German Email Virus



drive55
07-09-2005, 11:52 PM
XP/SP2/NIS/NAV - A variation of this question was addressed in the
WindowsUpdate group, but I think it's more appropriate here. Could receiving
one or two of these German emails every other day or so simply indicate that
your email address is on an infected computer? I haven't opened any
attachments, links, etc.; simply deleted them.

Mark Randall
07-09-2005, 11:52 PM
Yes. I have been receiving hundreds.

--
- Mark Randall
http://zetech.swehli.com

"drive55" <drive55@discussions.microsoft.com> wrote in message
news:188E5D00-2230-45CA-A164-EFDE9FC71E8F@microsoft.com...
> XP/SP2/NIS/NAV - A variation of this question was addressed in the
> WindowsUpdate group, but I think it's more appropriate here. Could
> receiving
> one or two of these German emails every other day or so simply indicate
> that
> your email address is on an infected computer? I haven't opened any
> attachments, links, etc.; simply deleted them.

Juergen Nieveler
07-09-2005, 11:52 PM
"Mark Randall" <markyr@REMOVETHISgoogle.ANDTHIScom> wrote:

> Yes. I have been receiving hundreds.

It's a Sober-variant, and searches the victim machine for anything
resembling an email address.

Currently it's spewing out Neonazi-propaganda, but apparently it
contains an internal timer and will try to download a new task on
Monday...

Juergen Nieveler
--
Laundry instructions on a shirt made by HEET: For best results, wash in
cold water separately, hang dry and iron with warm iron. For not so good
results, drag behind car through puddles, blow-dry on roofrack.

N. Miller
07-09-2005, 11:52 PM
On Fri, 20 May 2005 11:21:31 -0700, drive55 wrote:

> XP/SP2/NIS/NAV - A variation of this question was addressed in the
> WindowsUpdate group, but I think it's more appropriate here. Could receiving
> one or two of these German emails every other day or so simply indicate that
> your email address is on an infected computer? I haven't opened any
> attachments, links, etc.; simply deleted them.

Yes, and not just email addresses. From my mail logs:

------------------------------------------------------------------------------
>> T 20050520 122552 428d9f6e Connection from 216.67.254.97
>> T 20050520 122552 428d9f6e EHLO excaliber.first2host.com
>> T 20050520 122552 428d9f6e MAIL FROM:<polars@excaliber.first2host.com> SIZE=2931
>> T 20050520 122557 428d9f6e RCPT TO:<qo6gsnnsoe32.dlg@msn.******.net>
>> E 20050520 122557 428d9f6e 554 Clean up your infected computer. Please.
>> T 20050520 122557 428d9f6e Connection closed with 216.67.254.97, 5 sec. elapsed.
------------------------------------------------------------------------------

I had set up my news client, 40tude, to issue a message ID string with my
domain in it (masked to keep the harvesters at bay). If you can figure out
my domain name (access to my full headers would help), you could substitute
it, and find the message I posted in these groups by a message ID string
search. The ".dlg@" part identifies 40tude Dialog as the news client
creating that message ID string. I have mended my attempt at cuteness, and
now my message ID strings, in these groups, are tagged with
"@discussions.microsoft.com".

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
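The log above shows a harvested Message-ID being replayed as an SMTP recipient and rejected with a 554. As an added example (not code from the thread), this Python parser groups such log lines by connection id, records the rejection code, and flags recipients whose local part ends in the 40tude Dialog ".dlg" tag, i.e. addresses scraped from news headers rather than real mailboxes. The log lines are constructed in the layout of the excerpt; the second session and the example.net domain are made up.

```python
import re
from collections import defaultdict

# Constructed sample log, same layout as the thread's excerpt:
# <T|E> <yyyymmdd> <hhmmss> <connection-id> <text>
SAMPLE_LOG = """\
T 20050520 122552 428d9f6e Connection from 216.67.254.97
T 20050520 122552 428d9f6e EHLO excaliber.first2host.com
T 20050520 122552 428d9f6e MAIL FROM:<polars@excaliber.first2host.com> SIZE=2931
T 20050520 122557 428d9f6e RCPT TO:<qo6gsnnsoe32.dlg@example.net>
E 20050520 122557 428d9f6e 554 Clean up your infected computer. Please.
T 20050520 122557 428d9f6e Connection closed with 216.67.254.97, 5 sec. elapsed.
T 20050520 130101 428da0f2 Connection from 192.0.2.10
T 20050520 130102 428da0f2 RCPT TO:<norman@example.net>
T 20050520 130103 428da0f2 Connection closed with 192.0.2.10, 2 sec. elapsed.
"""

LINE_RE = re.compile(r'^(?P<kind>[TE]) (?P<date>\d{8}) (?P<time>\d{6}) (?P<conn>[0-9a-f]{8}) (?P<text>.*)$')
CONN_FROM_RE = re.compile(r'^Connection from (?P<ip>[\d.]+)')
RCPT_RE = re.compile(r'^RCPT TO:<(?P<addr>[^>]+)>', re.IGNORECASE)
# Local part ending in ".dlg": a 40tude Dialog Message-ID that a harvester
# mistook for a mailbox (the pattern N. Miller describes above).
MSGID_TAG_RE = re.compile(r'\.dlg$', re.IGNORECASE)

def parse_sessions(log_text):
    """Group log lines by connection id into {ip, rcpts, errors}."""
    sessions = defaultdict(lambda: {"ip": None, "rcpts": [], "errors": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected layout
        s, text = sessions[m["conn"]], m["text"]
        if (c := CONN_FROM_RE.match(text)):
            s["ip"] = c["ip"]
        elif (r := RCPT_RE.match(text)):
            s["rcpts"].append(r["addr"])
        elif m["kind"] == "E" and text[:3].isdigit():
            s["errors"].append(int(text[:3]))  # SMTP reply code, e.g. 554
    return sessions

def harvested_recipients(log_text):
    """Return (client ip, recipient) pairs where the recipient is a scraped Message-ID."""
    hits = []
    for s in parse_sessions(log_text).values():
        for addr in s["rcpts"]:
            local = addr.rsplit("@", 1)[0]
            if MSGID_TAG_RE.search(local):
                hits.append((s["ip"], addr))
    return hits
```

Only the first session is flagged; the rejection it received is kept alongside so a report can pair the harvesting client with the 554 the server issued.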

Imhotep
07-09-2005, 11:52 PM
This is not new. It has been going on for a couple of weeks now...

-Im

N. Miller wrote:

> On Fri, 20 May 2005 11:21:31 -0700, drive55 wrote:
>
>> XP/SP2/NIS/NAV - A variation of this question was addressed in the
>> WindowsUpdate group, but I think it's more appropriate here. Could
>> receiving one or two of these German emails every other day or so simply
>> indicate that your email address is on an infected computer? I haven't
>> opened any attachments, links, etc.; simply deleted them.
>
> Yes, and not just email addresses. From my mail logs:
>
> ------------------------------------------------------------------------------
>>> T 20050520 122552 428d9f6e Connection from 216.67.254.97
>>> T 20050520 122552 428d9f6e EHLO excaliber.first2host.com
>>> T 20050520 122552 428d9f6e MAIL FROM:<polars@excaliber.first2host.com> SIZE=2931
>>> T 20050520 122557 428d9f6e RCPT TO:<qo6gsnnsoe32.dlg@msn.******.net>
>>> E 20050520 122557 428d9f6e 554 Clean up your infected computer. Please.
>>> T 20050520 122557 428d9f6e Connection closed with 216.67.254.97, 5 sec. elapsed.
> ------------------------------------------------------------------------------
>
> I had set up my news client, 40tude, to issue a message ID string with my
> domain in it (masked to keep the harvesters at bay). If you can figure out
> my domain name (access to my full headers would help), you could
> substitute it, and find the message I posted in these groups by a message
> ID string search. The ".dlg@" part identifies 40tude Dialog as the news
> client creating that message ID string. I have mended my attempt at
> cuteness, and now my message ID strings, in these groups, are tagged with
> "@discussions.microsoft.com".
>