Virus help needed

Discussion in 'Computers' started by Mike LS, Apr 8, 2003.

  1. Mike LS

    Mike LS Supporting Actor

    Joined:
    Jun 29, 2000
    Messages:
    838
    Likes Received:
    0
    I keep getting an email at my work address as follows:

*******************************************************

    An attachment with an extension of .exe, .vbs, or .pif has been detected and removed from the e-mail message in accordance with HUD policy

    Date: 4/7/2003 12:50:9
    Subject: Privacy Certified
    Virus: Blocked;
    File: border.exe
    From: msmith msmith@**********.com
    To: CN=SF Premiums/OU=HSNG/OU=HHQ/O=HUD @ HUD;
    Action: Blocked;

    Scanned by ScanMail for Lotus Notes 2.5
    with scanengine 6.150-1001
    and patternfile lpt$vpn.506

******************************************************

    I started getting this a week or so ago, and now I'm probably getting 10-20 of these per day. It sounds like my machine is sending something out. I've done a search on "border.exe" and the only virus reference I get is a Klez variant.
    Only thing is that I have up-to-date virus protection and do full system scans every week. After getting a few of these I did another scan with the newest virus definitions (Norton's 2002) and it found nothing.

    Is this a problem on the other person's machine? I know that some viruses send false warnings out.

    I don't think my machine is the problem, but I want to be sure because I'm getting tired of getting all of these messages.

    Any ideas?
     
  2. KyleS

    KyleS Screenwriter

    Joined:
    Jul 24, 2000
    Messages:
    1,232
    Likes Received:
    0
    Your company must have a rule set up in the email server which doesn't allow attachments of .exe, .vbs, or .pif files to be sent through, so it automatically deletes them as they are sent out. Since you are receiving the email it is coming from the person sending it to you. I would check with that individual if it is a co-worker and let them know they most likely have a virus that is taking addresses from their address book and sending emails out (Either that or they are pissed you have not been replying back and are sending 20 emails per day )

    If it is not a co-worker or someone you need to receive emails from, you could simply create a rule to block everything coming from that email address, which would solve your problem. Now this is not to say that you don't have a virus already, but it sounds like you have searched everything on your machine and your virus protection program was just updated, right?

    KyleS
     
  3. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,439
    Likes Received:
    0
    Are all the emails the same or are there variations (e.g. exe file names, subject lines, body text different in each one)?

    Do they appear to be coming from you or from someone else to you?

    It's probably someone else who has a virus and has your email address on their computer. If you can post subject lines and body text (other than the scanmail blurb) we may be able to identify the virus.
     
  4. Mike LS

    Mike LS Supporting Actor

    Joined:
    Jun 29, 2000
    Messages:
    838
    Likes Received:
    0
    KyleS,

    There are no restrictions on our network. It's a fairly small setup and I do most of the administrative work on it, so I know most of the ins and outs of how it's set up. Nothing is blocked going out.
    This isn't coming from anyone I work with or know (never seen the address AFAIK). It's being automatically generated from the hud.gov server. Nobody at HUD that I know.
    I do a fair amount of email exchanges with customers, but not using my personal address, so I'm not sure how someone I don't know could have gotten that particular address (I have about 10 here at work that I use, but I'm extremely careful of who I give my personal address to).

    Kevin P,

    Come to think of it, there are 2 variations of the same email. Next time I get one I'll post the subject line, but the two I've noticed just vary a tad by the subject line. Only reason I noticed is that I have about 8 of them this morning when I got in, and the subject line lengths were a little different but the body of the message seemed the same.
    They are definitely coming from outside our building, so either I'm broadcasting something that Norton's isn't catching or someone has my address in their book and their machine is bombarding me with messages.
    I'll probably just block the address and be done with it, but I wanted to be sure that it's their problem first.

    I would just reply to the person sending it, but it looks like it's some sort of an automated admin address that it's coming from. The server looks like it's catching a message coming from me and sending an auto reply. The actual recipients email doesn't seem to be showing up from what I can tell.
     
  5. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,439
    Likes Received:
    0
    What email client are you using? If you can view the headers in the message, look for a Return-Path, X-Apparently-From, or SMTPOriginator header and see if they're all coming from the same address. If it's Klez then this header should reveal the sender's email address so you can notify them.
     
  6. Mike LS

    Mike LS Supporting Actor

    Joined:
    Jun 29, 2000
    Messages:
    838
    Likes Received:
    0
  7. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,439
    Likes Received:
    0
    The fact that you're getting .pif files as attachments means it's a virus/worm, probably Klez. It's probably someone in an organization who uses Scanmail for Lotus Notes, which is removing/blocking the attachment and then sending you that message.

    What are you using for an email client? You may need to view the headers in the emails to get the actual sender's email address (look for a Return-Path, SMTPOriginator or X-Apparently-From header). Or if you know the domain they're coming from, maybe you can call someone in the IT dept. of the company that the emails are coming from, and they may be able to trace it from their end.
     
  8. Mike LS

    Mike LS Supporting Actor

    Joined:
    Jun 29, 2000
    Messages:
    838
    Likes Received:
    0
    I'm using Outlook XP.

    So if I'm sending out a virus, why is my Virus program not catching it?
     
  9. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,439
    Likes Received:
    0
    You're not sending the virus out, you're receiving it. Or you would be, if the sender didn't have Scanmail protection on their mail server.

    Anyway, if you right-click on one of the messages and select Properties, you should be able to view the SMTP headers. One of these would be Return-Path or similar, usually at the top. This will have the actual sender's email address, at least if he's got Klez. Then you can send him an email and let him know. He (or she) might be blissfully unaware that his computer is sending out virus emails.

    KJP
     
  10. Hanson

    Hanson Producer

    Joined:
    Nov 1, 1998
    Messages:
    4,692
    Likes Received:
    147
    Real Name:
    Hanson
    Klez spoofs sender email addresses. It uses a random address for the recipient as well as the sender.

    Current corporate email anti-virus programs assume the sender of the message actually sent the message and issue a warning. This is not the case with Klez.
     
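    A constructed way to apply Kevin P's header check (Return-Path, SMTPOriginator, X-Apparently-From and the Received chain) together with Hanson's point that Klez forges the From line, as an added example that is not part of this thread: it reads a message's headers and decides whether the From address is spoofed, whether the mail originated inside our own domain, or whether it came from an identifiable outside sender. The sample message, every host and address in it, and the function names are all made up for this example.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the alert in the thread: the From line claims
# a colleague, but the envelope sender and the first Received hop belong to
# another organisation. Every host and address here is made up.
RAW_MAIL = b"""Return-Path: <jdoe@othercorp.example>
Received: from mail.hud.example (mail.hud.example [192.0.2.10])
\tby mx.mike-work.example with ESMTP; Mon, 7 Apr 2003 12:50:09 -0400
Received: from pc-17.othercorp.example ([198.51.100.23])
\tby mail.hud.example with SMTP; Mon, 7 Apr 2003 12:50:02 -0400
From: msmith <msmith@mike-work.example>
To: mike@mike-work.example
Subject: Privacy Certified

An attachment with an extension of .exe, .vbs, or .pif has been detected
"""

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def envelope_sender(msg):
    # The headers Kevin P names, checked in order; From itself is not trusted.
    for name in ("Return-Path", "SMTPOriginator", "X-Apparently-From"):
        if msg.get(name):
            return parseaddr(msg[name])[1].lower()
    return ""

def received_hops(msg):
    # Each relay prepends its own Received line, so the last one is the origin.
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.match(r"\s*from\s+(\S+)", value, re.IGNORECASE)
        hops.append(m.group(1).lower() if m else "")
    return hops  # origin first

def triage(raw, our_domain):
    msg = email.message_from_bytes(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    env = envelope_sender(msg)
    origin = (received_hops(msg) or [""])[0]
    origin_ours = origin == our_domain or origin.endswith("." + our_domain)
    if domain_of(from_addr) == our_domain and not origin_ours and domain_of(env) != our_domain:
        verdict = "spoofed-from"    # backscatter: our address was forged
    elif origin_ours:
        verdict = "internal-origin" # scan the originating host
    else:
        verdict = "external-origin" # notify that domain's mail admin
    return {"from": from_addr, "envelope": env, "origin": origin, "verdict": verdict}
```

Run `triage(RAW_MAIL, "mike-work.example")` to see the sample classified as spoofed-from: the From domain is ours but both the envelope sender and the originating host are not.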
  11. Mike LS

    Mike LS Supporting Actor

    Joined:
    Jun 29, 2000
    Messages:
    838
    Likes Received:
    0
    Ah. OK. So the sender's system is catching the email on the way out and sending me notification of the attachments that were removed.

    I'll see if I can get in touch with the person next time I get a message.

    Thanks for all the help.
     
  12. Hanson

    Hanson Producer

    Joined:
    Nov 1, 1998
    Messages:
    4,692
    Likes Received:
    147
    Real Name:
    Hanson
     
  13. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,439
    Likes Received:
    0
     
  14. Hanson

    Hanson Producer

    Joined:
    Nov 1, 1998
    Messages:
    4,692
    Likes Received:
    147
    Real Name:
    Hanson
     
  15. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,439
    Likes Received:
    0
     
  16. Mike LS

    Mike LS Supporting Actor

    Joined:
    Jun 29, 2000
    Messages:
    838
    Likes Received:
    0
    Kevin,

    I have not received any actual infected mail in quite a while. I do handle customer email for my company, so I get quite a bit of "mailing list" type mail from people that I don't know. So I'm usually getting a good bit of infected mail. But I haven't gotten anything since all of this started.

    Hanson,

    The recipient is always my personal email address here at work. I check 6 or 7 addresses at my domain personally, but the problem messages are always addressed to my personal address.
    I don't know of anyone else on our domain that is getting them. The majority of folks around here are pretty much computer illiterate except what they have to do here, and I'm usually the one they ask if they get any suspicious messages. I would probably know if they were going to anyone else.
     
  17. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,439
    Likes Received:
    0
    Mike, I'm thinking it's the 2nd scenario in my last post that is occurring. Another thing that occurred to me is if person B's machine is infected, and Klez is emailing itself out through the Notes SMTP server, since Klez uses From addresses other than the actual sender's, Person B will never actually receive an alert from the server, since none of the messages appear to be coming "from" him.

    What you might have to do is look at the info in the alert email to determine what company they are coming from, then try to get in touch with the Notes admin at that location. They should be able to pull the logs and determine who's infected.
     
  18. Hanson

    Hanson Producer

    Joined:
    Nov 1, 1998
    Messages:
    4,692
    Likes Received:
    147
    Real Name:
    Hanson
    I have on occasion gotten repeated infected messages (once every 8 minutes) that I had to move to the turf directory by sender. I have no idea how or why this is, so I blocked the email address.

    Assuming you don't have a virus, there's a machine out there somewhere sending infected messages to someone at HUD with your address as the recipient. I've found many instances where the viral code is not written well and does not fully install or carry out all the damage it is supposed to. There could be a server somewhere in corporate America that no one is monitoring and has never been rebooted that is running poorly written Klez that is using the same email recipient and sender addresses over and over again.

    I'd contact HUD email admin and explain that you are not the source of the messages. He should know this because it is Klez. If you're running Exchange server, just move them to the turfdir by sender address so you don't have to see them. Remember to empty out the turf directory on occasion.
     