"Mail Delivery Failed" messages

Shirley Worrall

Hi,

I've got NOD32 on Windows XP, and it updates automatically every day.

This afternoon I had 3 "Mail delivery failure" messages. They're
virtually identical, except that the attachment that they referred to
was different in each case. I've set one out below. I'm sure I haven't
got a virus. Does this mean that someone with a virus has my address
in their address book and that messages are going out in my name from
them?

Thanks for any help. I'm just trying to understand what's happening.

One of the messages below (minus the attachment)

Thanks,
--
Shirl
--------------
This message was created automatically by mail delivery software (Exim).

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

(e-mail address removed)
This message has been rejected because it has
a potentially executable attachment "wicked_scr.scr"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.

------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from [194.196.100.34] (helo=IBM-K72BTRWHVU9)
    by he102war.uk.vianw.net with esmtp (Exim 4.04)
    id 19p5fj-0005hg-00
    for (e-mail address removed); Tue, 19 Aug 2003 13:33:11 +0100
From: <[email protected]>
To: <[email protected]>
Subject: Re: Approved
Date: Tue, 19 Aug 2003 13:32:51 +0100
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="_NextPart_000_00DF9403"
Message-Id: <[email protected]>

This is a multipart message in MIME format

--_NextPart_000_00DF9403
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Please see the attached file for details.
--_NextPart_000_00DF9403
Content-Type: application/octet-stream;
    name="wicked_scr.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
    filename="wicked_scr.scr"
-------------------------------
 
David W.E. Roberts

Shirley Worrall said:
Hi,

I've got NOD32 on Windows XP, and it updates automatically every day.

This afternoon I had 3 "Mail delivery failure" messages. They're
virtually identical, except that the attachment that they referred to
was different in each case. I've set one out below. I'm sure I haven't
got a virus. Does this mean that someone with a virus has my address
in their address book and that messages are going out in my name from
them?

Thanks for any help. I'm just trying to understand what's happening.

One of the messages below (minus the attachment)

Thanks,

Name and shame time for a large computer corporation:

inetnum: 194.196.100.0 - 194.196.100.255
netname: GB-AGNS-NET
descr: Network of AGNS
country: GB
admin-c: AM6759-RIPE
tech-c: AM6759-RIPE
status: ASSIGNED PA
remarks: Service: ICS
remarks: Please send SPAM reports to (e-mail address removed)
remarks: Please send ABUSE reports to (e-mail address removed)
mnt-by: EU-IBM-NIC-MNT
changed: (e-mail address removed) 20000218
source: RIPE

route: 194.196.0.0/16
descr: AT&T GNS Ranges
descr: For routing issues: (e-mail address removed)
descr: For NEW peering issues: (e-mail address removed)
descr: For SPAM: (e-mail address removed)
descr: For addressing issues: (e-mail address removed)
origin: AS2686
mnt-by: MAINT-AS2686
changed: (e-mail address removed) 20021223
source: RIPE

person: Anthony Michalakopoulos
address: AGNS Firewal
address: Mailpoint C2E, c/o
address: IBM North Harbour
address: Portsmouth PO6 3AU
address: GB
phone: +44 239 256 5327
nic-hdl: AM6759-RIPE
mnt-by: EU-IBM-NIC-MNT2
changed: (e-mail address removed) 19991125
source: RIPE
 
MD Vid

Consider yourself lucky, I had over 200 of em.

JTH
 
Haim Guivon

It is, again, virus SoBig.F. If you have a spam detector like MailWasher or
SpamCop, the best you can do is to delete the messages from the server. If
you look harder, you'll see that there is a pattern of subjects and
attachment names that keep repeating themselves (like this wicked_scr.scr
of yours). It sure is the virus.

Especially, beware not to download any message containing an attachment (the
"return mail" generally has the attachment stripped off, and is, therefore,
harmless), and if you do, not to open any attachment! Delete the mail.

As a rule never open any executable attachment (EXE, PIF, SCR) or even DOC,
even if they are from a friend. Tell your friend that this is your policy,
and "please forgive me". And to be on the safe side, don't make sex without
a condom, except with your wife/husband/longstanding mate.

cordially,
haim
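
The check this thread turns on, as an added example that is not part of the original posts: read the copy of the message returned inside the bounce, take the connecting host from the `Received` line rather than the forgeable `From`, and flag attachments with the extensions named above. The function name `triage_bounce`, the parameter `my_sending_ips`, the `example.org` address and `203.0.113.25` are assumptions made for illustration.

```python
import re
from email import message_from_string

RISKY_EXT = (".exe", ".pif", ".scr")  # extensions named in the thread
MARKER = "------ This is a copy of the message, including all the headers. ------"

# Constructed sample modelled on the thread's Exim bounce; address is a placeholder.
SAMPLE_BOUNCE = """\
This message was created automatically by mail delivery software (Exim).
------ This is a copy of the message, including all the headers. ------

Return-path: <shirl@example.org>
Received: from [194.196.100.34] (helo=IBM-K72BTRWHVU9)
 by he102war.uk.vianw.net with esmtp (Exim 4.04)
 id 19p5fj-0005hg-00; Tue, 19 Aug 2003 13:33:11 +0100
From: <shirl@example.org>
Subject: Re: Approved
Content-Type: multipart/mixed;
 boundary="_NextPart_000_00DF9403"

--_NextPart_000_00DF9403
Content-Type: text/plain; charset="iso-8859-1"

Please see the attached file for details.
--_NextPart_000_00DF9403
Content-Type: application/octet-stream; name="wicked_scr.scr"
Content-Disposition: attachment; filename="wicked_scr.scr"

--_NextPart_000_00DF9403--
"""

def triage_bounce(bounce_text, my_sending_ips):
    """Return origin host, risky attachments and a backscatter verdict."""
    msg = message_from_string(bounce_text.partition(MARKER)[2].lstrip())
    # The topmost Received line was written by the rejecting server itself,
    # so it records the host that really connected; From is only a claim.
    received = (msg.get_all("Received") or [""])[0]
    m = re.search(r"from \[?([0-9.]+)\]? \(helo=([^)]+)\)", received)
    ip, helo = m.groups() if m else (None, None)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return {
        "claimed_from": msg["From"],
        "origin_ip": ip, "helo": helo,
        "risky_attachments": [n for n in names if n.lower().endswith(RISKY_EXT)],
        "backscatter": ip is not None and ip not in my_sending_ips,
    }

if __name__ == "__main__":
    print(triage_bounce(SAMPLE_BOUNCE, my_sending_ips={"203.0.113.25"}))
```

A `backscatter` result of `True` means the rejected message was handed to the mail server by a host that is not one of yours, which is the situation the original question describes.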

 
Roy

Especially, beware not to download any message containing an attachment (the
"return mail" generally has the attachment stripped off, and is, therefore,
harmless), and if you do, not to open any attachment! Delete the mail.

At best this is incomplete advice, at worst it's nonsense.

Any unexpected attachment received via e-mail should be treated with
caution, no matter how good you believe your AV software to be, even if
(particularly if?) it appears to come from a friend/acquaintance without
explanation. What's to stop you e-mailing (or even phoning) them to ask
if they really meant to send it?

If, on the other hand, you were referring to unsolicited e-mail from
complete strangers, I wouldn't (and don't) hesitate a moment before
deleting it.

But why let criminals make your use of e-mail practically worthless?

Cheers,

Roy

(still regularly using attachments, in both directions, but taking
precautions - including the use of my brain)
 
Gabriele Neukam

On that special day, Haim Guivon, ([email protected]) said...
And to be on the safe side, don't make sex without
a condom, except with your wife/husband/longstanding mate.

And make sure that your wife/husband/longstanding mate didn't have
unsafe sex with someone else...

Many women got infected although they had been true, it was the husband
who infected them. The same applies to mails. I would treat a mail from
my sister exactly the same way as any other.


Gabriele Neukam

(e-mail address removed)
 
David

Definitely fits somewhere in between as you infer, Roy. Some people simply
have to deal with attachments. For someone who doesn't need or desire to
exchange attachments it is sound advice. And you will always have people
that are uninformed, too trustworthy, or too curious. I think too many
people are listening to people like Leo LaPorte without questioning when
something applies and when a different solution is necessary.
At best this is incomplete advice, at worst it's nonsense.

And I can't put it any better than this:
But why let criminals make your use of e-mail practically worthless?

There are a lot of different schemes in use to reduce one's risk as far as
attachments are concerned.
It is obviously worth taking whatever precautions one can to reduce the
risks, but there will "always" be the possibility of getting infected when
new or relatively obscure outbreaks occur. As much as I can keep up with
what is being done as far as viruses are concerned I still accept the fact
they will always be one step ahead. So really all you can do is keep up with
what is happening so you don't fall two steps behind, backup your important
data religiously, balance using functionality vs. the amount of risk one is
willing to assume, and realize that if you do by chance get infected it
probably isn't going to be the end of the world.

It's good to see that the current rash of activity is getting some coverage
on the major news networks. I guess it has finally gotten to a level where
it is worth the air time. Or maybe their own computer networks have been
affected enough for them to deem "public service" pieces more important
than useless sensationalism?
 
