Viruses and Worms in e-mails sent to me... Please, can anyone help?

Ham

Looks like it is the 40th time I face a self-executing attachment posted to
me from an unknown sender.
Firstly, more than 30 e-mails from Microsoft. I know they contain worms, so
using my filter rules in Hotmail, I blocked them. But I still receive these
infected messages. Today I received a message from <Net Email Delivery
Service> with the subject <Abort Report>. Opening the message, suddenly
my McAfee alert came on and warned about a new worm. Also Outlook Express
warned about trying to open a dangerous attachment (though I did not even
open the attachment). All I did was delete the infected attachment with McAfee.
Next thing was looking at the source of the message:


X-Message-Info: CGfHVPHfZ44MnYcvh8R4FQdJlbbvm8WlwRSO/bKKRIQ=
Received: from mc9-f21.hotmail.com ([65.54.166.28]) by mc9-s5.hotmail.com
with Microsoft SMTPSVC(5.0.2195.5600);
Sat, 27 Sep 2003 01:40:18 -0700
Received: from rwcrmhc13.comcast.net ([204.127.198.39]) by
mc9-f21.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
Sat, 27 Sep 2003 01:38:12 -0700
Date: Sat, 27 Sep 2003 08:38:00 +0000 (GMT)
X-Comment: Sending client does not conform to RFC822 minimum requirements
X-Comment: Date has been added by Maillennium.
Received: from wrvp (h0010dc6ed576.ne.client2.attbi.com[24.91.252.135])
by comcast.net (rwcrmhc13) with SMTP
id <2003092708375801500ifctke>; Sat, 27 Sep 2003 08:37:58 +0000
FROM: "Net Email Delivery Service" <[email protected]>
TO: "Email Recipient" <[email protected]>
SUBJECT: Abort Report



I looked for the IPs 24.91.252.135 and 204.127.198.39 using
www.ripe.net, but nothing was found for either of them.
Then how can I get rid of this mass of infected mails sent to my Hotmail
account every day?


Any help is so much regarded.



------


------
Technical Information
Complete message source:


X-Message-Info: CGfHVPHfZ44MnYcvh8R4FQdJlbbvm8WlwRSO/bKKRIQ=
Received: from mc9-f21.hotmail.com ([65.54.166.28]) by mc9-s5.hotmail.com
with Microsoft SMTPSVC(5.0.2195.5600);
Sat, 27 Sep 2003 01:40:18 -0700
Received: from rwcrmhc13.comcast.net ([204.127.198.39]) by
mc9-f21.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
Sat, 27 Sep 2003 01:38:12 -0700
Date: Sat, 27 Sep 2003 08:38:00 +0000 (GMT)
X-Comment: Sending client does not conform to RFC822 minimum requirements
X-Comment: Date has been added by Maillennium.
Received: from wrvp (h0010dc6ed576.ne.client2.attbi.com[24.91.252.135])
by comcast.net (rwcrmhc13) with SMTP
id <2003092708375801500ifctke>; Sat, 27 Sep 2003 08:37:58 +0000
FROM: "Net Email Delivery Service" <[email protected]>
TO: "Email Recipient" <[email protected]>
SUBJECT: Abort Report
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="wmnqqejiagoxf"
Return-Path: (e-mail address removed)
Message-ID: <[email protected]>
X-OriginalArrivalTime: 27 Sep 2003 08:38:12.0757 (UTC)
FILETIME=[B0043450:01C384D2]

--wmnqqejiagoxf
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD></HEAD>
<BODY>
<iframe src=3D"cid:hwcnlo" height=3D0 width=3D0></iframe>
<BR><BR>Hi.
<BR>Message from puremail.net
<BR><BR>I'm afraid =
the message returned below could not be delivered =
to the following addresses:<BR>
<BR><BR><BR>Undelivered mail to <B>[email protected]</B>
<BR><BR><BR>Message follows:<BR><BR><BR><BR>
</BODY></HTML>

--wmnqqejiagoxf
Content-Type: audio/x-wav; name="ehqrjfd.exe"
Content-Transfer-Encoding: base64
Content-Id: <hwcnlo>







---------
 
GoumbaYa

The first address belongs to Comcast, the second one to AT&T. I'm not sure
how this info helps you though.


 
Bruce Chambers

Greetings --

What you received is either a very common malicious hoax or the
output of a computer infected by one of several wide-spread, mass
emailing worms. The most widely-known are:

W32.Swen.A_mm
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

W32.Dumaru_mm
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

W32.Gibe_mm
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

Microsoft never has, does not currently, and never will email
unsolicited security patches. At the most, if, and only if, you
subscribe to their security notification newsletter, they will send
you an email informing you that a new patch is available for
downloading.

Microsoft Policies on Software Distribution
http://www.microsoft.com/technet/treeview/?url=/technet/security/policy/swdist.asp

Information on Bogus Microsoft Security Bulletin Emails
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/patch_hoax.asp

How to Tell If a Microsoft Security-Related Message Is Genuine
http://www.microsoft.com/security/antivirus/authenticate_mail.asp

Any and all legitimate patches and updates are readily available
at http://windowsupdate.microsoft.com/. (Notice that this is the true
URL, rather than the bogus one that may have been contained in the
email you received.) Any messages that point to any other source(s) or
claim to have the patch attached are bogus.

You're receiving these emails because your email address is in
the address book of someone infected with a worm, and/or because you
posted your real email address somewhere on-line, either in a forum
accessible to the public and spambots, such as Usenet, or on an
untrustworthy web site that subsequently sold your address as part of
a mailing list. One thing you can do is notify _everyone_ with whom
you've ever corresponded via email that one or more of them may be
infected with a mass emailing worm, and should take the appropriate
steps.

There's probably no way of blocking all of the bogus messages, but
you can greatly reduce the number you get by creating a rule, based
upon the most commonly used subject lines, to delete the emails from
the server without ever downloading them.


Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
N. Miller

Ham said:
Opening the message, suddenly my McAfee alert came on and warned about a
new worm. Also Outlook Express warned about trying to open a dangerous
attachment (though I did not even open the attachment).

Just McAfee doing its job. However, if you have reason to suspect malicious
content of a message, don't ever open the message. With MSOE you can just
check the properties; this is not the same as opening the message.

The MSOE warning is built into the default operation of the program, and it
will *always* be displayed when there is an attachment to the message. MSOE
is just too stupid to be able to know malicious from safe; that is why you
are running McAfee! ;)

You can't stop the messages from coming; I can't even do that, though I am
running my own mail server. All I can do is reject messages based on some
standard criteria; in my case, I just closed the account, and then read the
log to see how many rejects there are. Because it is unlikely that you are
in control of the server, all you can do is try and filter; and, maybe, call
your provider and see if they will set up filters.
 
Wesley VogelX

GoumbaYa;
FYI, Comcast bought AT&T's cable network. Some of Comcast's addresses
show up as att......
Wes
 
Ham

[Just McAfee doing its job. However, if you have reason to suspect malicious
content of a message, don't ever open the message. With MSOE you can just
check the properties; this is not the same as opening the message.]
------
------
Greetings,

First of all, I thought this damn problem with IE6 and OE6 in XP about
letting attachments self-execute was solved (with those claims from
Microsoft about the patch for this vulnerability and .....)... However, I see
those attachments again try to self-execute, using the infected MIME header
of the message.... (How can Microsoft say that??!)

Second, I cannot view the properties of a message in my Hotmail server from
OE unless I open the message and view its content (then, what the hell
does the property stand for?).... Looks like OE is always living with
these vulnerabilities and no one can solve the problems forever.. (How many
other hotfixes and security patches shall we install on our systems?....
Every day a new vulnerability in XP or OE is discovered... Then why were
they released sooooo soooon? 2001-2002?.....)
 
N. Miller

Ham said:
[Just McAfee doing its job. However, if you have reason to suspect malicious
content of a message, don't ever open the message. With MSOE you can just
check the properties; this is not the same as opening the message.]
First of all, I thought this damn problem with IE6 and OE6 in XP about
letting attachments self-execute was solved (with those claims from
Microsoft about the patch for this vulnerability and .....)... However, I see
those attachments again try to self-execute, using the infected MIME header
of the message.... (How can Microsoft say that??!)

What have you done to lock down your browser? MSIE will still try to auto
execute scripts if you don't turn off scripts in your security settings; but
that should only happen when you open a message. You shouldn't be opening
the message! Or your security settings should be higher. Or both.

Ham said:
Second, I cannot view the properties of a message in my Hotmail server from
OE unless I open the message and view its content...

Then you are doing something wrong. In MSOE, when logged in to a Hotmail
account, you have to download the message; but that can be done *without*
opening the message! Then you right-click on the message, or highlight it
and tap the Alt+Enter keys (if something tries to happen when you just
highlight the message, you have not patched the "iframe" exploit!). From the
resulting dialogue box you click the "Details" tab, then click the "Message
Source" button. In that way you can examine the message properties without
opening the message.

Ham said:
(Then, what the hell does the property stand for?).... Looks like OE is
always living with these vulnerabilities and no one can solve the problems
forever.. (How many other hotfixes and security patches shall we install on
our systems?.... Every day a new vulnerability in XP or OE is discovered...
Then why were they released sooooo soooon?
(I'm gonna learn "Linux" the next week!)

Or, you could learn Pegasus Mail.
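
The check described above (reading the message source instead of opening the message) can be automated. The Python below is an added example, not part of any post in this thread: it parses a raw message without rendering it and flags the two traits visible in the posted source, an attachment named .exe but declared as audio/x-wav, and an iframe that references that part by Content-ID. The sample message is constructed, with a placeholder address and a harmless payload; inspect_message and EXECUTABLE_EXT are names chosen here.

```python
import email
import re
from email import policy

# Constructed sample modelled on the message source quoted in this thread;
# the address is a placeholder and the payload is harmless filler text.
SAMPLE = b"""\
From: "Net Email Delivery Service" <sender@example.invalid>
Subject: Abort Report
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="wmnqqejiagoxf"

--wmnqqejiagoxf
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><iframe src=3D"cid:hwcnlo" height=3D0 width=3D0></iframe>
<BR>Undelivered mail</BODY></HTML>

--wmnqqejiagoxf
Content-Type: audio/x-wav; name="ehqrjfd.exe"
Content-Transfer-Encoding: base64
Content-Id: <hwcnlo>

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
--wmnqqejiagoxf--
"""

EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed list

def inspect_message(raw: bytes) -> list[str]:
    """Return findings for a raw message; nothing is rendered or saved."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, risky_cids, html_cids = [], set(), set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()  # falls back to name=
        if name.endswith(EXECUTABLE_EXT) and not ctype.startswith("application/"):
            findings.append(f"{name} declared as {ctype}")  # type/name mismatch
            risky_cids.add((part["Content-ID"] or "").strip("<> "))
        if ctype == "text/html":  # get_content() decodes quoted-printable
            html_cids.update(re.findall(r'<iframe[^>]+src="cid:([^"]+)"', part.get_content(), re.I))
    for cid in sorted(html_cids & risky_cids):
        findings.append(f"iframe loads executable part cid:{cid}")
    return findings
```
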
 