Fraoch

-wayne

__________________
System-1 (primary)
Intel D875PBZLK FMB 1.5 > Pentium 4/ 3.0E (D0) > Crucial Ballistix 512mb PC4000 (Dual Channel) > ATI Radeon 9500 Pro (128) > Audigy 2 Platinum > Thermaltake P4 Spark 7+ (Xaser Edition) - Antec 80x80mm x5 > 1x 80GB WD SE - 2x Seagate 200GB 7200RPM Barracuda 7200.7 Plus SATA > Lite-On LDW811s DVD +/- Toshiba SDM1712 DVD > Antec 430 TP > WinXP w/ SP2

Gigabit Network, Linksys WRT54GS, Linksys EG008W 8-port gigabit switch, ximeta network storage, Motorola SB4200
Old 12-17-2004, 04:45 PM   #17
Fraoch (Resident ABX Wizard)
Join Date: May 2003
Location: London, Ontario
Posts: 8,814
Quote:
Originally Posted by wayne
You're a scary fella, Fraoch

-wayne
Old 12-20-2004, 11:22 AM   #18
Fraoch (Resident ABX Wizard)
Join Date: May 2003
Location: London, Ontario
Posts: 8,814
...and another one today. This was a business contact, I'm sure I was in this guy's address book for legitimate purposes.

What the heck's going on? Nothing for 6 years and suddenly half-a-dozen in a few weeks? Is there a big Netsky-C incident raging right now?

BTW to help this guy out I recommended McAfee Stinger. You don't have to get the IT department involved right away, it's a single executable, it scans reasonably fast and it's free. It's also current as of Dec. 14th.

Edit: at least things aren't as bad as Strong Bad...

Last edited by Fraoch : 12-20-2004 at 11:46 AM.
Old 12-29-2004, 11:46 AM   #19
Fraoch (Resident ABX Wizard)
Join Date: May 2003
Location: London, Ontario
Posts: 8,814
This is getting serious

I'm getting 1-2 of these per day now. Most seem to be from business contacts?

Today I have evidence that my webmail address has been hijacked! I can find no evidence that my machine is infected and the intended recipient is not in my address book. What's bizarre is that the intended recipient works for a company that COULD be a business contact, but isn't currently.

Below is a quoted message, with addys removed:

Quote:
--- The message cannot be delivered to the following address. ---

[unknown addy but possible contact] Mailbox unknown or not accepting mail.
550 No such recipient

Reporting-MTA: [removed]
Final-Recipient: [removed]
Action: failed
Status: 5.1.1
Diagnostic-Code: X-Notes; Cannot route mail to user ([removed]).

Subject: only encrypted!
From: [Fraoch's yahoo.ca address]
Date: Wed, 29 Dec 2004 08:50:21 -0700
To: [removed]

why should I?

File attachment: mails.zip
A file attached to this email was removed
because it was infected with a virus or was an executable attachment disallowed by policy.
If you have any questions, please contact [removed].

Result: Virus Detected
Virus Name: W32.Netsky.C@mm
File Attachment: mails.zip
Attachment Status: deleted
This is very worrisome. I know my machine isn't infected, but could my webmail have been hijacked?
Old 12-29-2004, 05:26 PM   #20
Fraoch (Resident ABX Wizard)
Join Date: May 2003
Location: London, Ontario
Posts: 8,814
Bump on this last question. Since then I've scanned my computer for viruses, spyware and adware and come up clean. This means someone has hijacked my e-mail address (or can they spoof it?)

I have changed my password to get into the e-mail account. Also I see that there are no suspicious e-mails in the sent items folder, meaning it wasn't done through conventional "hacking" into my account.

I will try some online virus scanning of my PC though from different AV manufacturers just to be sure.
Old 12-29-2004, 06:30 PM   #21
wallijonn (PHX)
Join Date: Jul 2004
Location: Phoenix
Posts: 2,569
What about trojans and worms? Did you run TDS-3 on it?
__________________
D875PBZLK, MAC G4-933
Old 12-30-2004, 08:30 AM   #22
Fraoch (Resident ABX Wizard)
Join Date: May 2003
Location: London, Ontario
Posts: 8,814
I've never heard of TDS-3 before, I'll give that a shot.

I tried McAfee Stinger, which can detect Netsky worms - clean.

Panda ActiveScan doesn't work on this PC.
Old 12-30-2004, 11:14 AM   #23
Registered User
Join Date: Aug 2004
Posts: 802
Quote:
Originally Posted by Fraoch
I'm getting 1-2 of these per day now. Most seem to be from business contacts?

Today I have evidence that my webmail address has been hijacked! I can find no evidence that my machine is infected and the intended recipient is not in my address book. What's bizarre is that the intended recipient works for a company that COULD be a business contact, but isn't currently.

<snip>

This is very worrisome. I know my machine isn't infected, but could my webmail have been hijacked?
Your machine isn't really involved as you have noted via scan results of various malware detectors. Based on your earlier posts, I got the impression you were aware of how Netsky (and similar worms) works. But in the quoted post, your comments / questions now leave me in doubt. At any rate, Netsky has "attacked" someone in your line of business who has you and / or other related contacts in their address book (others who in turn may have become infected and have you in their address books). However it resulted, your email address was obtained on someone else's machine and then an email was sent using your address to another ill-gotten contact. Thus, the cycle continues. You usually only become aware of this infection on someone else's machine when:

1. A very irate (and likely uninformed) recipient notifies you that you are sending him / her infected emails (though you aren't);

2. The recipient address is "bad", and the mail gets returned to your address, giving the appearance to even you that it originated from you or your machine (though it didn't);

This is not so much worrisome as bothersome, since there is very little you can do about it (determining who is actually infected and notifying them is difficult, to say the least, as evidenced by the specific scenario you described; neither you nor the recipient is the source of the infection, you are both targets of another [unknown] infected machine).

I have been passively following the ABXZone thread recently started discussing how some people claim to not need antivirus software. They seem to think if they get trashed, the impact is only to them, and they can withstand the hassle of reformatting. However illogical that may be even if it applied to only them, the truth is, when they get compromised, many other people suffer from their neglect. That is how virus writers get their viruses to propagate...through the lack of care of a vast number of computer users.

As to why this is sneaking through Yahoo mail scanners, I can only say that some newsgroup articles indicate that Yahoo's antivirus system is somewhat hit and miss, maybe by as much as 50% hit / 50% miss in some cases. I don't know if this is due to poor quality scanners or a matter related to volume and delivery expedition. I tend to suspect more of the latter than former, but it could be due to something entirely different.
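The post above explains why a bounce like the one Fraoch quoted looks as if it came from his account when it did not: the worm forges the From: line from a harvested address book and delivers straight from the infected PC. The check a practitioner actually applies is to read the returned message's Received: headers, since the earliest hop is the machine that submitted the mail, and a worm with its own SMTP engine shows up there instead of the owner's webmail host. The Python script below does that triage. It is an added example, not code posted by anyone in this thread. The sample bounce is constructed to mirror the quoted DSN; its Received: line, host names, IP addresses and the owner's "known sending hosts" are assumptions, because the quoted bounce showed none of them. The quoted Date: is stamped -0700, two zones west of Ontario, which is the kind of hint the script records but treats as weak (a provider may stamp its own zone rather than the user's).

```python
"""Triage a worm-generated bounce (DSN) to tell a forged From: address
from mail that really left the account owner's mailbox.

Added example, not from the thread. All hosts, IPs and addresses below
are constructed placeholders.
"""
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# What the account owner knows about their own sending path. These are
# assumptions for the example; take the real values from headers of mail
# you know you sent yourself.
OWNER_ADDRESS = "owner@example.ca"
OWNER_SUBMIT_HOSTS = {"web.mail.example.ca", "smtp.example.ca"}
OWNER_UTC_OFFSET = timedelta(hours=-5)      # owner's local zone (Eastern, winter)

HEADERS_MARKER = "--- Original message headers ---"

# Constructed sample bounce, shaped like the DSN quoted in the thread.
# A mass-mailer with its own SMTP engine talks straight to the victim's
# MX, so the returned headers carry a single Received: hop naming the
# infected PC rather than the owner's provider.
SAMPLE_BOUNCE = f"""\
--- The message cannot be delivered to the following address. ---

someone@partner.example Mailbox unknown or not accepting mail.
550 No such recipient

Reporting-MTA: dns; mx.partner.example
Final-Recipient: rfc822; someone@partner.example
Action: failed
Status: 5.1.1
Diagnostic-Code: X-Notes; Cannot route mail to user (someone@partner.example).

{HEADERS_MARKER}
Received: from home-pc (unknown [203.0.113.42])
    by mx.partner.example (Postfix) with SMTP id 7F2A1B
    for <someone@partner.example>; Wed, 29 Dec 2004 08:51:03 -0700
Subject: only encrypted!
From: {OWNER_ADDRESS}
Date: Wed, 29 Dec 2004 08:50:21 -0700
To: someone@partner.example
"""

# Same bounce, but the earliest hop is the owner's webmail host and the
# Date: carries the owner's zone: what a message really sent from the
# account would look like.
SAMPLE_SENT_BY_OWNER = SAMPLE_BOUNCE.replace(
    "from home-pc (unknown [203.0.113.42])",
    "from web.mail.example.ca (web.mail.example.ca [198.51.100.7])",
).replace("-0700", "-0500")

DSN_FIELD = re.compile(
    r"^(Reporting-MTA|Final-Recipient|Action|Status|Diagnostic-Code):\s*(.*)$",
    re.MULTILINE,
)


def parse_dsn_fields(dsn_text):
    """Pull the RFC 3464 per-recipient fields out of the bounce text."""
    return {name: value.strip() for name, value in DSN_FIELD.findall(dsn_text)}


def first_hop(msg):
    """Host and IP literal from the *earliest* Received: header.

    Receiving servers prepend Received: lines, so the last one in the list
    is the first hop: the machine that actually submitted the message.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    earliest = " ".join(received[-1].split())       # unfold the header
    host = re.match(r"from\s+(\S+)", earliest)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", earliest)
    return (host.group(1).rstrip(".").lower() if host else None,
            ip.group(1) if ip else None)


def triage(bounce_text):
    """Return the evidence gathered from one bounce plus a verdict."""
    dsn_text, _, headers_text = bounce_text.partition(HEADERS_MARKER)
    fields = parse_dsn_fields(dsn_text)
    msg = message_from_string(headers_text.lstrip("\r\n"))
    host, ip = first_hop(msg)
    _, from_addr = parseaddr(msg.get("From", ""))
    date = msg.get("Date")
    tz_matches = None
    if date:
        # A worm stamps Date: with the infected PC's clock and zone; a
        # mismatch with the owner's zone is a hint, not proof.
        tz_matches = parsedate_to_datetime(date).utcoffset() == OWNER_UTC_OFFSET
    status = fields.get("Status", "")
    result = {
        "status": status,
        "permanent_failure": status.startswith("5."),
        "from_is_owner": from_addr.lower() == OWNER_ADDRESS,
        "first_hop_host": host,
        "first_hop_ip": ip,
        "submitted_via_owner": host in OWNER_SUBMIT_HOSTS,
        "date_tz_matches_owner": tz_matches,
    }
    if not result["from_is_owner"]:
        verdict = "not-our-address"
    elif host is None:
        verdict = "inconclusive"          # bounce stripped the Received: lines
    elif result["submitted_via_owner"]:
        verdict = "sent-via-owner"        # check Sent folder, rotate password
    else:
        verdict = "forged-from"           # someone else's infected machine
    result["verdict"] = verdict
    return result


if __name__ == "__main__":
    for label, sample in (("worm", SAMPLE_BOUNCE), ("owner", SAMPLE_SENT_BY_OWNER)):
        print(label, triage(sample))
```

Run it as-is to see the two verdicts; for a real bounce, paste the returned headers after the marker line and fill in your own provider's submission hosts. Some bouncing MTAs strip the original headers entirely, in which case the script reports "inconclusive" rather than guessing.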
Old 12-30-2004, 11:25 AM   #24
JaGWiRE_abx (Registered User)
Join Date: Dec 2004
Location: Toronto, Ontario, Canada
Posts: 2,912
Fraoch, maybe it's just for us up north people (I'm in TO too).

I got like 28, I think it was Netsky or something, viruses (all found by the McAfee scanner and auto-detected); deleted them and they kept coming back. That was pissing me off, but I was okay with it until my wireless was getting hijacked/screwed and then my web was randomly getting hijacked by some "wtdqsd" something thing, so I went googling and didn't find any positive results; ended up formatting on the 10th and I'm clean now.

This was very strange; I rarely ever check my Hotmail or Gmail emails, to be honest. Although I just scanned with Norton 2005 this time (dumped McAfee for now), about 2-3 weeks after the format, and it found a keylogger, which IMO is something to be very scared about. I removed it, but those keyloggers make me very worried; I mean, formatting my comp is one thing, but knowing all my passwords... that's just scary. I then went and got instructions from Norton to remove everything, and they said go into Add/Remove Programs and remove it, when I could not even find this keylogger. So I'm guessing hackers and virus coders are beginning to get through to us with some danger; although most viruses such as Netsky don't have much danger, these things do slow gamers down, and really being hijacked badly is a pain in the ***, usually resulting for me in a system restore or a format. I'm beginning to think I will add several more recommended scanners to my computer to have some extra safety, along with my brand newly installed ZoneAlarm Security Suite, due to my worries.
Old 12-30-2004, 11:57 AM   #25
Fraoch (Resident ABX Wizard)
Join Date: May 2003
Location: London, Ontario
Posts: 8,814
Aboard - thanks for your explanation. I'm sure this is the case as scans of my computer using multiple software products from multiple software vendors turn up nothing. Plus I have better protection than 95% of the average computer users out there, and even slightly better than the average ABXZone member.

You are probably bang on in the scenario - one infected contact is sending out e-mails to other contacts (one being me), more machines are getting infected, some of which have my e-mail address as a contact, etc.

I was not aware that the virus can spoof e-mail addresses based on what it finds in address books though. In fact, I don't see that based on a brief review of http://securityresponse.symantec.com...tsky.c@mm.html

You are right - I've done everything I can at my end. My computer remains secure and any other affected users will have to work on their own machines as there's nothing more I can do. I just hope some potential business contact doesn't think I'm sending him viruses when I actually am not. That could affect my sales.
Old 12-30-2004, 12:05 PM   #26
JaGWiRE_abx (Registered User)
Join Date: Dec 2004
Location: Toronto, Ontario, Canada
Posts: 2,912
Fraoch, if it's going to affect your business at all, maybe it's time for that format, if you're hearing me, although only an idiot could tell you that. Although you could get the virus again; I am confused that I did not get it again after I formatted, possibly because I am not going to any of these inappropriate sites. I always read your threads, Fraoch, even before I was registered, for a long time; I find you usually bring up a good point/topic about an item that we all learn something from, even the newbs.

offtopic

*I remember a while ago reading your thread about buying a laptop; you have talked about your new Centrino many times in new threads. What did you end up buying?
Old 12-30-2004, 12:09 PM   #27
Registered User
Join Date: Aug 2004
Posts: 802
Quote:
Originally Posted by Fraoch
I was not aware that the virus can spoof e-mail addresses based on what it finds in address books though. In fact, I don't see that based on a brief review of http://securityresponse.symantec.com...tsky.c@mm.html

You are right - I've done everything I can at my end. My computer remains secure and any other affected users will have to work on their own machines as there's nothing more I can do. I just hope some potential business contact doesn't think I'm sending him viruses when I actually am not. That could affect my sales.
From the quoted site:

"12. The email has the following characteristics:

From: (Spoofed)
Note: This email address could be one of the addresses retrieved by the worm, as indicated in step 9."



-------

If you are concerned about your contacts believing you are the source of possibly infected emails, you could send a notice to each explaining the situation (i.e., you are not the true source). This could serve the additional purpose of causing the recipient to check his own machine for compromise (without you having to be accusatory), but it could also lead to confusion amongst those that don't understand the sneaky modus operandi of such worms (i.e., your notice may cause more questions / discussion than it's worth). The call is yours, of course.
Old 12-30-2004, 12:21 PM   #28
Fraoch (Resident ABX Wizard)
Join Date: May 2003
Location: London, Ontario
Posts: 8,814
Quote:
Originally Posted by JaGWiRe
I always read your threads, Fraoch, even before I was registered, for a long time; I find you usually bring up a good point/topic about an item that we all learn something from, even the newbs.

offtopic

*I remember a while ago reading your thread about buying a laptop; you have talked about your new Centrino many times in new threads. What did you end up buying?
Thank you for the nice compliment, JaGWiRe!

Actually my parent company just gave me a spare laptop they already had. It's much better than the ones I was looking at - Pentium M 1.5 GHz "Banias" with Centrino. This was the supplier - it seems this company handles all the parent company's computer hardware requirements and they got a good deal on it. They have several of these configured identically so they can swap out components to repair them.

ABoard - I apologize for missing that. It was a very long document and I scrolled through it too quickly. But that would definitely explain what I'm seeing.

I should refrain from responding to these e-mails (done this twice now, but only with suppliers rather than customers) since it's potentially not them that's sending out the e-mails.
Old 12-30-2004, 12:21 PM   #29
mpparent (Registered User)
Join Date: Dec 2003
Posts: 107
What about a digital sig?

Mike
Old 12-30-2004, 12:23 PM   #30
Fraoch (Resident ABX Wizard)
Join Date: May 2003
Location: London, Ontario
Posts: 8,814
Quote:
Originally Posted by mpparent
What about a digital sig?

Mike
A very interesting suggestion, and fully supported by Thunderbird, but it's so rare I doubt any of my contacts are looking for it (or would notice its absence!)
Powered by vBulletin® Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.