Virus help needed

Your company must have a rule setup in the email server which doesnt allow attachments of .exe, .vbs, or .pif files to be sent through so it automatically deletes them as they are sent out. Since you are receiving the email it is coming from the person sending it to you. I would check with that individual if it is a co-worker and let them know they most likely have a virus that is taking addresses from their address book and sending emails out (Either that or they are pissed you have not been replying back and are sending 20 emails per day )

If it is not a co-worker or someone you need to receive emails from you could simply create a rule to block everything coming from that email address which would solve your problem. Now this is not to say that you dont have a virus already but it sounds like you have searched everything on your machine and your Virus protection program was just updated right?

KyleS

 

Are all the emails the same or are there variations (e.g. exe file names, subject lines, body text different in each one)?

Do they appear to be coming from you or from someone else to you?

It's probably someone else who has a virus and has your email address on their computer. If you can post subject lines and body text (other than the scanmail blurb) we may be able to identify the virus.

 

What email client are you using? If you can view the headers in the message, look for a Return-Path, X-Apparently-From, or SMTPOriginator header and see if they're all coming from the same address. If it's Klez then this header should reveal the sender's email address so you can notify them.

 

The fact that you're getting .pif files as attachments means it's a virus/worm, probably Klez. It's probably someone in an organization who uses Scanmail for Lotus Notes, which is removing/blocking the attachment and then sending you that message.

What are you using for an email client? You may need to view the headers in the emails to get the actual sender's email address (look for a Return-Path, SMTPOriginator or X-Apparently-From header). Or if you know the domain they're coming from, maybe you can call someone in the IT dept. of the company that the emails are coming from, and they may be able to trace it from their end.

 

You're not sending the virus out, you're receiving it. Or you would be, if the sender didn't have Scanmail protection on their mail server.

Anyway, if you right-click on one of the messages and select Properties, you should be able to view the SMTP headers. One of these would be Return-Path or similar, usually at the top. This will have the actual sender's email address, at least if he's got Klez. Then you can send him an email and let him know. He (or she) might be blissfully unaware that his computer is sending out virus emails.

KJP

 

Klez spoofs sender email addresses. It uses a random address for the recipient as well as the sender.

Current corporate email anti-virus programs assume the sender of the message actually sent the message and issues a warning. This is not the case with Klez.

 

Mike, I'm thinking it's the 2nd scenario in my last post that is occurring. Another thing that occurred to me is if person B's machine is infected, and Klez is emailing itself out through the Notes SMTP server, since Klez uses From addresses other than the actual senders, Person B will never actually receive an alert from the server, since none of the messages appear to be coming "from" him.

What you might have to do is look at the info in the alert email to determine what company they are coming from, then try to get in touch with the Notes admin at that location. They should be able to pull the logs and determine who's infected.

 

I have on occasion gotten repeated infected messages (once every 8 minutes) that I had to move to the turf directory by sender. I have no idea how or why this is, so I blocked the email address.

Assuming you don't have a virus, there's a machine out there somewhere sending infected messages to someone at HUD with your address as the recipient. I've found many instances where the viral code is not written well and does not fully install or carry out all the damage it is supposed to. There could be a server somewhere in corporate America that no one is monitoring and has never been rebooted that is running poorly written Klez that is using the same email recipient and sender addresses over and over again.

I'd contact HUD email admin and explain that you are not the source of the messages. He should know this because it is Klez. If you're running Exchange server, just move them to the turfdir by sender address so you don't have to see them. Remember to empty out the turf directory on occasion.