Author Topic: new level of malice found in virus code
Doug Allan
Resident


Member # 2247

I have been getting more suspicious emails with attachments & have been very strict with my policy of deleting any suspicious emails without ever having any viewed in the preview pane, & for sure not opening them.

I have been right-clicking to view properties occasionally & clicking on "message source" when I am curious for any reason.

Today I got an email with attachment claiming to be from administration@islandsign.com & since that is my domain & I have no mailbox by that name, I was curious.

What I found was not only that there had been a virus attached (no surprise there) but the message content was a completely malicious attempt to encourage any unsuspecting recipients to open the attachment, & such blatant continued misrepresentation of the association between that email & my company name (domain name) that I would think it borders on criminal slander.

As you can see from the highlighted areas in the image below, I guess the code in the virus is not only able to harvest addresses from infected computers, & replicate itself with spoofed senders' addresses... but it drops these domain names into message content to further slander the innocent owners of harvested email addresses.

What I'm not sure about is the "return path" shown at the top. I realize that the "from" line in the center is a "spoofed" address, but is the sign related address shown in the "return path" also an innocent victim whose address was added by the virus?

[image: message source with highlighted areas]

--------------------
Doug Allan
http://www.islandsign.com

"you get what you settle for"

Posts: 8981 | From: Kahului, HI, USA | Registered: Sep 2001
Greg McRoberts
Resident


Member # 3501

This is the "Beagle" virus, and it's flat-out nasty according to a few people I've talked to today.

Make sure your virus protection is up-to-date!

--------------------
Greg McRoberts
MacSign
Dayton, Ohio

Posts: 388 | From: Dayton, Ohio USA | Registered: Dec 2002
Mark Smith

Member # 298

Doug,

I feel certain the top address is spoofed as well. This thing is likely fully automated and you are deep in a chain of "sends."

Good luck with it!

--------------------
Best Regards,
Mark Smith
EstiMate Sign Pricing Software
It's Not Luck. It's EstiMate.™
http://www.EstiMateSoftware.com
1-888-304-3300

Posts: 724 | From: Asheville, NC, USA | Registered: Nov 1998
Mike O'Neill
Resident


Member # 470

I've seen loads like that a few weeks ago... I run my own domain and as postmaster I get all the undeliverables; I had mail addressed to bob, tom, harry, debbie etc... @copyshop.ca, all the most popular names, hoping to get a hit.

For a while I was getting more virus emails than spam ... peaked out at 160 in one day; but it's been relatively quiet in the past week.

--------------------
Mike O'Neill


It has yet to be proven that intelligence has any survival value.
- Arthur C. Clarke


mike@copyshop.ca

Posts: 3094 | From: Labrador City, NF, Canada | Registered: Nov 1998
Doug Allan
Resident


Member # 2247

I'm seeing replies on the old familiar aspects of the virus itself or the spoofing of an address...

... but that paragraph at the bottom is what piszes me off the most, I never realized the domain info would get swapped into several places in a letter within an infected email to make it look as if I intentionally, maliciously encouraged someone to open an infected attachment.

--------------------
Doug Allan
http://www.islandsign.com

"you get what you settle for"

Posts: 8981 | From: Kahului, HI, USA | Registered: Sep 2001
Si Allen
Resident


Member # 420

I got one, a little different version:
quote:

From: "Yahoo! Mail Virus Protection <mail-antivirus@yahoo-inc.com>"
To: siallen@sbcglobal.net
Date: Wed, 03 Mar 2004 08:23:09 -0600
Subject: "Alert: Virus Detected but not Cleaned - Attachment Removed" [E-mail account disabling warning.]
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="0-1905800192-1078366516-59522"

--0-1905800192-1078366516-59522
Content-Type: text/plain; charset=us-ascii
Content-Id:
Content-Disposition: inline

"Yahoo! Mail Virus Protection detected the virus '"W32.Beagle.J@mm"' in the file '"Attach.zip"', attached to the enclosed email message. We scanned the file using Norton AntiVirus but were unable to clean it. Therefore, we removed the content of the attachment from the message. Please contact the message sender if you want to receive the attachment. They must clean the file and resend it before we can deliver it to you safely.

"

"Yahoo! Mail successfully cleans most infected attachments, which protects you from viruses.
"

--0-1905800192-1078366516-59522
Content-Type: message/rfc822

X-Apparently-To: siallen@sbcglobal.net via web80605.mail.yahoo.com; Wed, 03 Mar 2004 06:23:12 -0800
Return-Path: <steve@letterhead.com>
Received: from yipvmd-ext.prodigy.net (EHLO yipvmd.prodigy.net) (207.115.63.31)
by mta828.mail.sc5.yahoo.com with SMTP; Wed, 03 Mar 2004 06:23:11 -0800
X-Header-NoReverseIP: IP.name.lookup.failed[12.155.252.192]
X-Originating-IP: [12.155.252.192]
Received: from S0026547145 ([12.155.252.192])
by yipvmd.prodigy.net (8.12.10/8.12.10) with SMTP id i23EN9TZ1358620
for <siallen@sbcglobal.net>; Wed, 3 Mar 2004 09:23:10 -0500
Date: Wed, 03 Mar 2004 08:23:09 -0600
To: siallen@sbcglobal.net
Subject: E-mail account disabling warning.
From: staff@sbcglobal.net
Message-ID: <hmjlpmusrkycacpqhth@sbcglobal.net>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------scpltyvxxmuixtxdyhkw"

----------scpltyvxxmuixtxdyhkw
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hello user of Sbcglobal.net e-mail server,

Your e-mail account will be disabled because of improper using in next
three days, if you are still wishing to use it, please, resign your
account information.

For details see the attach.

For security purposes the attached file is password protected. Password is "62815".

Kind regards,
The Sbcglobal.net team http://www.sbcglobal.net

----------scpltyvxxmuixtxdyhkw
Content-Type: application/octet-stream; name="Attach.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Attach.zip"


----------scpltyvxxmuixtxdyhkw--


--0-1905800192-1078366516-59522




--------------------
Si Allen #562
La Mirada, CA. USA

(714) 521-4810

si.allen on Skype

siallen@dslextreme.com

"SignPainters do It with Longer Strokes!"

Never mess with your profile while in a drunken stupor!!!

Brushasaurus on Chat

Posts: 8831 | From: La Mirada, CA, USA | Registered: Nov 1998
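Doug's question about whether the Return-Path is spoofed as well, and the header dump Si quoted above, can be read the way a receiving mail admin reads them: walk the Received chain oldest-first, note where the message actually entered the mail system, and compare that with the domain the From and Return-Path lines claim. The Python below is an added example, not code from this thread or from any poster. The header text is copied from the inner message in Si's quote (folding whitespace restored on the Received lines, attachment omitted), and the function names (analyze, spoof_indicators, received_hops) are my own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the message/rfc822 part quoted in Si Allen's post.
# Continuation lines of the Received headers are re-indented so the parser
# treats them as folded headers; the attachment body is left out.
SAMPLE_HEADERS = """\
Return-Path: <steve@letterhead.com>
Received: from yipvmd-ext.prodigy.net (EHLO yipvmd.prodigy.net) (207.115.63.31)
 by mta828.mail.sc5.yahoo.com with SMTP; Wed, 03 Mar 2004 06:23:11 -0800
X-Header-NoReverseIP: IP.name.lookup.failed[12.155.252.192]
X-Originating-IP: [12.155.252.192]
Received: from S0026547145 ([12.155.252.192])
 by yipvmd.prodigy.net (8.12.10/8.12.10) with SMTP id i23EN9TZ1358620
 for <siallen@sbcglobal.net>; Wed, 3 Mar 2004 09:23:10 -0500
Date: Wed, 03 Mar 2004 08:23:09 -0600
To: siallen@sbcglobal.net
Subject: E-mail account disabling warning.
From: staff@sbcglobal.net
Message-ID: <hmjlpmusrkycacpqhth@sbcglobal.net>

(attachment omitted)
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def domain_of(header_value):
    """Lowercase domain of an address header such as From or Return-Path."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def received_hops(msg):
    """Received headers oldest-first as (from_clause, by_host, ips_in_from)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        flat = " ".join(raw.split())  # unfold the header
        m = re.match(r"from (.+?) by (\S+)", flat)
        from_clause = m.group(1) if m else flat
        by_host = m.group(2) if m else ""
        hops.append((from_clause, by_host, IP_RE.findall(from_clause)))
    return hops


def origin_ip(msg):
    """IP that handed the message to the first relay, per the oldest Received."""
    hops = received_hops(msg)
    if hops and hops[0][2]:
        return hops[0][2][0]
    m = IP_RE.search(msg.get("X-Originating-IP", ""))
    return m.group(1) if m else ""


def spoof_indicators(msg):
    """Heuristic findings a receiving admin would note; none of them alone is proof."""
    findings = []
    frm, rp = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if frm and rp and frm != rp:
        findings.append(f"Return-Path domain {rp} differs from From domain {frm}")
    hops = received_hops(msg)
    if hops:
        first_from, first_by, _ = hops[0]
        # The From line claims sbcglobal.net, yet the message entered the
        # system through a prodigy.net relay: the claimed sender never touched it.
        if frm and frm not in first_by:
            findings.append(f"first relay {first_by} is not in claimed sender domain {frm}")
        # A bare machine name with no dots is typical of an end-user PC, not a mail server.
        if "." not in first_from.split()[0]:
            findings.append(f"first hop '{first_from}' is a bare host name, not a mail server")
    if "lookup.failed" in msg.get("X-Header-NoReverseIP", ""):
        findings.append("receiving MTA recorded a failed reverse lookup for the origin IP")
    return findings


def analyze(raw):
    """Parse a raw message and return the pieces an admin checks first."""
    msg = message_from_string(raw)
    return {
        "from_domain": domain_of(msg["From"]),
        "return_path_domain": domain_of(msg["Return-Path"]),
        "origin_ip": origin_ip(msg),
        "hops": received_hops(msg),
        "findings": spoof_indicators(msg),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_HEADERS)
    for frm, by, _ in report["hops"]:
        print(f"hop: {frm} -> {by}")
    for finding in report["findings"]:
        print("!", finding)
```

Run against the quoted headers, the script shows the message was injected from 12.155.252.192 (a host with no reverse DNS) into a prodigy.net relay, while From claims sbcglobal.net and Return-Path claims letterhead.com. Neither the From nor the Return-Path domain appears anywhere in the delivery chain, which is the evidence behind Mark's reply: both addresses were picked from someone's harvested address book, and the domain owners had no part in the send.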
Steve Burke
Visitor
Member # 2674

I got the exact same message, Si. Luckily my corporate scan caught it on the way in, because it was deceiving enough to be believable, as we get LOTS of messages from our IT people to run these scans they forward us.

--------------------
Steve Burke
Cascades Inc
NS Canada

If at first you don't succeed, skydiving isn't for you

Posts: 359 | From: NS Canada | Registered: Jan 2002
faye welsh
Visitor
Member # 2524

Doug, just got one from a friend in Georgia describing the new virus visitor. I am not opening anything, even if I am afraid it is genuinely intended for me. They make too much of a mess. A tip I once received to thwart an email address theft is to go in your address book and make the first entry aaa@aaa. This stumps the thief and stops any further attempt at taking over addresses. No complaints so far. Faye [FYI]

--------------------
Faye Welsh (fiddles)
4848 cherry street
allison park, pa. 15101
fiddles51@yahoo.com

Posts: 259 | From: 4848 Cherry St. Allison Park, Pa. 15101 | Registered: Dec 2001
Barry Branscum
Visitor
Member # 445

Yep! I got the same one, appearing to be from my local provider.... Good ol' Norton nabbed and deleted the attachment though..

--------------------
Barry Branscum

Master's Touch
DESIGNS
www.masterstouchsigns.com

no, my signshop website is not finished....still.

218 Hwy 65 B
Clinton, AR
501.745.6246

Posts: 2500 | From: Clinton, AR USA | Registered: Nov 1998
Doug Allan
Resident


Member # 2247

quote:
Your e-mail account will be disabled because of improper using in next
three days, if you are still wishing to use it, please, resign your
account information.

Fortunately, some of these emails' believability is "disabled because of improper using" of the English language.

As for the ways to protect email addresses from being harvested on my machines, not only have I avoided any infections through maintaining up to date virus definitions etc. but I also delete all emails & keep no address book or contact list.

--------------------
Doug Allan
http://www.islandsign.com

"you get what you settle for"

Posts: 8981 | From: Kahului, HI, USA | Registered: Sep 2001
Adrienne Pereira
Visitor
Member # 1046

I was just thinking this week that IF I was to keep my address book but add a '1' or a single letter to the beginning of each address, making it undeliverable until I remove the added number or letter before hitting send...so I don't have to look up each email address i need.

Won't this solve the problem of any access of my address book being copied by a virus?

A:)

--------------------
Adrienne Pereira
Splash Signs

Port Angeles, WA
----------------
"Sure, it's colder in the Northwest, but...it's a damp cold!"

360-477-5656
splashsigns@msn.com

Posts: 4868 | From: Port Angeles, Washington, USA | Registered: Sep 1999
Rick Beisiegel
Resident


Member # 3723

There is nothing that irks me more than an empty subject line with an attachment. I think all these replies show how important it is to be sure to fill it in, so we can determine the legitimacy of an email. I delete everything that looks even remotely weird to me.

Occasionally I wonder "What if it is a job?" Oh well, it's worth the risk not to have the shop go down for a day or two just because I was curious.

Regards,

--------------------
Rick Beisiegel
Vital Signs & Graphics
Since 1982
(231) 452-6225 / (231) 652-3300
www.vitalsignsandgraphics.com
www.facebook.com/VitalSignsNewaygo

"Good judgment comes from experience; and a lot of that comes from bad judgment" - Will Rogers

Posts: 3488 | From: Beautiful Newaygo, Michigan | Registered: Mar 2003
Doug Allan
Resident


Member # 2247

Adrienne,
I've heard suggestions like that too, & I would think that will surely work to avoid any of your contacts receiving any infected mail, if your computer became infected by a virus that was harvesting from your address book.

As I think about it, the altered email addresses would also get written into the "from" line... so as the monster moves around, grows & evolves... other recipients at valid addresses will get infected mail from 1splashsigns2@hotmail.com or 1signshop@islandsign.com

That scenario could still generate some negative perception towards a domain name, although I don't think too many people still think the "from" address is valid anymore.

Another possibly better twist on your idea is using the * instead of the @ symbol. This would probably make the string of characters not be harvested at all.

--------------------
Doug Allan
http://www.islandsign.com

"you get what you settle for"

Posts: 8981 | From: Kahului, HI, USA | Registered: Sep 2001
VICTORGEORGIOU
Visitor
Member # 474

Doug, during the last big virus, I found that my address was being spoofed by the virus. The virus checkers on the receiving end would send them back to me. They looked like tom@anchorblanks.com, susan@, anyname@ and so on. Nothing I ever use. I knew they were not coming out of my computer. I ran full computer virus scans multiple times and the computer was always clean. So, someone who had vic@anchorblanks on their machine got the virus, the virus spoofed the return address, and sent out to their mailing list.

A couple of people sent me angry notes telling me to take them off their mailing list. I sent back a note trying to explain about spoofs, but I doubt if they believed it.

In any event, I don't know what any of us can do other than to keep a good current virus checker running at all times. Vic G

--------------------
Victor Georgiou
Danville, CA , USA

Posts: 1746 | From: Danville, CA, USA | Registered: Dec 1998
Doug Allan
Resident


Member # 2247

quote:
I don't know what any of us can do other than to keep a good current virus checker running at all times.
I agree Vic, & I think not saving anyone's email address on our hard drives is also a necessary, though inconvenient, additional courtesy that should be considered these days.

The spoofed return address is so commonplace now, I hardly think anyone, in our business circles at least, still misunderstands that.

Although I had grown used to the idea that people may get infected mail that says it is from islandsign.com I wasn't prepared for them to get email that basically says:
"islandsign.com has received indication that your computer may need this attached fix...
cheers, the islandsign.com team"

--------------------
Doug Allan
http://www.islandsign.com

"you get what you settle for"

Posts: 8981 | From: Kahului, HI, USA | Registered: Sep 2001