Virus help needed

Mike LS

Supporting Actor
Joined
Jun 29, 2000
Messages
838
I keep getting an email at my work address as follows:

*******************************************************

An attachment with an extension of .exe, .vbs, or .pif has been detected and removed from the e-mail message in accordance with HUD policy

Date: 4/7/2003 12:50:9
Subject: Privacy Certified
Virus: Blocked;
File: border.exe
From: msmith [email protected]**********.com
To: CN=SF Premiums/OU=HSNG/OU=HHQ/O=HUD @ HUD;
Action: Blocked;

Scanned by ScanMail for Lotus Notes 2.5
with scanengine 6.150-1001
and patternfile lpt$vpn.506

*******************************************************

I started getting this a week or so ago, and now I'm probably getting 10-20 of these per day. It sounds like my machine is sending something out. I've done a search on "border.exe" and the only virus reference I get is a Klez variant.
Only thing is that I have up-to-date virus protection and do full system scans every week. After getting a few of these I did another scan with the newest virus definitions (Norton's 2002) and it found nothing.

Is this a problem on the other person's machine? I know that some viruses send false warnings out.

I don't think my machine is the problem, but I want to be sure because I'm getting tired of getting all of these messages.

Any ideas?
 

KyleS

Screenwriter
Joined
Jul 24, 2000
Messages
1,232
Your company must have a rule set up in the email server which doesn't allow attachments of .exe, .vbs, or .pif files to be sent through, so it automatically deletes them as they are sent out. Since you are receiving the email, it is coming from the person sending it to you. I would check with that individual if it is a co-worker and let them know they most likely have a virus that is taking addresses from their address book and sending emails out (either that or they are pissed you have not been replying back and are sending 20 emails per day ;) )

If it is not a co-worker or someone you need to receive emails from, you could simply create a rule to block everything coming from that email address, which would solve your problem. Now this is not to say that you don't have a virus already, but it sounds like you have searched everything on your machine and your virus protection program was just updated, right?

KyleS
 

Kevin P

Screenwriter
Joined
Jan 18, 1999
Messages
1,439
Are all the emails the same or are there variations (e.g. exe file names, subject lines, body text different in each one)?

Do they appear to be coming from you or from someone else to you?

It's probably someone else who has a virus and has your email address on their computer. If you can post subject lines and body text (other than the scanmail blurb) we may be able to identify the virus.
 

Mike LS

Supporting Actor
Joined
Jun 29, 2000
Messages
838
KyleS,

There are no restrictions on our network. It's a fairly small setup and I do most of the administrative work on it, so I know most of the ins and outs of how it's set up. Nothing is blocked going out.
This isn't coming from anyone I work with or know (never seen the address AFAIK). It's being automatically generated from the hud.gov server. Nobody at HUD that I know.
I do a fair amount of email exchanges with customers, but not using my personal address, so I'm not sure how someone I don't know could have gotten that particular address (I have about 10 here at work that I use, but I'm extremely careful of who I give my personal address to).

Kevin P,

Come to think of it, there are 2 variations of the same email. Next time I get one I'll post the subject line, but the two I've noticed just vary a tad by the subject line. Only reason I noticed is that I have about 8 of them this morning when I got in, and the subject line lengths were a little different but the body of the message seemed the same.
They are definitely coming from outside our building, so either I'm broadcasting something that Norton's isn't catching or someone has my address in their book and their machine is bombarding me with messages.
I'll probably just block the address and be done with it, but I wanted to be sure that it's their problem first.

I would just reply to the person sending it, but it looks like it's some sort of an automated admin address that it's coming from. The server looks like it's catching a message coming from me and sending an auto reply. The actual recipient's email doesn't seem to be showing up from what I can tell.
 

Kevin P

Screenwriter
Joined
Jan 18, 1999
Messages
1,439
What email client are you using? If you can view the headers in the message, look for a Return-Path, X-Apparently-From, or SMTPOriginator header and see if they're all coming from the same address. If it's Klez then this header should reveal the sender's email address so you can notify them.
 

Kevin P

Screenwriter
Joined
Jan 18, 1999
Messages
1,439
The fact that you're getting .pif files as attachments means it's a virus/worm, probably Klez. It's probably someone in an organization who uses Scanmail for Lotus Notes, which is removing/blocking the attachment and then sending you that message.

What are you using for an email client? You may need to view the headers in the emails to get the actual sender's email address (look for a Return-Path, SMTPOriginator or X-Apparently-From header). Or if you know the domain they're coming from, maybe you can call someone in the IT dept. of the company that the emails are coming from, and they may be able to trace it from their end.
 

Mike LS

Supporting Actor
Joined
Jun 29, 2000
Messages
838
I'm using Outlook XP.

So if I'm sending out a virus, why is my Virus program not catching it?
 

Kevin P

Screenwriter
Joined
Jan 18, 1999
Messages
1,439
You're not sending the virus out, you're receiving it. Or you would be, if the sender didn't have Scanmail protection on their mail server.

Anyway, if you right-click on one of the messages and select Properties, you should be able to view the SMTP headers. One of these would be Return-Path or similar, usually at the top. This will have the actual sender's email address, at least if he's got Klez. Then you can send him an email and let him know. He (or she) might be blissfully unaware that his computer is sending out virus emails.

KJP
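Added example (not code from the thread): a small Python script that does what Kevin describes in his two header posts, reading the SMTP headers of one of these notifications to find who generated it and pulling the "File:" and "From:" lines out of the ScanMail body. The sample notification is constructed here, modelled on the alert Mike quoted; every address, host name and domain in it is a placeholder (example.com / example.gov), and the `SMTPOriginator` header name is used exactly as Kevin wrote it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a ScanMail-style alert as it would arrive in Mike's mailbox.
# Addresses and hosts are placeholders, not the real ones from the thread.
SAMPLE_NOTIFICATION = """\
Return-Path: <scanmail-admin@notes-gw.agency.example.gov>
Received: from notes-gw.agency.example.gov by mail.mycompany.example.com; Mon, 7 Apr 2003 12:50:30 -0400
From: ScanMail Notification <scanmail-admin@notes-gw.agency.example.gov>
To: <mike@mycompany.example.com>
Subject: Privacy Certified
X-Apparently-From: <scanmail-admin@notes-gw.agency.example.gov>

An attachment with an extension of .exe, .vbs, or .pif has been detected
and removed from the e-mail message in accordance with policy

Date: 4/7/2003 12:50:9
Subject: Privacy Certified
Virus: Blocked;
File: border.exe
From: msmith mike@mycompany.example.com
To: CN=SF Premiums/OU=HSNG/OU=HHQ/O=AGENCY @ AGENCY;
Action: Blocked;
"""

# Headers Kevin suggests checking for the true originator of a message.
ORIGINATOR_HEADERS = ("Return-Path", "X-Apparently-From", "SMTPOriginator")
# Fields of the ScanMail report body worth keeping.
REPORT_FIELDS = ("Date", "Subject", "Virus", "File", "From", "To", "Action")
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def originator_headers(raw):
    """Return the originator headers present in the message, as lower-cased addresses."""
    msg = message_from_string(raw)
    found = {}
    for name in ORIGINATOR_HEADERS:
        value = msg.get(name)
        if value:
            found[name] = parseaddr(value)[1].lower()
    return found


def blocked_mail_report(raw):
    """Parse the 'Key: value' lines of the ScanMail body into a dict."""
    msg = message_from_string(raw)
    report = {}
    for line in msg.get_payload().splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in REPORT_FIELDS:
            report[key.strip()] = value.strip().rstrip(";").strip()
    return report


def assess(raw, my_addresses):
    """Who sent the alert (the gateway to contact) and whose address it blames as sender."""
    origin = originator_headers(raw)
    report = blocked_mail_report(raw)
    gateway = (origin.get("Return-Path") or origin.get("X-Apparently-From")
               or origin.get("SMTPOriginator"))
    match = ADDR_RE.search(report.get("From", ""))
    claimed = match.group(0).lower() if match else None
    mine = {a.lower() for a in my_addresses}
    return {
        "alert_gateway": gateway,
        "gateway_domain": gateway.split("@", 1)[1] if gateway else None,
        "blocked_file": report.get("File"),
        "claimed_sender": claimed,
        # True means the alert is about mail that carried *your* address as sender,
        # which is exactly what a spoofing worm like Klez produces.
        "names_me_as_sender": claimed in mine,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_NOTIFICATION, ["mike@mycompany.example.com"]).items():
        print(f"{key}: {value}")
```

The `gateway_domain` value is the organisation whose Notes administrator you would contact; `claimed_sender` is only what the gateway believes, since a worm that spoofs the From line will put any address it found there. In Outlook the raw text to paste into `assess` is what the message Properties dialog shows under Internet headers.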
 

Hanson

Senior HTF Member
Joined
Nov 1, 1998
Messages
5,228
Real Name
Hanson
Klez spoofs sender email addresses. It uses a random address for the recipient as well as the sender.

Current corporate email anti-virus programs assume the sender of the message actually sent the message and issues a warning. This is not the case with Klez.
 

Mike LS

Supporting Actor
Joined
Jun 29, 2000
Messages
838
Ah. OK. So the sender's system is catching the email on the way out and sending me notification of the attachments that were removed.

I'll see if I can get in touch with the person next time I get a message.

Thanks for all the help.
 

Hanson

Senior HTF Member
Joined
Nov 1, 1998
Messages
5,228
Real Name
Hanson
So the sender's system is catching the email on the way out and sending me notification of the attachments that were removed.
That's not it either.

What is happening is that person A's system is sending out a message infected with Klez. The system uses address B as the recipient and C as the sender.

The server for recipient B gets an infected message and naturally tells C that they have sent them an infected file. Except they didn't because it was really A.
 

Kevin P

Screenwriter
Joined
Jan 18, 1999
Messages
1,439
What is happening is that person A's system is sending out a message infected with Klez. The system uses address B as the recipient and C as the sender.

The server for recipient B gets an infected message and naturally tells C that they have sent them an infected file. Except they didn't because it was really A.
You have the right idea, but if this were the case, person C would also be receiving copies of Klez from person A, as well as the warnings from B's server. Any email address that Klez finds on a computer can not only be targeted for being the "sender" of infected emails, it will also be sent a copy of Klez. So for your argument to hold, person B's address as well as person C would have to reside on person A's computer, and Klez would send copies of itself to both addresses.

Mike, have you been receiving any Klez infected emails while all this has been going on? If so, Hanson's hypothesis is correct. If not, then it's person B (whoever's inside network w/the Notes server) that is infected with Klez and is attempting to send it out to person C (Mike) and their server is blocking it and sending out the warning.

KJP
P.S. Edited to correct original poster's name (oops)
 

Hanson

Senior HTF Member
Joined
Nov 1, 1998
Messages
5,228
Real Name
Hanson
as well as the warnings from B's server
Not necessarily, since the warnings are coming from mail server A/V software while the Klez would go out via a built-in SMTP engine, bypassing, say, A/V software on an Exchange server. Besides, who's to say person A has any A/V software installed? Or has an email server?

Had person A had some local A/V software that scanned all email going in and out, it would catch it, but person A hasn't updated his A/V definitions since he installed the software.

Mike, is the recipient in your domain always the same?
 

Kevin P

Screenwriter
Joined
Jan 18, 1999
Messages
1,439
Not necessarily, since the warnings are coming from mail server A/V software while the Klez would go out via a built-in SMTP engine, bypassing, say, A/V software on an Exchange server. Besides, who's to say person A has any A/V software installed? Or has an email server?
I don't know about Exchange, but I do know Lotus Notes will act as an SMTP server (if set up to do so) and (if equipped with a scanner) will scan emails whether they're sent through Notes or via SMTP. Therefore, if a Notes user is infected, and their Notes is set up for SMTP and has Scanmail, it will catch the infection and pass on the warnings.

To reiterate, here is how Hanson's scenario would play out (Klez infection exists outside of Notes network). In both these examples, Mike is "Person C", and the person behind the Notes Scanmail server is "Person B":
  • Person A is infected with Klez, and has Person B through Q's addresses somewhere on their computer.
  • Person B is behind a Lotus Notes server with ScanMail.
  • Person A sends out copies of Klez to persons B through Q, with randomly selected "sender" addresses. For the sake of argument, let's say that Person B's copy of Klez has person C's address in the From line. Person C's copy of Klez has Person J's address in the from line.
  • Person B's email server detects the infection and sends out an alert to person C, and person B.
  • Person C receives a copy of Klez that appears to be from Person J, and a warning from Person B's server.
If the process repeats itself (as Klez tends to mail itself out again and again if it isn't cleaned), person C will receive another copy of Klez, perhaps "from" person F this time, and someone else (person H) may receive the warning from person B's server.

In my scenario, where person B is infected with Klez, the following happens:
  • Klez emails itself out from person B's computer, using SMTP. It sends itself out to all addresses it can find on person B's computer, including person C.
  • The Notes SMTP server captures the outgoing emails, and scans them with Scanmail, which flags them as infected.
  • The Scanmail server sends out alert emails to the recipients of the original email, and to the faux "sender" addresses, including person C.
  • Person C never receives an actual copy of Klez, and his anti-virus software never utters a peep.

So, Mike, which scenario is it? Are you getting infected emails, or just the alerts? Also if you check the from and to addresses on each of the alert messages, that might uncover some clues as to what's happening.
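Added example, not part of the thread: a Python model of the two scenarios above (and of Hanson's point that Klez picks both recipient and sender from whatever addresses it finds). It delivers one worm message for every recipient/spoofed-sender pair in the infected machine's address book, blocks it wherever a scanning gateway sits on the path, and records who ends up with a copy of the worm versus who only gets an alert. The names, addresses and domains are constructed placeholders; "Person C" is Mike and "Person B" is the user behind the Notes ScanMail server, as in Kevin's post.

```python
from dataclasses import dataclass, field


@dataclass
class Mailbox:
    worm_copies: list = field(default_factory=list)  # spoofed "From" on each worm copy received
    alerts: list = field(default_factory=list)       # (gateway, recipient, claimed_sender)


def domain(addr):
    return addr.split("@", 1)[1]


def simulate(infected, address_book, scanning_domains):
    """Send one worm message per (recipient, spoofed sender) pair from the address book.

    A gateway at the infected host's own domain blocks outbound mail and alerts
    both the recipient and the claimed sender (Kevin's second scenario); a gateway
    at the recipient's domain does the same on inbound mail (the first scenario);
    with no scanner on the path the recipient receives the worm itself.
    """
    boxes = {addr: Mailbox() for addr in [infected, *address_book]}
    for recipient in address_book:
        for claimed_sender in address_book:
            if claimed_sender == recipient:
                continue
            if domain(infected) in scanning_domains:
                gateway = "gateway." + domain(infected)
                for target in (recipient, claimed_sender):
                    boxes[target].alerts.append((gateway, recipient, claimed_sender))
                continue
            if domain(recipient) in scanning_domains:
                gateway = "gateway." + domain(recipient)
                for target in (recipient, claimed_sender):
                    boxes[target].alerts.append((gateway, recipient, claimed_sender))
                continue
            boxes[recipient].worm_copies.append(claimed_sender)
    return boxes


def observed_by(boxes, addr):
    """What a given mailbox owner actually sees: worm copies and/or alerts."""
    box = boxes[addr]
    return {"worm_copies": len(box.worm_copies), "alerts": len(box.alerts)}


# Constructed placeholders for the people in the thread's scenarios.
MIKE = "c@mike-company.example.com"        # Person C
NOTES_USER = "b@notes.example.gov"         # Person B, behind a Notes server with ScanMail
SCANNING = {"notes.example.gov"}           # only B's organisation scans mail


def scenario_a_infected():
    """Hanson's scenario: an outsider with no scanner is infected and has B and C in its book."""
    return simulate("a@home.example.net", [NOTES_USER, MIKE, "d@other.example.org"], SCANNING)


def scenario_b_infected():
    """Kevin's scenario: B is infected and every outbound copy is caught by B's gateway."""
    return simulate(NOTES_USER, [MIKE, "d@other.example.org", "e@else.example.org"], SCANNING)


if __name__ == "__main__":
    print("A infected, Mike sees:", observed_by(scenario_a_infected(), MIKE))
    print("B infected, Mike sees:", observed_by(scenario_b_infected(), MIKE))
    print("B infected, B sees:   ", observed_by(scenario_b_infected(), NOTES_USER))
```

The discriminating observable is the one Kevin asks about: when the infection is outside the scanned network, Mike's mailbox collects both worm copies and alerts; when it is Person B's machine behind the ScanMail gateway, Mike receives alerts only and never a worm copy, and B's own mailbox receives nothing, because none of the blocked mail is addressed to or "from" B.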
 

Mike LS

Supporting Actor
Joined
Jun 29, 2000
Messages
838
Kevin,

I have not received any actual infected mail in quite a while. I do handle customer email for my company, so I get quite a bit of "mailing list" type mail from people that I don't know. So I'm usually getting a good bit of infected mail. But I haven't gotten anything since all of this started.

Hanson,

The recipient is always my personal email address here at work. I check 6 or 7 addresses at my domain personally, but the problem messages are always addressed to my personal address.
I don't know of anyone else on our domain that is getting them. The majority of folks around here are pretty much computer illiterate except what they have to do here, and I'm usually the one they ask if they get any suspicious messages. I would probably know if they were going to anyone else.
 

Kevin P

Screenwriter
Joined
Jan 18, 1999
Messages
1,439
Mike, I'm thinking it's the 2nd scenario in my last post that is occurring. Another thing that occurred to me is if person B's machine is infected, and Klez is emailing itself out through the Notes SMTP server, since Klez uses From addresses other than the actual senders, Person B will never actually receive an alert from the server, since none of the messages appear to be coming "from" him.

What you might have to do is look at the info in the alert email to determine what company they are coming from, then try to get in touch with the Notes admin at that location. They should be able to pull the logs and determine who's infected.
 

Hanson

Senior HTF Member
Joined
Nov 1, 1998
Messages
5,228
Real Name
Hanson
I have on occasion gotten repeated infected messages (once every 8 minutes) that I had to move to the turf directory by sender. I have no idea how or why this is, so I blocked the email address.

Assuming you don't have a virus, there's a machine out there somewhere sending infected messages to someone at HUD with your address as the recipient. I've found many instances where the viral code is not written well and does not fully install or carry out all the damage it is supposed to. There could be a server somewhere in corporate America that no one is monitoring and has never been rebooted that is running poorly written Klez that is using the same email recipient and sender addresses over and over again.

I'd contact HUD email admin and explain that you are not the source of the messages. He should know this because it is Klez. If you're running Exchange server, just move them to the turfdir by sender address so you don't have to see them. Remember to empty out the turf directory on occasion.
 
