sinking feeling.....

Discussion in 'malware problems & news' started by Detox, Oct 29, 2002.

Thread Status:
Not open for further replies.
  1. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    OK I got an email and this email was from a girl I know but it was not meant for me. It did have text in it that let me know she really did write this email. It also had an attachment "sumo1" with 2 file extensions including scr as the second. Anyway I knew it was a nasty but AVG didn't kick off at first so I saved the file in "my documents" so I could check it out. Every time I open "my documents" the screen turns black, sounds like it's some sort of activation to the monitor itself. Ah ok scanning w/AVG now and it found "I-Worm/Bugbear" already.

    I knew it was a nasty I just wanted to see which one. Argh I guess from now on I won't play investigator. About time to send an email to my friend after I get cleaned up here. FFS!
     
  2. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    hmmm AV cleaned it just fine, don't see why it didn't find it before I saved it to disk though. The file name is sumo1.jpg.scr BTW and it tries to open itself in OE but I suppose it's my settings that make it ask first. Anyway AVG cleaned it for sure b/c I ran the NOD32 removal tool from "free tools" and it found nothing so ;-)
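    The attachment name above (sumo1.jpg.scr) is the classic double-extension trick: a decoy ".jpg" in the middle and an executable ".scr" at the end. The following Python is an added example, not code from this thread or from any antivirus product, showing how a mail filter can parse a message and flag attachments whose final extension Windows would execute. The sample message, the extension lists and the attachment bytes are constructed for the example.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Final extensions that Windows runs as a program when the file is opened.
# Constructed list for this example; extend it for a real deployment.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
# Harmless-looking extensions worms put in front of the real one as a decoy.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3", "zip"}


def classify_attachment(filename):
    """Describe an attachment name: its real (final) extension, whether that
    extension is executable, and whether a decoy extension precedes it."""
    parts = filename.lower().split(".")
    final_ext = parts[-1] if len(parts) >= 2 else ""
    decoy = parts[-2] if len(parts) >= 3 and parts[-2] in DECOY_EXTS else None
    return {
        "name": filename,
        "final_ext": final_ext,
        "executable": final_ext in EXECUTABLE_EXTS,
        "double_extension": decoy is not None,
        "decoy_ext": decoy,
    }


def suspicious_attachments(raw_message):
    """Parse a raw RFC 822 message and return the classification of every
    attachment whose final extension is executable."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue  # unnamed parts cannot be judged by extension
        info = classify_attachment(name)
        if info["executable"]:
            findings.append(info)
    return findings


def build_sample_message():
    """Constructed sample resembling the message described in the thread.
    The attachment body is a dummy byte string, not a real worm."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"      # placeholder addresses
    msg["To"] = "me@example.org"
    msg["Subject"] = "hello"
    msg.set_content("Remember this from school?")
    msg.add_attachment(
        b"MZ" + b"\x00" * 30,
        maintype="application",
        subtype="octet-stream",
        filename="sumo1.jpg.scr",
    )
    return msg.as_string()


if __name__ == "__main__":
    for finding in suspicious_attachments(build_sample_message()):
        print("suspicious attachment:", finding)
```

Judging by the final extension rather than the first is the whole point: Explorer hides known extensions by default, so the user sees "sumo1.jpg" while the shell treats the file as a screensaver executable.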
     
  3. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    OK another add-on, my initial reply to this person was mis-sent because the virus changed her address from

    XXXXXX@hotmail.com

    to

    XXXXXX@flash.net

    anyway I sent the removal tool link to her and I'm ready to delete this nasty email, unless someone pops in who would like a copy for analyzing, though I suppose it's the same old nasty.

    Detox
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Detox,

    Better safe than sorry: I would recommend changing all passwords.

    The email address most probably has been harvested. Chances are big the girl you know has not been infected at all. Nice job, sending her the removal tool ;) - as a standard, I recommend using these in Safe Mode.

    Sounds like a known variant all right.

    regards.

    paul
     
  5. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    roger that, passwords changing!

    I don't understand how the thing would get here without her being infected though, it used her full first and last name which I have in my addy book but it's also what she uses to my knowledge..... and then the email addy with the right #s even?
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Detox,

    I think what Paul means is that the virus came from a computer that has both your and her e-mail addresses on it.
    This is called spoofing: the virus active on computer C makes it look like it sent an e-mail from A to B.
    Correct me if I'm wrong.
    Have a look here: http://www.naavi.com/cl_editorial/edit_29april2_02_1.html

    Regards,

    Pieter
     
  7. Ghost

    Ghost Guest

    AVG isn't going to alert you unless you try to open the attachment.

    At least, that's the way it's always worked here.
     
  8. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Pieter - thing is, there is no computer like that... Or so I believe. Just a friend of mine from a college that I kept in touch with over email for a while; we've got no common friends whatsoever! That's what's confounding about it.
     
  9. controler

    controler Guest

    Ghost is correct, AVG doesn't have POP scanning like some of the other AVs have. For instance, Norton scans while the mail is coming in.
    All good AVs should be including mail scan by now.
    Get Norton dammit and go get the daily updates. :D
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Quotes from: http://www.theage.com.au/articles/2002/10/04/1033538762070.html

    "In some cases the worm fakes the email address of the sender - making it look as if an innocent third party sent the worm. This creates further confusion and makes it difficult to warn the infected parties of the problem."

    and

    "Rod Fewster of NOD32 Antivirus Systems said Bugbear used more sophisticated "sender address" spoofing than Klez.
    "Bugbear can "mix and match" info from email addresses, combining the text prior to the @ symbol of one address with the text following the @ symbol of another address, which further confuses the identity of the real sender," he said."

    So it's even more complicated than I thought.

    Regards,

    Pieter
     
  11. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Hm so it is... But now I understand how it had the correct first part of her email address but at flash.net instead of hotmail.com...
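    The "mix and match" behaviour quoted above (a known local part joined to a different contact's domain) can be checked against the recipient's own address book. The following Python is an added example, not code from this thread or from NOD32, that parses a From header and reports whether the address is an exact contact, a likely spoof built from pieces of known contacts (or carrying a known display name on an unknown address), or simply unknown. The address book entries are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed address book for the example; these are not real contacts.
ADDRESS_BOOK = {
    "Jane Doe": "jane.doe42@hotmail.com",
    "Bob Smith": "bob@flash.net",
}


def split_address(addr):
    """Return (local_part, domain), both lower-cased."""
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def check_sender(from_header, address_book=ADDRESS_BOOK):
    """Classify a From header against the address book.

    verdict is one of:
      "known"          - the address is exactly one we have on file
      "likely_spoofed" - the display name or the local part belongs to a
                         contact, but the full address does not match it
      "unknown"        - nothing in the header matches any contact
    local_part_from / domain_from / name_from name the contact whose
    address piece (or display name) the header reuses, if any.
    """
    display_name, addr = parseaddr(from_header)
    addr = addr.lower()
    local, domain = split_address(addr)
    book = {name: a.lower() for name, a in address_book.items()}

    result = {
        "address": addr,
        "local_part_from": None,
        "domain_from": None,
        "name_from": display_name if display_name in book else None,
    }
    if addr in book.values():
        result["verdict"] = "known"
        return result

    for name, known in book.items():
        known_local, known_domain = split_address(known)
        if local and local == known_local and result["local_part_from"] is None:
            result["local_part_from"] = name
        if domain and domain == known_domain and result["domain_from"] is None:
            result["domain_from"] = name

    if result["local_part_from"] or result["name_from"]:
        result["verdict"] = "likely_spoofed"
    else:
        result["verdict"] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed header in the shape the thread describes: the friend's
    # local part and display name, but a domain taken from another contact.
    print(check_sender('"Jane Doe" <jane.doe42@flash.net>'))
```

The verdict is a triage hint, not proof: a legitimate contact who changes providers will also trip the local-part match, so the check belongs next to the attachment filter rather than in place of it.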
     