Ideas Please - re virus w32.Beagle@mm!zip


John L

Hi all,
I would appreciate any input on this email that
I received today. I don't know how to interpret
this "returned mail" message, but that's not my
primary concern.

1.
I never emailed the recipient.

2.
I've never seen the recipient's address before - I
don't know them.

3.
I'm using the evaluation version of bitdefender
8 Standard, and the scans are clean.

4.
I just re-formatted my HDD and re-installed Win2K a
week ago, after it was trashed by CoolWebSearch.

Before re-connecting to the net I installed SpywareBlaster,
Ad-Aware, Spybot Search & Destroy. I have never opened IE or
Outlook - I use Mozilla and Eudora instead. I'm on the learning
curve re online security...CWS was a nightmare.

I'm confused. According to bitdefender, my system is
completely clean, and yet it seems that my PC attempted
to email someone - with that virus attached.
What is the reference to Symantec's detection of W32.Beagle@mm!zip?
Did the recipient's PC receive the email and send it back ?

I've copied the text from the returned mail below - I've edited
sender and recipient addresses with asterisks to preserve anonymity.

Any and all ideas appreciated !
thanks,
John.

******************

Date: Wed, 15 Dec 2004 11:53:36 -0500 (EST)
From: Mail Delivery Subsystem <(e-mail address removed)>
To: <pc****@erols.com>
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)


The original message was received at Wed, 15 Dec 2004 11:53:32 -0500
(EST)
from pool-68-239-225-80.nwrk.east.verizon.net [68.239.225.80]


----- The following addresses had permanent fatal errors -----
<r****@twcny.rr.com>
(reason: 550 5.1.6 Recipient no longer on server:
(e-mail address removed))
----- Transcript of session follows -----
... while talking to ms-mta-02-fn.nyroc.rr.com.:
<<< 550 5.1.6 Recipient no longer on server: r****@twcny.rr.com
550 5.1.1 <r****@twcny.rr.com>... User unknown
<<< 554 5.5.0 No recipients have been specified.
Reporting-MTA: dns; nymx02.mgw.rr.com
Received-From-MTA: DNS; pool-68-239-225-80.nwrk.east.verizon.net
Arrival-Date: Wed, 15 Dec 2004 11:53:32 -0500 (EST)


Final-Recipient: RFC822; r****@twcny.rr.com
Action: failed
Status: 5.1.6
Remote-MTA: DNS; ms-mta-02-fn.nyroc.rr.com
Diagnostic-Code: SMTP; 550 5.1.6 Recipient no longer on server:
(e-mail address removed)
Last-Attempt-Date: Wed, 15 Dec 2004 11:53:36 -0500 (EST)
Received: from SYSTEM.net (pool-68-239-225-80.nwrk.east.verizon.net
[68.239.225.80])
by nymx02.mgw.rr.com (8.12.10/8.12.8) with SMTP id
iBFGrVmE021283
for <r****@twcny.rr.com>; Wed, 15 Dec 2004 11:53:32 -0500 (EST)
Date: Wed, 15 Dec 2004 11:53:29 -0500
To: "Rd" <r****@twcny.rr.com>
From: "Pc" <pc****@erols.com>
Subject: RE: Message Notify
Message-ID: <*************@twcny.rr.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------kkwmshtzcqqehtpkiqoy"
X-Virus-Scanned: Symantec AntiVirus Scan Engine
X-Virus-Scan-Result: Repaired 23577 W32.Beagle@mm!zip
 

Beauregard T. Shagnasty

John said:
Hi all,
I would appreciate any input on this email that
I received today. I don't know how to interpret
this "returned mail" message, but that's not my
primary concern.

1.
I never emailed the recipient.

You don't have to. Viruses pick any address from an infected machine,
so probably someone you know has this virus. Your address is in their
address book or other file.
2.
I've never seen the recipient's address before - I
don't know them.

See above. Some other person your friend knows.
3.
I'm using the evaluation version of bitdefender
8 Standard, and the scans are clean.

That's good.
4.
I just re-formatted my HDD and re-installed Win2K a
week ago, after it was trashed by CoolWebSearch.

Next time, get the CWShredder and use that - if you didn't this time.
Before re-connecting to the net I installed SpywareBlaster,
Ad-Aware, Spybot Search & Destroy. I have never opened IE or
Outlook - I use Mozilla and Eudora instead. I'm on the learning
curve re online security...CWW was a nightmare.

Did you go to Winders Update and get this new installation fully
patched? This is important.

And, which *firewall* are you using?
I'm confused. According to bitdefender, my system is
completely clean, and yet it seems that my PC attempted
to email someone - with that virus attached.

No, as explained above, someone with the virus forged your address as
the FROM field, and the recipient's mail server sent the bounce back
to you. Apparently, the recipient's address is no longer valid.
What is the reference to Symantec's detection of W32.Beagle@mm!zip?
Did the recipient's PC receive the email and send it back ?

No, the server did. Perhaps its virus scanner did.
I've copied the text from the returned mail below - I've edited
sender and recipient addresses with asterisks to preserve anonymity.

Well, you could try to send a test email directly to the recipient
(r****@twcny.rr.com) and see if you get a bounce. Some short text such
as "I got a bounced email from you" would suffice, just in case it is
real. <g>

<schnipp>
 

John L

Hi bts,
Thanks very much for filling me in !
I never emailed the recipient.

You don't have to. Viruses pick any address from an infected machine,
so probably someone you know has this virus. Your address is in their
address book or other file.
Ahhh....
4.
I just re-formatted my HDD and re-installed Win2K a
week ago, after it was trashed by CoolWebSearch.

Next time, get the CWShredder and use that - if you didn't this time.
I used it without success - it must have been on my system for about
3 months before I realised it was malware.
WHO writes this f***ing crap, and WHY aren't they liable for the
poor user's repair costs ? ( I had a tech come to the house ).

Did you go to Winders Update and get this new installation fully
patched? This is important.
I think I'm up to date...but I'll double check.

And, which *firewall* are you using?
ZoneAlarm (free version)
I'm thinking of buying bitdefender 8 for AV, and ZoneAlarm Pro for
firewall.

Thanks again !
John
 

Beauregard T. Shagnasty

John said:
Hi bts,
Thanks very much for filling me in !

My pleasure.
Next time, get the CWShredder and use that - if you didn't this time.
I used it without success - it must have been on my system for about
3 months before I realised it was malware.
WHO writes this f***ing crap,

People without morals. It must be a lucrative industry.
and WHY aren't they liable for the
poor user's repair costs ? ( I had a tech come to the house ).

What if someone sneezed on you in the train station and later you got
a flu? You have to pay for the medication.

(Yeah, not a terrific analogy, but you would have the same success as
trying to find that sneezer and make them pay.)
And, which *firewall* are you using?
ZoneAlarm (free version)
I'm thinking of buying bitdefender 8 for AV,

...or get a free one.
and ZoneAlarm Pro for firewall.

The free version is probably as good. Personally, I like Kerio.
 

Gabriele Neukam

On that special day, John L, (e-mail address removed) said...


Just FYI
The original message was received at Wed, 15 Dec 2004 11:53:32 -0500
(EST)
from pool-68-239-225-80.nwrk.east.verizon.net [68.239.225.80]

Look at the numbers in the line. They refer to a so-called IP number,
which identifies the sending machine. The machine came over Verizon.
Received-From-MTA: DNS; pool-68-239-225-80.nwrk.east.verizon.net
Arrival-Date: Wed, 15 Dec 2004 11:53:32 -0500 (EST)

Again this number in the "name" of the sender's machine.
Received: from SYSTEM.net (pool-68-239-225-80.nwrk.east.verizon.net
[68.239.225.80])

The number in brackets is the real IP identity of the machine at the
moment when the worm sent the mail. The official writing of IP numbers
goes a.b.c.d, with each of the numbers a through d being between zero
and 255 (the zero and 255 have specific meanings, and shouldn't be
used in internet IP numbers)
by nymx02.mgw.rr.com (8.12.10/8.12.8)

That's the ISP where the "mail" was sent to.
X-Virus-Scanned: Symantec AntiVirus Scan Engine
X-Virus-Scan-Result: Repaired 23577 W32.Beagle@mm!zip

The receiving ISP sent the mail through a virus scan and got a positive
result. Then it chose the "From:" line to send the bounce to, although
such bounces haven't made sense any more for at least two years.

The IP number of the sender can be entered into a Whois interface, like

www.iks-Jena.de/cgi-bin/whois (or ARIN)

and will result in these data:

NetRange: 68.236.0.0 - 68.239.255.255
CIDR: 68.236.0.0/14
NetName: VIS-68-236
NetHandle: NET-68-236-0-0-1
Parent: NET-68-0-0-0-0
NetType: Direct Allocation
NameServer: NSDC.BA-DSG.NET
NameServer: GTEPH.BA-DSG.NET
Comment: Please send all abuse reports to (e-mail address removed).
Comment: DO NOT send e-mail to (e-mail address removed) as it will not
be answered.
RegDate: 2003-07-18
Updated: 2004-11-01

You may send a complaint to Verizon, that they have a customer who
caused false bounces, that led to this mail you received. Please include
the portion in the bounce, beginning with the "Final-Recipient" line (I
wouldn't call that a proper "header", but it does mainly contain what a
header would). I don't know if they will do something about it.


Gabriele Neukam

(e-mail address removed)
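Gabriele's walk-through of the Received: line, the a.b.c.d form of an IP number and the whois range, together with bts's point earlier that the From: line was forged and the bounce simply followed it, can be turned into a small triage script. The following is an added example for this page, not code from anyone in the thread: it parses a bounce of the shape quoted above, pulls out the injecting IP and its reverse DNS, the scanner verdict, and the header-chain evidence that the erols.com sender was forged, and checks the IP against the whois allocation. The bounce text is constructed from the fields quoted in the thread with the same asterisk masking; the Mail Delivery Subsystem address is a placeholder because the page removed it, and the /14 is the CIDR from the whois output above.

```python
"""Triage of a "Returned mail" bounce like the one quoted in this thread.

Added example for this page; not code from any of the posters. BOUNCE is
CONSTRUCTED from the fields visible in the thread (masked with asterisks
as in the post; the Mail Delivery Subsystem address is a placeholder).
VERIZON_ALLOCATION is the CIDR the whois output in the thread reports.
"""
import email.utils
import ipaddress
import re

VERIZON_ALLOCATION = "68.236.0.0/14"

BOUNCE = """\
From: Mail Delivery Subsystem <postmaster@example.invalid>
To: <pc****@erols.com>
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
Reporting-MTA: dns; nymx02.mgw.rr.com
Received-From-MTA: DNS; pool-68-239-225-80.nwrk.east.verizon.net
Final-Recipient: RFC822; r****@twcny.rr.com
Action: failed
Diagnostic-Code: SMTP; 550 5.1.6 Recipient no longer on server
Received: from SYSTEM.net (pool-68-239-225-80.nwrk.east.verizon.net
    [68.239.225.80])
    by nymx02.mgw.rr.com (8.12.10/8.12.8) with SMTP id iBFGrVmE021283
    for <r****@twcny.rr.com>; Wed, 15 Dec 2004 11:53:32 -0500 (EST)
From: "Pc" <pc****@erols.com>
To: "Rd" <r****@twcny.rr.com>
Subject: RE: Message Notify
X-Virus-Scanned: Symantec AntiVirus Scan Engine
X-Virus-Scan-Result: Repaired 23577 W32.Beagle@mm!zip
"""

# One unfolded sendmail Received: line:
#   from <HELO name> (<reverse DNS> [<IP>]) by <relay> (<version>) with <proto> ...
HOP_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)(?:\s+\([^)]*\))?\s+with\s+(?P<proto>\S+)",
    re.MULTILINE,
)

def unfold(text):
    """Join RFC 5322 folded continuation lines back onto their header."""
    return re.sub(r"\r?\n[ \t]+", " ", text)

def header(text, name):
    """First value of header `name` in `text` (after unfolding)."""
    m = re.search(rf"^{re.escape(name)}:\s*(.*)$", unfold(text),
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else None

def split_bounce(text):
    """DSN part vs. the quoted original, which starts at its first Received: line."""
    idx = text.find("\nReceived:")
    return text[:idx], text[idx + 1:]

def received_hops(original):
    """Hops topmost first; the last one is where the message entered the mail system."""
    return [m.groupdict() for m in HOP_RE.finditer(unfold(original))]

def is_public_ipv4(s):
    """Valid a.b.c.d with every octet 0-255 AND routable on the internet
    (rejects 0.0.0.0/8, private ranges, 255.255.255.255, and bad octets)."""
    try:
        return ipaddress.IPv4Address(s).is_global
    except ipaddress.AddressValueError:
        return False

def in_allocation(ip, cidr):
    """Does the address fall inside the whois NetRange/CIDR?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def forged_sender_indicators(original):
    """Reasons the quoted message did not come from the owner of its From: address."""
    hops = received_hops(original)
    origin = hops[-1]
    _, from_addr = email.utils.parseaddr(header(original, "From") or "")
    from_domain = from_addr.rpartition("@")[2].lower()
    touched = [h["by"] for h in hops] + [h["rdns"] for h in hops]
    reasons = []
    if from_domain and not any(h.lower().endswith(from_domain) for h in touched):
        reasons.append(f"no relay in {from_domain} handled the message")
    if origin["helo"].lower() != origin["rdns"].lower():
        reasons.append(f"HELO name {origin['helo']} does not match reverse DNS {origin['rdns']}")
    if origin["ip"].replace(".", "-") in origin["rdns"]:   # pool-68-239-225-80...
        reasons.append("first hop is a dynamically addressed consumer host")
    if origin["proto"].upper() == "SMTP":
        reasons.append("first hop spoke plain HELO/SMTP straight to the recipient's MX")
    return reasons

def triage(text):
    """Everything an abuse report to the whois contact needs, in one dict."""
    dsn, original = split_bounce(text)
    origin = received_hops(original)[-1]
    return {
        "auto_generated": (header(dsn, "Auto-Submitted") or "").startswith("auto-generated"),
        "reporting_mta": header(dsn, "Reporting-MTA"),
        "origin_ip": origin["ip"],
        "origin_rdns": origin["rdns"],
        "origin_ip_public": is_public_ipv4(origin["ip"]),
        "detection": (header(original, "X-Virus-Scan-Result") or "").split()[-1],
        "indicators": forged_sender_indicators(original),
    }
```

Run against the constructed bounce, `triage` reports the injecting host as 68.239.225.80 (reverse DNS pool-68-239-225-80.nwrk.east.verizon.net, inside 68.236.0.0/14), the verdict W32.Beagle@mm!zip, and four header-chain reasons the erols.com From: address cannot be trusted: no erols.com relay touched the message, the HELO name SYSTEM.net does not match the reverse DNS, the first hop is a dynamic pool address, and it spoke plain SMTP directly to the rr.com MX. That is the material to put in the complaint to the abuse contact from the whois record, and it is consistent with bitdefender finding nothing on John's machine.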
 

John L

Hi Gabriel,
Thanks for the info - thanks for going into detail.
I'm going to read up on headers....one needs to KNOW
these days. I learned SO much since my CWS episode.
If the average user only knew...keyloggers, trojans, etc.
I'm now using Mozilla and Eudora....and have more of an understanding
as to why so many people in the know aren't impressed with M/Soft.
I have Win2K...and M/Soft says no more patches for me until I go to XP
! - which I guess is what they want.
Your post very much appreciated.
John
 
