Is this email a virus?

Top Spin

About once a week or so, I get an email message addressed to me with:

From: Mail Delivery Subsystem [[email protected]]

Subject: Returned mail: User unknown

The body of the email is copied below. There are always 2 attachments
with names like:

ATT00013.DAT & ATT00016.TXT

This looks like I tried to send an email to (e-mail address removed), but I
have no such email address anywhere in my contact list and I do not
recognize the address.

Can anyone tell me what this is?

Thanks

==========================================================
The original message was received at Tue, 8 Feb 2005 12:16:36 -0500
(EST)
from ppp-64-175-164-2.ded.pacbell.net [64.175.164.2]


*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with
its
delivery. The address which was undeliverable is listed in the
section
labeled: "----- The following addresses had permanent fatal errors
-----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your
e-mail could
not be delivered. The next line contains a second error message which
is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--AOL Postmaster



----- The following addresses had permanent fatal errors -----
<[email protected]>

----- Transcript of session follows -----
... while talking to air-yj02.mail.aol.com.:
>>> RCPT To:<[email protected]>
<<< 550 MAILBOX NOT FOUND
550 <[email protected]>... User unknown
 
David H. Lipman

The files ATT00013.DAT & ATT00016.TXT are not indicative of email infectors. They are
most likely generated by two different email systems trying to communicate. Extensions such
as BAT, PIF, COM, or double extensions are signs of infectors in email.

If you were to examine the two attachments they most likely contain the original email message
and/or headers.

Now it is possible that your email address was found on a friend's PC who was indeed
infected and the infector sent out email using your email address. Then the failed email
came back to you by assuming you had sent the email. So it is likely the failed mail
message is the result of an emailed virus, but what you received is not necessarily a
virus.

If you want to be sure, submit both ATT00013.DAT & ATT00016.TXT to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submissions will then be tested against several different AV vendors' scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

Please post back the EXACT results.

--
Dave




| About once a week or so, I get an email message addressed to me with:
|
| From: Mail Delivery Subsystem [[email protected]]
|
| Subject: Returned mail: User unknown
|
| The body of the email is copied below. There are always 2 attachments
| with names like:
|
| ATT00013.DAT & ATT00016.TXT
|
| This looks like I tried to send an email to (e-mail address removed), but I
| have no such email address anywhere in my contact list and I do not
| recognize the address.
|
| Can anyone tell me what this is?
|
| Thanks
|
| ==========================================================
| The original message was received at Tue, 8 Feb 2005 12:16:36 -0500
| (EST)
| from ppp-64-175-164-2.ded.pacbell.net [64.175.164.2]
|
|
| *** ATTENTION ***
|
| Your e-mail is being returned to you because there was a problem with
| its
| delivery. The address which was undeliverable is listed in the
| section
| labeled: "----- The following addresses had permanent fatal errors
| -----".
|
| The reason your mail is being returned to you is listed in the section
| labeled: "----- Transcript of Session Follows -----".
|
| The line beginning with "<<<" describes the specific reason your
| e-mail could
| not be delivered. The next line contains a second error message which
| is a
| general translation for other e-mail servers.
|
| Please direct further questions regarding this message to your e-mail
| administrator.
|
| --AOL Postmaster
|
|
|
| ----- The following addresses had permanent fatal errors -----
| <[email protected]>
|
| ----- Transcript of session follows -----
| ... while talking to air-yj02.mail.aol.com.:
| >>> RCPT To:<[email protected]>
| <<< 550 MAILBOX NOT FOUND
| 550 <[email protected]>... User unknown
|
|
| --
| Email: Usenet-20031220 at spamex.com
| (11/09/04)
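Dave's rule of thumb (an executable extension such as BAT, PIF or COM, or a double extension, marks an attachment as suspect; a lone .DAT or .TXT does not) is easy to apply mechanically. The script below is an added example and is not code from anyone in the thread. The extension list is the three Dave names plus the other types Windows of that era would run on double-click, which is an editorial assumption; the sample filenames are constructed.

```python
import os
import re

# BAT, PIF and COM are the extensions named in the post; the rest are other
# types Windows of that era executed on double-click (editorial assumption).
EXECUTABLE_EXTS = {"bat", "pif", "com", "exe", "scr", "cmd", "vbs", "js", "hta"}


def classify_attachment(name: str) -> str:
    """Classify an attachment filename as 'executable', 'double-extension'
    (a data-looking name with an executable extension after it) or 'data'."""
    base = os.path.basename(name.strip()).lower()
    # Collapse runs of spaces used to push the real extension out of view in a
    # narrow attachment column, e.g. "photo.jpg                     .scr".
    base = re.sub(r"\s+", " ", base)
    parts = [p.strip() for p in base.split(".") if p.strip()]
    if len(parts) < 2:
        return "data"          # no extension at all
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        # Anything before the real extension that itself looks like an
        # extension ("invoice.txt.pif") is the double-extension trick.
        return "double-extension" if len(parts) >= 3 else "executable"
    return "data"


def triage(names):
    """Return, in order, the attachment names that warrant a scan before opening."""
    return [n for n in names if classify_attachment(n) != "data"]


if __name__ == "__main__":
    # Constructed sample: the two names from the thread plus typical infector names.
    sample = ["ATT00013.DAT", "ATT00016.TXT", "readme.txt.pif",
              "setup.exe", "photo.jpg      .scr"]
    for n in sample:
        print(f"{n!r:28} {classify_attachment(n)}")
```

Only the filename is examined here; a file's real type is decided by its content, so a "data" verdict is a reason not to panic, not a reason to skip the scan Dave recommends.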
 
Top Spin

| The files ATT00013.DAT & ATT00016.TXT are not indicative of email infectors. They are
| most likely generated by two different email systems trying to communicate. Extensions such
| as BAT, PIF, COM, or double extensions are signs of infectors in email.
|
| If you were to examine the two attachments they most likely contain the original email message
| and/or headers.
|
| Now it is possible that your email address was found on a friend's PC who was indeed
| infected and the infector sent out email using your email address. Then the failed email
| came back to you by assuming you had sent the email. So it is likely the failed mail
| message is the result of an emailed virus, but what you received is not necessarily a
| virus.
|
| If you want to be sure, submit both ATT00013.DAT & ATT00016.TXT to Virus Total --
| http://www.virustotal.com/flash/index_en.html
| The submissions will then be tested against several different AV vendors' scanners.
|
| Another way to submit is to send the suspect file to the following email address
| scan<at>virustotal.com
| { replace <at> with @ } with only the word SCAN as the subject.
|
| Please post back the EXACT results.

OK. I forwarded the email with both attachments. The text of the reply
is below. It appears that it only scanned one of the files.

It looks like it's OK to examine the contents. Right?

I always thought that files with .dat and .txt extensions are safe to
open with WordPad or similar. Is that incorrect?

Thanks





VirustotalServer response

--------------------------------------------------------------------------------

Results of a file scan
This is the report of the scanning done over "ATT00016.txt" file that
VirusTotal processed on 02/08/2005 at 22:41:05 (GMT+1).
Antivirus Version Update Result
AntiVir 6.29.0.11 02.08.2005 no virus found
AVG 718 02.07.2005 no virus found
BitDefender 7.0 02.08.2005 no virus found
ClamAV devel-20050130 02.08.2005 no virus found
DrWeb 4.32b 02.08.2005 no virus found
eTrust-Iris 7.1.194.0 02.08.2005 no virus found
eTrust-Vet 11.7.0.0 02.08.2005 no virus found
Fortinet 2.51 02.08.2005 no virus found
F-Prot 3.16a 02.08.2005 no virus found
Kaspersky 4.0.2.24 02.08.2005 no virus found
NOD32v2 1.993 02.07.2005 no virus found
Norman 5.70.10 02.07.2005 no virus found
Panda 8.02.00 02.08.2005 no virus found
Sybari 7.5.1314 02.08.2005 no virus found
Symantec 8.0 02.08.2005 no virus found



VirusTotal is a free service offered by Hispasec Sistemas. There are
no guarantees about availability and continuity of this service. Do
not reply to this message; it has been sent by an automated process that
will not handle such responses. Even though the detection rate given by
the use of multiple antivirus engines is far superior to the one
offered by only one product, these results DON'T guarantee the
harmlessness of a file. There is no solution that can offer a
100% rate of effectiveness recognizing viruses and malware.

Terms of use
©1998-2005 Hispasec Sistemas.
 
David H. Lipman

Well, I didn't mean to "forward" the email to Virus Total, just submit the two ATT*.* files
for confirmation. ;-)

Yes, you can open .DAT and TXT files in WordPad.

--
Dave





|
| OK. I forwarded the email with both attachments. The text of the reply
| is below. It appears that it only scanned one of the files.
|
| It looks like it's OK to examine the contents. Right?
|
| I always thought that files with .dat and .txt extensions are safe to
| open with WordPad or similar. Is that incorrect?
|
| Thanks
|
|
|
|
|
| VirustotalServer response
|
| --------------------------------------------------------------------------------
|
| Results of a file scan
| This is the report of the scanning done over "ATT00016.txt" file that

< snip - clean report from Virus Total >
 
Top Spin

| If you want to be sure, submit both ATT00013.DAT & ATT00016.TXT to Virus Total --
| http://www.virustotal.com/flash/index_en.html
| The submissions will then be tested against several different AV vendors' scanners.

An odd thing happened when I went to that site. The CPU usage
immediately jumped from 2-3% to 85%. I can go a number of other sites
and the CPU usage drops back down to single digits, but if I return to
VirusTotal, it jumps back to 85% and stays there.

What is that site doing?
 
Top Spin

| Well, I didn't mean to "forward" the email to Virus Total, just submit the two ATT*.* files
| for confirmation. ;-)

It looked like I had two options: (1) I could "submit" the files,
which I thought meant that I would need to save them on my disk first,
or (2) send the files as an email attachment per the instructions on
the bottom half of the page.

The forwarding worked, but it only scanned 1 file.

I saved them both and then submitted them using the web site. Both
came back clean.
| Yes, you can open .DAT and TXT files in WordPad.

OK, I did. The contents of each are below. I removed my email address
in the second one.

Is it possible that some spyware is sending messages from my machine?

I downloaded AdAware, but stopped running it because it never found
anything. I do have the corporate edition of Norton Antivirus running
and a hardware firewall on my DSL connection. Both are installed and
maintained by the leasing company where I get my computer systems.

Thanks



ATT00013.DAT
Reporting-MTA: dns; rly-yj04.mx.aol.com
Arrival-Date: Tue, 8 Feb 2005 12:16:36 -0500 (EST)

Final-Recipient: RFC822; (e-mail address removed)
Action: failed
Status: 5.1.1
Remote-MTA: DNS; air-yj02.mail.aol.com
Diagnostic-Code: SMTP; 550 MAILBOX NOT FOUND
Last-Attempt-Date: Tue, 8 Feb 2005 12:16:58 -0500 (EST)



ATT00016.TXT
Received: from aol.com (ppp-64-175-164-2.ded.pacbell.net
[64.175.164.2]) by rly-yj04.mx.aol.com (v104.17) with ESMTP id
MAILRELAYINYJ48-8124208f3f32d5; Tue, 08 Feb 2005 12:16:35 -0500
From: (e-mail address removed) (This was my email address)
To: (e-mail address removed)
Subject: Re: Hello
Date: Tue, 8 Feb 2005 09:16:35 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0003_00006F0F.00001FC8"
X-Priority: 3
X-MSMail-Priority: Normal
X-AOL-IP: 64.175.164.2
X-AOL-SCOLL-SCORE: 0:0:0:
X-AOL-SCOLL-URL_COUNT: 0
Message-ID: <[email protected]>
 
David H. Lipman

It could be the Flash content.

--
Dave




| On Tue, 08 Feb 2005 21:25:15 GMT, "David H. Lipman"
|
| An odd thing happened when I went to that site. The CPU usage
| immediately jumped from 2-3% to 85%. I can go a number of other sites
| and the CPU usage drops back down to single digits, but it I return to
| VirusTotal, it jumps back to 85% and stays there.
|
| What is that site doing?
|
| --
| Email: Usenet-20031220 at spamex.com
| (11/09/04)
 
David H. Lipman

Pretty much what I expected to be in the ATT*.* files.

--
Dave




| On Tue, 08 Feb 2005 21:53:14 GMT, "David H. Lipman"
|
| >Well, I didn't mean to "forward" the email to Virus Total, just submit the two ATT*.* files
| >for confirmation. ;-)
|
| It looked like I had two options: (1) I could "submit" the files,
| which I thought meant that I would need to save them on my disk first,
| or (2) send the files as an email attachment per the instructions on
| the bottom half of the page.
|
| The forwarding worked, but it only scanned 1 file.
|
| I saved them both and then submitted them using the web site. Both
| came back clean.
|
| >Yes, you can open .DAT and TXT files in WordPad.
|
| OK, I did. The contents of each are below. I removed my email address
| in the second one.
|
| Is it possible that some spyware is sending messages from my machine?
|
| I downloaded AdAware, but stopped running it because it never found
| anything. I do have the corporate edition of Norton Antivirus running
| and a hardware firewall on my DSL connection. Both are instaled and
| maintained by the leasing company where I get my computer systems.
|
| Thanks
|
|
|
| ATT00013.DAT
| Reporting-MTA: dns; rly-yj04.mx.aol.com
| Arrival-Date: Tue, 8 Feb 2005 12:16:36 -0500 (EST)
|
| Final-Recipient: RFC822; (e-mail address removed)
| Action: failed
| Status: 5.1.1
| Remote-MTA: DNS; air-yj02.mail.aol.com
| Diagnostic-Code: SMTP; 550 MAILBOX NOT FOUND
| Last-Attempt-Date: Tue, 8 Feb 2005 12:16:58 -0500 (EST)
|
|
|
| ATT00016.TXT
| Received: from aol.com (ppp-64-175-164-2.ded.pacbell.net
| [64.175.164.2]) by rly-yj04.mx.aol.com (v104.17) with ESMTP id
| MAILRELAYINYJ48-8124208f3f32d5; Tue, 08 Feb 2005 12:16:35 -0500
| From: (e-mail address removed) (This was my email address)
| To: (e-mail address removed)
| Subject: Re: Hello
| Date: Tue, 8 Feb 2005 09:16:35 -0800
| MIME-Version: 1.0
| Content-Type: multipart/mixed;
| boundary="----=_NextPart_000_0003_00006F0F.00001FC8"
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-AOL-IP: 64.175.164.2
| X-AOL-SCOLL-SCORE: 0:0:0:
| X-AOL-SCOLL-URL_COUNT: 0
| Message-ID: <[email protected]>
|
|
| --
| Email: Usenet-20031220 at spamex.com
| (11/09/04)
 
Top Spin

| Pretty much what I expected to be in the ATT*.* files.

I thought maybe the virus writers had made it look like it came from
AOL so I would open the attachment and catch the virus. But this looks
like it is a real bounced email message from AOL. Right?

Is there any way to tell where the email that got bounced was sent
from? If it was from my machine, then I need to disinfect it. If from
someone I know, I would like to tell them so they can disinfect
theirs.

Thanks
 
David H. Lipman

I'm not that good at knowing the real source of email but my guess would be...

ppp-64-175-164-2.ded.pacbell.net

--
Dave




| On Tue, 08 Feb 2005 22:32:35 GMT, "David H. Lipman"
|
| >Pretty much what I expected to be in the ATT*.* files.
|
| I thought maybe the virus writers had made it look like it came from
| AOL so I would open the attachment and catch the virus. But this looks
| like it is a real bounced email message from AOL. Right?
|
| Is there any way to tell where the email that got bounced was sent
| from? If it was from my machine, then I need to disinfect it. If from
| someone I know, I would like to tell them so they can disinfect
| theirs.
|
| Thanks
|
|
| --
| Email: Usenet-20031220 at spamex.com
| (11/09/04)
 
GSV Three Minds in a Can

Top Spin said:
| I thought maybe the virus writers had made it look like it came from
| AOL so I would open the attachment and catch the virus. But this looks
| like it is a real bounced email message from AOL. Right?
|
| Is there any way to tell where the email that got bounced was sent
| from?

Look at the full header (or as much as AOL sent you back)

| If it was from my machine, then I need to disinfect it. If from
| someone I know, I would like to tell them so they can disinfect
| theirs.

odds-on it was from some spammer who faked you as the 'from' domain. AOL
is not very canny about what it bounces or where it bounces it to. I get
them all the time.
 
Gabriele Neukam

On that special day, Top Spin, ([email protected]) said...
| ATT00016.TXT
| Received: from aol.com (ppp-64-175-164-2.ded.pacbell.net
| [64.175.164.2]) by rly-yj04.mx.aol.com (v104.17) with ESMTP id
| MAILRELAYINYJ48-8124208f3f32d5; Tue, 08 Feb 2005 12:16:35 -0500

Are you a Packard Bell customer? If not, follow the advice given in the
WHOIS info eg from
http://ww1.arin.net/whois/
re the IP number 64.175.164.2
"please send all abuse issue e-mails to (e-mail address removed)"

which means, send this file ATT00016.TXT to said address, and tell them
you got a "bounce" because someone faked your address.


Gabriele Neukam

(e-mail address removed)
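Dave's guess at the source (the pacbell.net host in the Received: line), GSV's advice to read the full header, and Gabriele's suggestion to look the IP up in WHOIS can be reduced to one short script. The following is an added example, not code from anyone in the thread. It works on copies of the two attachment bodies as Top Spin posted them (the addresses and the Message-ID are placeholders, not the real ones), and reports the bounce reason from the delivery-status part, the first-hop IP and reverse DNS from the Received: header, whether AOL's own X-AOL-IP header agrees, and whether the HELO name the sending machine announced belongs to the reverse-DNS name it actually had. The small table of enhanced status codes is taken from RFC 3463, not from the thread.

```python
import re
from email import message_from_string, policy

# Constructed copies of the two attachments as posted in the thread.
# Addresses and the Message-ID are placeholders, not the poster's real ones.
ATT00013_DAT = """\
Reporting-MTA: dns; rly-yj04.mx.aol.com
Arrival-Date: Tue, 8 Feb 2005 12:16:36 -0500 (EST)

Final-Recipient: RFC822; nobody@aol.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; air-yj02.mail.aol.com
Diagnostic-Code: SMTP; 550 MAILBOX NOT FOUND
Last-Attempt-Date: Tue, 8 Feb 2005 12:16:58 -0500 (EST)
"""

ATT00016_TXT = """\
Received: from aol.com (ppp-64-175-164-2.ded.pacbell.net
 [64.175.164.2]) by rly-yj04.mx.aol.com (v104.17) with ESMTP id
 MAILRELAYINYJ48-8124208f3f32d5; Tue, 08 Feb 2005 12:16:35 -0500
From: victim@example.net
To: nobody@aol.com
Subject: Re: Hello
X-AOL-IP: 64.175.164.2
Message-ID: <placeholder@example.net>
"""

# A few RFC 3463 enhanced status codes, enough to read the common bounces.
STATUS_MEANING = {
    "5.1.1": "bad destination mailbox address (user unknown)",
    "5.1.2": "bad destination system address (domain does not exist)",
    "5.7.1": "delivery not authorized, message refused",
    "4.2.2": "mailbox full, temporary failure",
}

# "from <helo> (<rdns> [<ip>]) by <relay>" as written by sendmail-style MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\((?:(?P<rdns>[^\s\[\]()]+)\s*)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_dsn(text):
    """Split an RFC 3464 delivery-status body into the per-message block and
    one dict per recipient block; blocks are separated by a blank line."""
    blocks = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            if ":" in line:
                name, value = line.split(":", 1)
                fields[name.strip().lower()] = value.strip()
        blocks.append(fields)
    return blocks[0], blocks[1:]


def received_hops(headers_text):
    """Parsed Received: lines in header order; relays prepend, so the last
    entry is the earliest hop, i.e. where the message entered the mail system."""
    msg = message_from_string(headers_text, policy=policy.default)
    hops = []
    for raw in msg.get_all("Received", []):
        match = RECEIVED_RE.search(re.sub(r"\s+", " ", str(raw)))
        if match:
            hops.append(match.groupdict())
    return hops


def analyse_bounce(dsn_text, headers_text):
    """Why did it bounce, and where was the bounced message really sent from?"""
    _, recipients = parse_dsn(dsn_text)
    rcpt = recipients[0] if recipients else {}
    status = rcpt.get("status", "")
    hops = received_hops(headers_text)
    origin = hops[-1] if hops else {}
    helo = (origin.get("helo") or "").lower()
    rdns = (origin.get("rdns") or "").lower()
    # A HELO name that the reverse DNS does not belong to is the usual
    # footprint of a mass mailer claiming to be somebody else's server.
    helo_mismatch = bool(helo and rdns) and not (
        rdns == helo or rdns.endswith("." + helo)
    )
    aol_ip = str(message_from_string(headers_text, policy=policy.default)
                 .get("X-AOL-IP") or "").strip()
    return {
        "final_recipient": rcpt.get("final-recipient", "").split(";")[-1].strip(),
        "status": status,
        "status_meaning": STATUS_MEANING.get(status, "unknown code"),
        "diagnostic": rcpt.get("diagnostic-code", "").split(";")[-1].strip(),
        "origin_ip": origin.get("ip"),
        "origin_rdns": origin.get("rdns"),
        "helo": origin.get("helo"),
        "helo_mismatch": helo_mismatch,
        "ip_corroborated": bool(aol_ip) and aol_ip == origin.get("ip"),
        "whois_command": f"whois {origin['ip']}" if origin.get("ip") else None,
    }


if __name__ == "__main__":
    for key, value in analyse_bounce(ATT00013_DAT, ATT00016_TXT).items():
        print(f"{key:16} {value}")
```

With a single hop, as here, the only Received: line is the one AOL's relay wrote when it accepted the message, so the IP in it is the machine that connected to AOL. A machine announcing itself as aol.com from a pacbell.net address is forging its identity as well as the sender address; whether that address is the poster's own DSL line is Gabriele's question and only the poster can answer it, and if it is not, the netblock's abuse contact from WHOIS is the right recipient for ATT00016.TXT.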
 
David H. Lipman

Packard Bell ?

And all along I thought it was Pacific Bell. ;-)

--
Dave




| On that special day, Top Spin, ([email protected]) said...
|
| > ATT00016.TXT
| > Received: from aol.com (ppp-64-175-164-2.ded.pacbell.net
| > [64.175.164.2]) by rly-yj04.mx.aol.com (v104.17) with ESMTP id
| > MAILRELAYINYJ48-8124208f3f32d5; Tue, 08 Feb 2005 12:16:35 -0500
|
| Are you a Packard Bell customer? If not, follow the advice given in the
| WHOIS info eg from
| http://ww1.arin.net/whois/
| re the IP number 64.175.164.2
| "please send all abuse issue e-mails to (e-mail address removed)"
|
| which means, send this file ATT00016.TXT to said address, and tell them
| you got a "bounce" because someone faked your address.
|
|
| Gabriele Neukam
|
| (e-mail address removed)
|
|
| --
| Ah, Information. A property, too valuable these days, to give it away,
| just so, at no cost.
 
David H. Lipman

I don't think those two MS KB articles are relevant, as the contents of the DAT and TXT files
don't jibe with the information in the KB articles.

--
Dave




| |
| > About once a week or so, I get an email message addressed
| > to me with:
| >
| > From: Mail Delivery Subsystem [[email protected]]
| >
| > Subject: Returned mail: User unknown
| >
| > The body of the email is copied below. There are always 2
| > attachments with names like:
| >
| > ATT00013.DAT & ATT00016.TXT
| >
| > -snip-
|
| About the .DAT files
| http://support.microsoft.com/default.aspx?scid=kb;EN-US;q241538
|
| About .TXT files
| http://support.microsoft.com/?kbid=157735
|
| J
| --
| Replies to: Nherr1professor2doktor31109(at)Oyahoo(dot)Tcom
 
