Virus question for the experts... or whoever

Gerry

Ok I'll try to be as brief as possible,

I got an email today from my ISP, claiming that I am sending out viruses,
which is a violation of the terms of use, (obviously) and I may not be aware
of the infection and they recommended several a/v scanners, of which I run 1
they recommend, AVG, I also run F-prot and 'The Cleaner'
all of these found nothing, I then ran Trends 'house call' and it found
nothing, to my relief.

So, my question to the group is, how can someone claim to have got an
infected email from me when my system shows up clean, is there a way of using
the i.p address I am connected to via a port scanner etc, to 'bounce' a virus
or am I in fantasy land??

Or has a contact of mine become infected and the virus/worm is using my email
address from their address book to implicate me??


thanks for any thoughts.

btw my friend that had the pulez trojan has his problem rectified,
ta for the advice on that one.
 
bassbag

no- said:
> Ok I'll try to be as brief as possible,
>
> I got an email today from my ISP, claiming that I am sending out viruses,
> which is a violation of the terms of use, (obviously) and I may not be aware
> of the infection and they recommended several a/v scanners, of which I run 1
> they recommend, AVG, I also run F-prot and 'The Cleaner'
> all of these found nothing, I then ran Trends 'house call' and it found
> nothing, to my relief.
>
> So, my question to the group is, how can someone claim to have got an
> infected email from me when my system shows up clean, is there a way of using
> the i.p address I am connected to via a port scanner etc, to 'bounce' a virus
> or am I in fantasy land??
>
> Or has a contact of mine become infected and the virus/worm is using my email
> address from their address book to implicate me??
>
> thanks for any thoughts.
>
> btw my friend that had the pulez trojan has his problem rectified,
> ta for the advice on that one.

More than likely the latter explanation.
me
 
Ken Taylor

Gerry said:
> Ok I'll try to be as brief as possible,
>
> I got an email today from my ISP, claiming that I am sending out viruses,
> which is a violation of the terms of use, (obviously) and I may not be aware
> of the infection and they recommended several a/v scanners, of which I run 1
> they recommend, AVG, I also run F-prot and 'The Cleaner'
> all of these found nothing, I then ran Trends 'house call' and it found
> nothing, to my relief.
>
> So, my question to the group is, how can someone claim to have got an
> infected email from me when my system shows up clean, is there a way of using
> the i.p address I am connected to via a port scanner etc, to 'bounce' a virus
> or am I in fantasy land??
>
> Or has a contact of mine become infected and the virus/worm is using my email
> address from their address book to implicate me??
>
> thanks for any thoughts.
>
> btw my friend that had the pulez trojan has his problem rectified,
> ta for the advice on that one.

I agree with the latter. Ask the help desk for a copy of headers of
virus-infected e-mails going out (presumably they've received a complaint).
The headers should show whether it's you or not. Likely they can't provide
the information, in which case ask them to justify their first message.

Ken
 
Gerry

> I agree with the latter. Ask the help desk for a copy of headers of
> virus-infected e-mails going out (presumably they've received a complaint).
> The headers should show whether it's you or not. Likely they can't provide
> the information, in which case ask them to justify their first message.
>
> Ken

Thanks for the tip Ken,

Just spoke to the help desk, told them how many a/v programs I use and trojan
scanner etc, the cso was reasonably pc savvy, then I mentioned how many
fellow Optus customer port scans I see and never complain about as I figure
zonealarm is doing its job..

They say they give a 7 day grace and if it happens again they contact you, by
phone, then after that a suspension of the account, though he seems to think
I don't/won't have a problem,

He couldn't tell me much more than that (how many complaints etc) even to the
point of when the virus email occurred, as I wasn't on line on the day when
they sent the email to me... sounds a bit sus to me...
I did suggest about a contact maybe being infected and he tended to agree.


I never thought about the headers, and never thought about having them prove
it, I guess I took them at their word, bad move eh! will see what transpires,
I might ask them to send proof...

I did offer to email them a screen capture of the 3 a/v's & trojan results,
but I said to him they probably wouldn't accept the attachments. (screen
caps kept anyway for future arguments.)
 
FromTheRafters

Gerry said:
> Ok I'll try to be as brief as possible,
>
> I got an email today from my ISP, claiming that I am sending out viruses,
> which is a violation of the terms of use, (obviously) and I may not be aware
> of the infection and they recommended several a/v scanners, of which I run 1
> they recommend, AVG, I also run F-prot and 'The Cleaner'
> all of these found nothing, I then ran Trends 'house call' and it found
> nothing, to my relief.

Not finding is not the same as not having. Some malware
will have disabled the scanners' ability to provide trusted
results. Did you scan from a clean DOS environment?
....or at least from "Safe Mode"?

....but that is sort of beside the point.

Your machine is "probably" not the culprit anyway.
(see the other answers to your query)

> So, my question to the group is, how can someone claim to have got an
> infected email from me when my system shows up clean, is there a way of using
> the i.p address I am connected to via a port scanner etc, to 'bounce' a virus
> or am I in fantasy land??

I don't know much about packet spoofing, but I suppose it *is* a
(very remote) possibility.

But consider:

What, to the ISP, may be a single IP# assigned to you at a time
when malware laden e-mails were purportedly sent, may be to
you, one of many machines using that IP# by IP masquerading.
If you have a wireless network (LAN), and have not secured it
- yes - someone else may have actually been sending out said
malware from *your* assigned IP#. It may be a bad assumption
on my part that the ISP involved would know better than to trust
addresses as they appear in e-mail headers - and would instead
use the valid connection information to ascertain that it was indeed
your assigned IP# that, at that time, was responsible for sending
out the malware.

> Or has a contact of mine become infected and the virus/worm is using my email
> address from their address book to implicate me??

Much more likely, and *very* common these days.

> thanks for any thoughts.

Your ISP *should* know the difference between an e-mail that is
pretending to be from you, and e-mail that actually did originate
from a computer using the IP# assigned to you by them.

....but some of them are as clueless as they come.

[snip]
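
An added example, not part of any post in this thread: a sketch of the header check Ken and FromTheRafters describe, comparing the forgeable From: address with the connecting IP recorded by the recipient's own mail servers. The sample message, host names, IP addresses and the trusted-server list are all constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. Hosts and IPs are placeholders (.example names,
# RFC 5737 addresses). The From: line and the bottom Received: line were both
# written by the sending machine, so both can be forged.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby mailstore.recipient.example with ESMTP id A1; Mon, 3 May 2004 10:02:11 +1000
Received: from infected-pc (dsl45.other-isp.example [203.0.113.45])
\tby mx.recipient.example with SMTP id B2; Mon, 3 May 2004 10:02:09 +1000
Received: from gerry-pc ([192.0.2.10]) by mail.forged.example; Mon, 3 May 2004 09:59:00 +1000
From: "Gerry" <gerry@customer-isp.example>
To: someone@recipient.example
Subject: Re: your document

(attachment omitted)
"""

# Hypothetical names: the complainant's own mail servers, whose stamps we trust.
TRUSTED = {"mailstore.recipient.example", "mx.recipient.example"}

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?"
                 r"\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>[^\s;]+)")


def true_origin(raw, trusted):
    """Return (claimed From address, connecting IP at the trust boundary).

    Received headers are read newest first. Each one stamped by a trusted
    server records the real peer IP; the first one stamped by an unknown
    server, and everything below it, is sender-supplied and ignored.
    """
    msg = message_from_string(raw)
    ip = None
    for value in msg.get_all("Received", []):
        hop = HOP.search(value)
        if hop is None or hop["by"] not in trusted:
            break
        ip = hop["ip"]
    return parseaddr(msg.get("From", ""))[1], ip


def sent_from_customer(raw, trusted, leased_ip):
    """True only if the boundary hop's peer IP is the one leased to the customer."""
    return true_origin(raw, trusted)[1] == leased_ip
```

Here the From: address and the bottom Received: line both point at the customer (192.0.2.10), but the first hop stamped by a trusted server shows the message arrived from 203.0.113.45, which is the address an ISP should match against its lease records.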
 
Unknown

Gerry said:
> Ok I'll try to be as brief as possible,
>
> I got an email today from my ISP, claiming that I am sending out viruses,
> which is a violation of the terms of use, (obviously) and I may not be aware
> of the infection and they recommended several a/v scanners, of which I run 1
> they recommend, AVG, I also run F-prot and 'The Cleaner'
> all of these found nothing, I then ran Trends 'house call' and it found
> nothing, to my relief.
>
> So, my question to the group is, how can someone claim to have got an
> infected email from me when my system shows up clean, is there a way of using
> the i.p address I am connected to via a port scanner etc, to 'bounce' a virus
> or am I in fantasy land??

Simple. Many worms email themselves FROM an infected system as coming FROM
any name in the address book. Therefore, someone with your email details in
their address book who has infected themselves can unknowingly be sending
infected emails as if they came from you.

Go to http://us.mcafee.com/default.asp and near the bottom left of the page
is a FREE SCAN of your system. Doesn't get rid of anything but will identify
what you have. If you are clean after that, tell your ISP it isn't coming
FROM you and to do a better job of checking the headers. If you DO have an
infection, then whatever you are using as an AV scanner now is crap.
 
Tony & Bronwen Smith

Gerry said:
> Ok I'll try to be as brief as possible,
>
> I got an email today from my ISP, claiming that I am sending out viruses,
> which is a violation of the terms of use, (obviously) and I may not be aware
> of the infection and they recommended several a/v scanners, of which I run 1
> they recommend, AVG, I also run F-prot and 'The Cleaner'
> all of these found nothing, I then ran Trends 'house call' and it found
> nothing, to my relief.
>
> So, my question to the group is, how can someone claim to have got an
> infected email from me when my system shows up clean, is there a way of using
> the i.p address I am connected to via a port scanner etc, to 'bounce' a virus
> or am I in fantasy land??
>
> Or has a contact of mine become infected and the virus/worm is using my email
> address from their address book to implicate me??
>
> thanks for any thoughts.
>
> btw my friend that had the pulez trojan has his problem rectified,
> ta for the advice on that one.

As the group consensus it probably is someone else.

Only this week a friend at work received an email from his old email
address (no longer in use) to his new email with a virus attached.

Cheers Tony Smith
 
nondisputandum.com - honest software - famous free

> Ok I'll try to be as brief as possible,
>
> I got an email today from my ISP, claiming that I am sending out viruses,
> which is a violation of the terms of use, (obviously) and I may not be aware
> of the infection and they recommended several a/v scanners, of which I run 1
> they recommend, AVG, I also run F-prot and 'The Cleaner'
> all of these found nothing, I then ran Trends 'house call' and it found
> nothing, to my relief.
>
> So, my question to the group is, how can someone claim to have got an
> infected email from me when my system shows up clean, is there a way of using
> the i.p address I am connected to via a port scanner etc, to 'bounce' a virus
> or am I in fantasy land??
>
> Or has a contact of mine become infected and the virus/worm is using my email
> address from their address book to implicate me??
>
> thanks for any thoughts.
>
> btw my friend that had the pulez trojan has his problem rectified,
> ta for the advice on that one.

I think it's about time that we all disable the auto-response to the
sender of an infected mail address. Using the auto response in an
antivirus soft is becoming hoaxy...
 
Alex

It is quite unlikely that an ISP would have gone to the trouble of possibly
offending and losing customer unless they had proof and were getting
complaints or receiving viruses themselves from the offending Internet
connection.

Is your Internet connection run from more than one PC? An friend of a friend
was in a similar situation and was certain he didn't have a virus but was
also receiving warning from his ISP. Turned out his kid's laptop had a virus
on it....
 
Unknown

Alex said:
> It is quite unlikely that an ISP would have gone to the trouble of possibly
> offending and losing customer unless they had proof and were getting
> complaints or receiving viruses themselves from the offending Internet
> connection.

Ptttht to THAT! Many desk workers at ISPs like to THINK they know what they
are talking about and don't even know how to check a simple header! It isn't
rocket science. Anyone with interest who has never seen one before can work
it out in a short time. The danger for the deskies is that they see
themselves as knowledgeable and are, to a point. Go past that and they still
think they know what they are on about. Many people have caught their ISPs
out.

> Is your Internet connection run from more than one PC? An friend of a
> friend

AGH!! "A friend"! Not "An friend"!! :(

> was in a similar situation and was certain he didn't have a virus but was
> also receiving warning from his ISP. Turned out his kid's laptop had a virus
> on it....

So what? Many worms email themselves to an entire email address book as one
of the people IN that book. I actually got an email worm TO me coming FROM
me yet having come from Bigpond (even though the FROM didn't have a Bigpond
address) when I have never used them before.

Don't you remember, about 2 years ago, a Lib NSW MP had some of his "My
Documents" emailed to a Labor NSW MP? All strange things can happen in the
world of worms!

Make sure the backdoor is shut when you remove Sasser!
 
Marc Liron MVP

Hi,

With newer Sasser Worm variants appearing I also recommend you use a
Trojan Scanning tool to make sure nothing else has been placed on your PC.

Why?

The Sasser Worm did not have this as part of its code, HOWEVER the
newer variants could be written to do more than the original worm!

A FREE online Trojan scanner is here:

http://www.trojanscan.com

More on the Sasser worm at:

http://www.sasser-worm.com

Kind Regards

Marc Liron
Microsoft MVP
http://www.updatexp.com
 
