VERY strange situation going on

Discussion in 'other anti-virus software' started by Chuck57, Nov 8, 2002.

Thread Status:
Not open for further replies.
  1. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    This may be in the wrong place. Feel free to move.

    Last night, I got an email from Kaspersky, advising that I had sent an infected email to them. I shrugged it off and, unfortunately, deleted it from my Yahoo account.

    Today, I received an email from Panda below.
    ***
    Panda Antivirus detected the following viruses in the message:
       Server :   MESSAGERIE

       Sent by :   
       Address :   MAILER-DAEMON@kazmail.asdc.kz
       To :   list-15@webserver2.kaspersky-labs.com
       Subject :   Returned mail: see transcript for details
       Date :   08/11/2002 01:40

    VIRUS DETECTED

    File : ~000003.txt
        Virus :   Exploit/iFrame - Disinfected
    File : README.EXE
        Virus :   W32/Bride - Disinfected

    ***

    Then, by the time I finished the above, the one below appeared in my yahoo box.


    Date: Fri, 8 Nov 2002 00:44:20 +0300 (MSK)
    From: DrWeb-DAEMON@sandy.ru
    Subject: Undelivered message: [unknown-subject]
    To: list-15@webserver2.kaspersky-labs.com

    Dear Sender,
    message sent from your e-mail address (address may be spoofed)
    to <piotr@sandy.ru> was probably infected and was not delivered.
    Antiviral filter report:

    ========================
    DrWeb found next viruses:
    ========================
    infected with Trojan.IframeExec
    infected with Win32.HLLM.Generic.95


    Recipient was warned and can obtain a copy of infected message.

    This message was generated automatically by mail delivery software.

    ***

    I've scanned my machine (I use KAV) and have run two online scans, and I'm clean according to all of them. Further, I'd never even been to either Panda or Dr. Web. I did use Panda for an online scan today. First time I've ever been there.

    Obviously somebody is using my email address for the above, and the one from Kaspersky last night, that I didn't keep, insinuated that the virus was sent FROM my Yahoo account. Do I advise Yahoo of the situation? I don't have any names in my address book, so that's not a problem, and I've changed my password again. I'm sort of at a loss as to what to do about this.

    I run Spybot at the end of every day. It says I have no keyloggers or any other stuff on this computer. If some clown is sending infected mails around with my name, what the h**l do I do? I'm stuck.
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Chuck57

    Have you received any other emails from Kaspersky lately?

    Have a look at the following on their site:
    http://www.avp.ru/news.html?id=965624

    Regards
    CrazyM
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Well, that clearly explains the "README.EXE" file and the iframe exploit. By being a KAV user, I'd guess your email address was in the list servers that were exploited at the KAV site.
     
  4. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    No, but the message you pointed me to was there last night along with the email from Kaspersky. Didn't know what it was and opened it on Yahoo.

    Since then, I've run my three scans as I mentioned, and I'm clean. There was no attachment, so I'm guessing yahoo's av got rid of it. Nothing else has arrived today, so far.

    My server email is reserved for family and friends. Everything else goes through Yahoo or Hotmail.
     
  5. arj

    arj Guest

    Chuck57,
    It seems that KAV has been hacked! See explanation below.

    Virus News. Friday, November 08, 2002
    ******************************************************************

    1. Beware of fakes!
    2. How to subscribe/unsubscribe

    ****

    1. Beware of fakes!
    Kaspersky Labs reports an attempt to hack its Web server

    Kaspersky Labs informs users that on the night of November 7th there
    was a massive attack against the company's Web server. The attack
    resulted in a group of hackers sending the subscribers of the Kaspersky
    Labs e-mail newsletter a message containing the recently discovered
    "Bridex" worm.

    The infected messages have the following appearance:

    "Bridex" is an e-mail aware worm that spreads in e-mail messages and
    infects computers in two ways: manually, if a user executes the attached
    file (README.EXE), or automatically upon reading the message if the target
    PC has no Internet Explorer patch installed that thwarts the
    IFRAME-vulnerability.

    Despite Kaspersky Labs not receiving any actual reports of infection
    caused by this hacker attack, we recommend that users under no
    circumstances open messages having the aforementioned appearance and
    delete them immediately. To strengthen your defense against "Bridex"
    we also advise you to urgently install the IFRAME-vulnerability patch
    available for free at Microsoft's Web site:
    http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

    Unfortunately, hacker attacks have become a part of computer users'
    everyday life. Even the majority of the world's largest governmental
    and commercial institutions have already fallen victim to hackers. "During the
    last few years Kaspersky Labs has grown to become one of the leading
    virus experts and this status has attracted much attention from hackers,
    resulting in daily attempts to penetrate our defenses," said Eugene
    Kaspersky, Head of Anti-Virus Research. "Currently we are conducting an
    investigation to reveal the sources of this attack and are taking the
    necessary measures with our security system to ensure that this type of
    attack will never succeed in the future."

    Kaspersky Labs apologizes to all its newsletter subscribers. If your PC
    has become infected with "Bridex" as a result of this hacker attack we
    will provide you with immediate free assistance to neutralize this worm.
    We kindly ask you to contact our technical support available 24 hours a
    day by e-mail (support@kaspersky.com) or by phone (+7 095 797 87 07).

    Kaspersky Labs takes this opportunity to remind you of the security
    rules of the company's e-mail newsletters, which allow you to
    distinguish the hackers' messages from the real ones. Please keep in
    mind that Kaspersky Labs newsletters come in plain text format and do
    not contain any attached objects. If you receive a message with attached
    objects, do not open them and submit them to Kaspersky Labs' technical
    support (support@kaspersky.com) for an expert evaluation.

    You can find more details about the "Bridex" worm in the Kaspersky Virus
    Encyclopedia at http://www.viruslist.com/eng/viruslist.html?id=57756



    **

    2. How to subscribe/unsubscribe

    If you would like to subscribe to other Kaspersky Lab news blocks or
    to unsubscribe from this news block, you can do so by visiting
    http://www.kaspersky.com/subscribenow.html

    If you experience any problems with this procedure, please contact us at:
    webmaster@kaspersky.com

    ****

    Best of Luck,

    Kaspersky Lab News Agent

    -----
    10 Geroyev Panfilovtcev St.,
    125363, Moscow
    Russia
    Telephone/Facsimile: +7 (095) 948 43 31
    WWW: http://www.kaspersky.com
    FTP: ftp://ftp.kasperskylab.ru
    E-mail: webmaster@kaspersky.com
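    The two notices quoted earlier in the thread (an iframe exploit in the HTML body plus an attached README.EXE) and Kaspersky's stated rule that genuine newsletters are plain text with no attachments, turned into a simple mail-filter check. This is an added example, not code from the thread or from Kaspersky; the two sample messages are constructed, and the recipient address in them is a placeholder.

```python
"""Flag newsletter messages that break the plain-text, no-attachment rule."""
import re
from email import message_from_string

# Constructed sample resembling the message the notice describes:
# an HTML body carrying a hidden <iframe> and README.EXE attached.
# The attachment body is a placeholder string, not a real binary.
FAKE_NEWSLETTER = """\
From: list-15@webserver2.kaspersky-labs.com
To: subscriber@example.invalid
Subject: Virus News
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body><iframe src="cid:readme" width=0 height=0></iframe></body></html>
--b1
Content-Type: application/octet-stream; name="README.EXE"
Content-Disposition: attachment; filename="README.EXE"

placeholder-not-a-real-binary
--b1--
"""

# Constructed sample of what a genuine newsletter looks like per the notice.
REAL_NEWSLETTER = """\
From: list-15@webserver2.kaspersky-labs.com
To: subscriber@example.invalid
Subject: Virus News
Content-Type: text/plain

1. Beware of fakes!
"""

EXECUTABLE_EXT = re.compile(r"\.(exe|com|scr|pif|bat|vbs)$", re.I)
IFRAME_TAG = re.compile(r"<iframe\b", re.I)


def suspicious_reasons(raw: str) -> list:
    """Return why a message violates the newsletter rule; [] means it passes."""
    reasons = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        fname = part.get_filename()
        if fname:  # any attachment is a violation; executables are worse
            kind = "executable " if EXECUTABLE_EXT.search(fname) else ""
            reasons.append(f"{kind}attachment {fname}")
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            reasons.append("HTML body contains <iframe>" if IFRAME_TAG.search(body)
                           else "HTML body (newsletter should be plain text)")
    return reasons
```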
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    As a subscriber to the Kaspersky news lists I too got the message, and complaints from other subscribers' mailer daemons, including many AV/AT security software developers, so it's a bit of a mess in the inbox; be very careful with those messages in case you get them, as most of these complaints contain the worm too.
    The other official Kaspersky message you mention I did not see yet, so thanks for posting it here :)
     
  7. controler

    controler Guest

    Well that figures :mad:

    Just because I go to Kaspersky's site the other night and download their Firewall Beta, somebody has to hack them.
    OK, who is following me around these days? I hope she is pretty.
     