Oh my god what do I do .... !!!!

dw

After seeing some of the abuse people get when posting here, I am a
little nervous with this question...

I run Mozilla Firebird & Thunderbird email on a W98 computer. I get
volumes every day of emails from "Microsoft Network Security Division"
or "Microsoft Public Support", or "Microsoft Corporation Program
Security Division", etc referring to critical updates .... which at the
moment I just filter out using my Junk controls.

But .... are these viruses?

I also get mail every day from various mail servers which have a message
along the lines of "Undeliverable mail to (e-mail address removed)". This
worries me as this would seem to indicate my system is sending stuff out....

I am running AVG and this does not detect any virus infection.

I have just tried Trend 'HouseCall' and this is reporting that I have
WORM_BADTRANS_B in my Mozilla profile, and that it is non-cleanable.

Sigh .... do I need to torch my computer? Shall I visit the clinic,
light some incense sticks, sacrifice some chickens??

....Help .... !!!!

DW
 
Frederic Bonroy

dw wrote:
> After seeing some of the abuse people get when posting here, I am a
> little nervous with this question...

Abuse? Some people are a little bit trigger-happy, yes, but ask your
question anyway. If we like it we will throw flowers at you, if it sucks
you will be flamed. ;-)

> I run Mozilla Firebird & Thunderbird email on a W98 computer. I get
> volumes every day of emails from "Microsoft Network Security Division"
> or "Microsoft Public Support", or "Microsoft Corporation Program
> Security Division", etc referring to critical updates .... which at the
> moment I just filter out using my Junk controls.
>
> But .... are these viruses?

Yes - most probably Swen. Remember that Microsoft does NOT send out
updates via email.

> I also get mail every day from various mail servers which have a message
> along the lines of "Undeliverable mail to (e-mail address removed)". This
> worries me as this would seem to indicate my system is sending stuff out....

No. Addresses can be forged. I'm too lazy to look up Swen's description
right now so I can't tell you how these messages come into being
exactly, but they are not indicative of a virus infection on your computer.

> I am running AVG and this does not detect any virus infection.

If it's up-to-date then the reason is probably simply that you are not
infected, and that it does not scan your Thunderbird mailbox.

> I have just tried Trend 'HouseCall' and this is reporting that I have
> WORM_BADTRANS_B in my Mozilla profile, and that it is non-cleanable.

You probably have an infected message lying around in one of your mail
folders. That doesn't matter because Thunderbird is not vulnerable to
Badtrans.B, so if you did not explicitly click on the attachment then
everything is fine. Nevertheless you may want to locate the infected
message and delete it. Then delete it from the Trash folder also and
finally, compact your mail folders (or compress or purge or whatever
Thunderbird calls it).
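Frederic's point that a bounce proves nothing about your own machine can be checked rather than taken on faith: a delivery-status report normally returns the original message, and that message's Received: trace shows which host actually injected it. The script below is an added example, not code from the thread or from any of the posters. It parses two constructed bounces (one whose returned mail was injected by an unrelated dial-up host with a forged From:, one that really left through the user's provider) and reports whether the trace ever passes through the user's own mail domain. The host names, the `example.org` provider domain and the `analyse_bounce` function are all assumptions made for the example.

```python
import re
import email
from email import policy

# Constructed sample bounce (not from the thread): a delivery-status report
# whose returned original claims to be From: dw@example.org but was handed to
# the receiving server by a dial-up host that has nothing to do with dw's ISP.
SAMPLE_FORGED_BOUNCE = """\
From: MAILER-DAEMON@mail.example.net
To: dw@example.org
Subject: Undeliverable mail to nobody@example.net
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The following address failed: nobody@example.net

--B1
Content-Type: message/rfc822

Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.net with ESMTP; Wed, 10 Dec 2003 12:00:00 +0000
Received: from pc-1234.dialup.isp-elsewhere.example (203.0.113.77)
    by mail.example.net with SMTP; Wed, 10 Dec 2003 11:59:58 +0000
From: dw@example.org
To: nobody@example.net
Subject: Microsoft Critical Update

(worm body omitted)
--B1--
"""

# Constructed contrast case: the returned original really did leave through
# dw's provider (smtp.example.org), so this bounce is about dw's own mail.
SAMPLE_OWN_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: dw@example.org
Subject: Undeliverable mail to typo@example.net
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: text/plain

Unknown user: typo@example.net

--B2
Content-Type: message/rfc822

Received: from smtp.example.org (smtp.example.org [192.0.2.20])
    by mx.example.net with ESMTP; Wed, 10 Dec 2003 13:00:00 +0000
Received: from dw-pc (dialup-7.example.org [198.51.100.5])
    by smtp.example.org with SMTP; Wed, 10 Dec 2003 12:59:50 +0000
From: dw@example.org
To: typo@example.net
Subject: hello

Did my last mail arrive?
--B2--
"""

RECEIVED_FROM_RE = re.compile(r"\bfrom\s+([A-Za-z0-9.\-]+)", re.IGNORECASE)
RECEIVED_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.\-]+)", re.IGNORECASE)


def extract_original(bounce_text):
    """Return the message/rfc822 part carried by a DSN, or None if absent."""
    bounce = email.message_from_string(bounce_text, policy=policy.default)
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def received_hosts(msg):
    """Host names from the Received: trace, ordered first hop first."""
    hosts = []
    # Each relay prepends its own Received: header, so the last one in the
    # list is the first hop, i.e. the host that injected the message.
    for value in reversed(msg.get_all("Received", [])):
        text = str(value)
        for rx in (RECEIVED_FROM_RE, RECEIVED_BY_RE):
            m = rx.search(text)
            if m:
                hosts.append(m.group(1).lower())
    return hosts


def analyse_bounce(bounce_text, my_mail_domains):
    """Decide whether a bounce concerns mail that left through your own provider."""
    original = extract_original(bounce_text)
    if original is None:
        return {"verdict": "no returned message; nothing to trace"}
    hosts = received_hosts(original)
    via_mine = [h for h in hosts
                if any(h == d or h.endswith("." + d) for d in my_mail_domains)]
    first_hop = hosts[0] if hosts else None
    if via_mine:
        verdict = f"passed through {via_mine[0]}: this really was your mail"
    else:
        verdict = (f"forged sender: the returned message never touched your "
                   f"provider; it was injected at {first_hop}")
    return {
        "claimed_from": str(original["From"]),
        "first_hop": first_hop,
        "passed_through_my_mail_path": bool(via_mine),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_FORGED_BOUNCE, SAMPLE_OWN_BOUNCE):
        print(analyse_bounce(sample, {"example.org"})["verdict"])
```

Feed it the raw source of a real bounce (Thunderbird's "View Source") and your own provider's domain; a trace that never names your provider's relay is backscatter from a forged From:, which is exactly the case Frederic describes, whereas a trace that starts at your own dial-up host and passes your provider's SMTP server is mail that really left your account.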
 
Jeffrey A. Setaro

> After seeing some of the abuse people get when posting here, I am a
> little nervous with this question...
>
> I run Mozilla Firebird & Thunderbird email on a W98 computer. I get
> volumes every day of emails from "Microsoft Network Security Division"
> or "Microsoft Public Support", or "Microsoft Corporation Program
> Security Division", etc referring to critical updates .... which at the
> moment I just filter out using my Junk controls.
>
> But .... are these viruses?

Yes... Probably W32/Swen.

You may want to read the links:

1) "Information on Bogus Microsoft Security Bulletin E-mails"
<http://www.microsoft.com/technet/security/news/patch_hoax.asp>

2) "Microsoft Policies on Software Distribution"

> I also get mail every day from various mail servers which have a message
> along the lines of "Undeliverable mail to (e-mail address removed)". This
> worries me as this would seem to indicate my system is sending stuff out....

Not necessarily... It could also mean your e-mail address is in the
address book on one or more infected machines.

> I am running AVG and this does not detect any virus infection.

AVG should be able to detect any of the current mass mailing worms that
pose as a Microsoft patch. Make sure you have the latest version and
current definition file(s).

> I have just tried Trend 'HouseCall' and this is reporting that I have
> WORM_BADTRANS_B in my Mozilla profile, and that it is non-cleanable.

More than likely you have an infected attachment in your mail box...
nothing to worry about... As long as you don't run the attachment.

> Sigh .... do I need to torch my computer? Shall I visit the clinic,
> light some incense sticks, sacrifice some chickens??

Nope...

1) Browse through your inbox for the message with the infected
attachment and delete it (make sure you compact your mail folders
afterwards).

2) Make sure your copy of AVG is up to date and/or try a different
anti-virus product. Both F-Prot for Windows <http://www.f-prot.com> and Nod32

> ...Help .... !!!!

HTH.

--
Cheers-

Jeff Setaro
jasetaro <at> mags.net
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34
 
dw

Frederic said:
> Abuse? Some people are a little bit trigger-happy, yes, but ask your
> question anyway. If we like it we will throw flowers at you, if it sucks
> you will be flamed. ;-)
>
> Yes - most probably Swen. Remember that Microsoft does NOT send out
> updates via email.
>
> No. Addresses can be forged. I'm too lazy to look up Swen's description
> right now so I can't tell you how these messages come into being
> exactly, but they are not indicative of a virus infection on your computer.
>
> If it's up-to-date then the reason is probably simply that you are not
> infected, and that it does not scan your Thunderbird mailbox.
>
> You probably have an infected message lying around in one of your mail
> folders. That doesn't matter because Thunderbird is not vulnerable to
> Badtrans.B, so if you did not explicitly click on the attachment then
> everything is fine. Nevertheless you may want to locate the infected
> message and delete it. Then delete it from the Trash folder also and
> finally, compact your mail folders (or compress or purge or whatever
> Thunderbird calls it).

Sigh - what a feeling of relief !!!
Many thanks for your response !!
I also found my way to the Symantec site that another mail thread
referred to, and downloaded the BTRANS cleaner ... but it reported that
it could not find anything.
Perilous times !!

Many Thanks Peeps
DW
 
yoyo

> I run Mozilla Firebird & Thunderbird email on a W98 computer. I get
> volumes every day of emails from "Microsoft Network Security Division"
> or "Microsoft Public Support", or "Microsoft Corporation Program
> Security Division", etc referring to critical updates .... which at the
> moment I just filter out using my Junk controls.

Hello.........I came to this group in desperation having today received 16
of these damned things. I have been getting them every day for about three
months and I seem to get more each day. I came home from work to find 19
emails waiting for me........thought I was greatly in demand until I found
only 3 were genuine emails from nice humans and the rest were all as above.
I have tried to filter them straight into my deleted folder of Outlook
Express using critical words in the subject line or From line but that
doesn't seem to work or else I am not doing it properly. Why have I been
targeted and is there anything I can do? I changed my email address about 6
months ago as I was getting about 20 emails a day from Korea in
Korean........and some of them very distasteful I have to say (I don't speak
Korean.......I mean the moving pictures...yeuk)
I have Sophos anti-virus so nothing has done any damage apart to my nerves!

Yolanda
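Two pieces of advice in this thread call for the same tool: Frederic and Jeff both tell dw to find the message carrying the infected attachment and delete it (then empty Trash and compact), and Yolanda is trying to filter the fake "Microsoft" mails on words in the Subject and From lines. The script below is an added example, not code from the thread or from any poster. It parses a constructed three-message mbox (the format Thunderbird stores folders in) and lists the messages worth deleting, with the sender and subject to find them by, flagging a message when it carries an attachment with an executable extension or when it is Microsoft-branded and talks about an update or patch, the combination the thread says Microsoft never sends. The extension list, the keyword patterns, the `scan_mbox_text` function and all addresses are assumptions; the base64 blob decodes to the text "PLACEHOLDER", not a program.

```python
import mailbox
import os
import re
import tempfile
from email.utils import parseaddr

# Extensions Windows will execute on a double-click (assumed list, not the
# worm's definition).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".com", ".cmd", ".vbs"}
# Words the fake "Microsoft" mails in the thread used in their From: display
# names and subjects; both patterns are assumptions for this example.
SENDER_RE = re.compile(r"microsoft", re.IGNORECASE)
SUBJECT_RE = re.compile(r"\b(critical|security)\s+(update|patch|upgrade)\b",
                        re.IGNORECASE)

# Constructed three-message mbox (not real mail): two fakes and one genuine
# note. "UExBQ0VIT0xERVI=" is base64 for "PLACEHOLDER".
SAMPLE_MBOX = """\
From security@example.invalid Wed Dec 10 09:00:00 2003
From: "Microsoft Network Security Division" <security@example.invalid>
To: dw@example.org
Subject: Critical Update: Latest Internet Security Patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="p1"

--p1
Content-Type: text/plain

Install the attached update immediately.

--p1
Content-Type: application/octet-stream; name="Upgrade.exe"
Content-Disposition: attachment; filename="Upgrade.exe"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=

--p1--

From alice@example.com Wed Dec 10 10:00:00 2003
From: Alice <alice@example.com>
To: dw@example.org
Subject: Lunch on Friday?
Content-Type: text/plain

Are you free?

From support@example.invalid Wed Dec 10 11:00:00 2003
From: "Microsoft Public Support" <support@example.invalid>
To: dw@example.org
Subject: Security Upgrade for your Internet Client
Content-Type: text/plain

Click the link to get the latest patch.
"""


def executable_attachments(msg):
    """Filenames of attached parts whose extension Windows would execute."""
    names = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTS:
            names.append(filename)
    return names


def assess(msg):
    """Return the signals (possibly none) that mark a message as a fake patch mail."""
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.split("@")[-1]
    claims_microsoft = bool(SENDER_RE.search(display_name) or SENDER_RE.search(domain))
    # Microsoft does not distribute updates by e-mail (the point made in the
    # thread), so a Microsoft-branded update/patch mail is suspect by itself.
    claims_update = claims_microsoft and bool(SUBJECT_RE.search(msg.get("Subject", "")))
    return {
        "claims_microsoft_update": claims_update,
        "executable_attachments": executable_attachments(msg),
    }


def scan_mbox_text(mbox_text):
    """Parse mbox text and list the messages worth deleting, with sender and subject."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w") as fh:
        fh.write(mbox_text)
    flagged = []
    box = mailbox.mbox(path)
    try:
        for index, key in enumerate(sorted(box.keys())):
            msg = box[key]
            result = assess(msg)
            if result["claims_microsoft_update"] or result["executable_attachments"]:
                result.update(index=index, sender=msg.get("From", ""),
                              subject=msg.get("Subject", ""))
                flagged.append(result)
    finally:
        box.close()
        os.unlink(path)
    return flagged


if __name__ == "__main__":
    for hit in scan_mbox_text(SAMPLE_MBOX):
        print(hit["index"], hit["sender"], "|", hit["subject"], hit["executable_attachments"])
```

Point it at a copy of the folder file from the Mozilla profile rather than the live one, then delete the listed messages in the mail client, empty Trash and compact the folder, as Frederic described; an executable attachment is flagged on its own, so the scanner also catches fakes whose subject wording the keyword pattern does not anticipate, which is the gap Yolanda's subject-only filter leaves.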
 
David W. Hodgins

> Hello.........I came to this group in desperation having today received 16
> of these damned things. I have been getting them every day for about three
> months and I seem to get more each day. I came home from work to find 19

The email messages you are receiving are being generated by an email worm
that has been installed on many computers, by people who have either opened
the attachment to one of these messages, or are running old versions of
Microsoft software that automatically installs the worm just by viewing
the messages.

From the headers on your post...
X-Newsreader: Microsoft Outlook Express 5.50.4133.2400

You are running a very old version of Outlook that will auto-install the worm.
You are not only receiving these messages, but your computer is also sending
them out (almost guaranteed). Note that the worm will hide any copies of
itself, sent from your computer, to your computer.

In order to find email addresses to send new copies of the worm to, it looks
in Usenet messages for unmunged addresses, like yours. The more you post
to Usenet without munging your address, the more likely you are to have
the Swen messages sent to you. Look at my email address and my signature
on this post for an example of how to munge your address.

You need to remove the worm from your computer. Any up-to-date virus scanner
should be able to do this.

You need to update your software, or better yet, avoid Microsoft as much as
possible.

See http://www.claymania.com/nav-map.html for a lot of info, and links, on
how to protect your computer.

Regards, Dave Hodgins
 
Peter Seiler

David W. Hodgins - 09.12.2003 22:09:
> In order to find email addresses to send new copies of the worm to, it looks
> in usenet messages, for unmunged addresses, like yours. The more you post
> to usenet, without munging your address, the more likely you are, to have
> the swen messages sent to you. Look at my email address, and my signature,
> on this post, for an example of how to munge your address.

I did manipulate my address exactly the same way as you do. Well, but
your way of manipulating your address is forbidden here in Germany by
many ISPs, mine too. These ISPs make a real address as a condition.
Otherwise they close your access to that provider. Perhaps a common
behavior in Germany?
 
David W. Hodgins

> I did manipulate my address exactly the same way as you do. Well, but
> your way of manipulating your address is forbidden here in Germany by
> many ISPs, mine too. These ISPs make a real address as a condition.
> Otherwise they close your access to that provider. Perhaps a common
> behavior in Germany?

Look at the headers on one of your posted articles.

Don't specify a reply-to address, or at least munge it too.

Regards, Dave Hodgins
 
Gabriele Neukam

On that special day, Peter Seiler, ([email protected]) said...
> your way of manipulating your address is forbidden here in Germany by
> many ISPs, mine too. These ISPs make a real address as a condition.
> Otherwise they close your access to that provider. Perhaps a common
> behavior in Germany?

You can still change your *real* address in a way that it will not be
targeted by Swen (although that doesn't work against other worms), by
inserting "spam" or "delete" into the local part.


Gabriele Neukam

(e-mail address removed)
 
Peter Seiler

Gabriele Neukam - 10.12.2003 18:58:
> You can still change your *real* address in a way that it will not be
> targeted by Swen (although that doesn't work against other worms), by
> inserting "spam" or "delete" into the local part.

as I posted above, many ISPs here in Germany *claim* an unchanged real
address! Otherwise, when one should simply click "reply to sender only"
not removing "Spam" from a changed/manipulated address by hand, this
Email can not be delivered. That's the reason for my ISP insisting upon
a real (unchanged, unmanipulated) address :-( Otherwise, as I posted,
the provider could suspend my account. I made this experience :(- It's
really a terrible situation.
 
Bart Bailey

Gabriele said:
> You can still change your *real* address in a way that it will not be
> targeted by Swen (although that doesn't work against other worms), by
> inserting "spam" or "delete" into the local part.

What's t-online's policy about using the privacynet deadbox?
([email protected])
http://news.individual.de/faq.html#5.3
also, does the Message-ID: generated by your server put a valid addy
that will resolve to your account? (I snipped it just in case)?
 
Frederic Bonroy

Peter said:
> as I posted above, many ISPs here in Germany *claim* an unchanged real
> address! Otherwise, when one should simply click "reply to sender only"
> not removing "Spam" from a changed/manipulated address by hand, this
> Email can not be delivered. That's the reason for my ISP insisting upon
> a real (unchanged, unmanipulated) address :-( Otherwise, as I posted,
> the provider could suspend my account. I made this experience :(- It's
> really a terrible situation.

The Germans are stubborn blinders-wearing bureaucrats as far as the
netiquette is concerned. Either you kiss your current ISP goodbye and
try to find another more liberal one, or you set up a throw-away email
account and use that one in newsgroups - it's still a valid address.
This is what I do (I am in Germany, but I use the famous "call by call"
system so I do not depend on any single ISP. Still the throw-away
address is very useful).
 
David W. Hodgins

> as I posted above, many ISPs here in Germany *claim* an unchanged real
> address! Otherwise, when one should simply click "reply to sender only"
> not removing "Spam" from a changed/manipulated address by hand, this
> Email can not be delivered. That's the reason for my ISP insisting upon
> a real (unchanged, unmanipulated) address :-( Otherwise, as I posted,
> the provider could suspend my account. I made this experience :(- It's
> really a terrible situation.

First, remove your reply-to address, or make it the same as your from address.

If your ISP insists on using real addresses, when you use their
news server, don't use their news server.

Use one like http://News.Individual.net/ (also in Germany), which will
allow you to specify an address of (e-mail address removed), in your usenet
postings, although you do have to provide a real email address, when
you register.

Regards, Dave Hodgins
 
Peter Seiler

David W. Hodgins - 10.12.2003 23:30:
> First, remove your reply-to address, or make it the same as your from address.
>
> If your ISP insists on using real addresses, when you use their
> news server, don't use their news server.
>
> Use one like http://News.Individual.net/ (also in Germany), which will
> allow you to specify an address of (e-mail address removed), in your usenet
> postings, although you do have to provide a real email address, when
> you register.
>
> Regards, Dave Hodgins

THX for your kind hints.
 
Gabriele Neukam

On that special day, Bart Bailey, ([email protected]) said...
> What's t-online's policy about using the privacynet deadbox?
> ([email protected])

Dunno, but I think they are closing their eyes on that, if someone is
doing it successfully. With successfully, I mean that these customers
are using a special service that doesn't force their real mail address
into the header, as the TOL mail servers do it with the mails of their
ordinary customers (some are only slightly more intelligent than AOL
users, and don't have the slightest idea how to insert *any* address).


Gabriele Neukam

(e-mail address removed)
 
Gabriele Neukam

On that special day, Peter Seiler, ([email protected]) said...
> as I posted above, many ISPs here in Germany *claim* an unchanged real
> address!

Peter, my address *is* real, with each and every letter at its proper
place! I said: "change the *real* address", and I meant "change it to
another *real* address". I thought this was intelligible enough.

You won't reach me at something like Gabriele.fighter.Neukam(at)TOL.de
at all, because that doesn't exist. The address given below exists. Got
the point?


Gabriele Neukam

(e-mail address removed)
 
Larry Sabo

David W. Hodgins - 10.12.2003 23:30:
Not according to their Rules of Usage...

Accurate Sender Address
The e-mail addresses in From:, Reply-To:, and Sender: fields must
belong to you and they have to be valid. Using identifiers of other
individuals without their permission or e-mail addresses that will
bounce is not permitted.

Larry
 
David W. Hodgins

> Not according to their Rules of Usage...
> Accurate Sender Address
> The e-mail addresses in From:, Reply-To:, and Sender: fields must
> belong to you and they have to be valid. Using identifiers of other
> individuals without their permission or e-mail addresses that will
> bounce is not permitted.

That's just saying don't forge someone else's address *without their
permission*.

In http://news.individual.net/faq.html#5.3, they state that privacy.net
has given permission to use (e-mail address removed)

Regards, Dave Hodgins
 
MickKi

Hi Gabriele,

> Peter, my address *is* real, with each and every letter at its proper
> place! I said: "change the *real* address", and I meant "change it to
> another *real* address". I thought this was intelligible enough.
>
> You won't reach me at something like Gabriele.fighter.Neukam(at)TOL.de
> at all, because that doesn't exist. The address given below exists. Got
> the point?

How do you deal with spam using an unmunged address? Aren't you inundated
with it?

Regards,

Mick
 
Gabriele Neukam

On that special day, MickKi, ([email protected]) said...
> How do you deal with spam using an unmunged address? Aren't you inundated
> with it?

Interestingly, the spam has drastically decreased since I changed my
address. Before, I had been sent about half a dozen make-your-non-
existing-thingie-bigger (I am female) each day.

By now, there is one or so from the east asia region, per week, which I
cannot read because I don't have Chinese or Korean character sets on my
machine. And then there is this one Nigerian, "Chris Taylor", who seems
not to bother if he is swamping servers with messages to non existing
addresses. But else, it is rather quiet in my inbox.


Gabriele Neukam

(e-mail address removed)
 
