OESF Portables Forum
General Forums => Off Topic forum => Topic started by: bluey on June 01, 2004, 08:30:11 pm
-
I received a report of someone who sent a virus claiming to be me. Is this host anyone's? Someone who has my address and LilMikey's is infected with some virus/worm which spreads through e-mail.
I use Linux, and this is NOT a host from my ISP.
<quote>
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
lil_mikey@lilmikey.com
This message has been rejected because it has
a potentially executable attachment "MoreInfo.pif"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.
------ This is a copy of the message, including all the headers. ------
Return-path: <bluey@netcabo.pt>
Received: from [201.128.162.175] (helo=gate.org ident=ontsr)
by cpanel5.fuitadnet.com with smtp (Exim 4.30)
id 1BVJAc-0007yV-N3
for lil_mikey@lilmikey.com; Tue, 01 Jun 2004 18:59:50 -0500
Date: Tue, 01 Jun 2004 16:59:51 -0800
To: lil_mikey@lilmikey.com
Subject: Important notify about your e-mail account.
From: staff@lilmikey.com
Message-ID: <qlfvkftlliugomtndgc@lilmikey.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------iitwyhyjgpxbbwavgiok"
----------iitwyhyjgpxbbwavgiok
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
<html><body>
Dear user of "Lilmikey.com" mailing system,<br>
<br>
Our antivirus software has detected a large ammount of viruses outgoing
<br>from your email account, you may use our free anti-virus tool to clean up
<br>your computer software.<br><br>
Pay attention on attached file.<br>
<br>
Sincerely,<br>
The Lilmikey.com team <a href="http://www.lilmikey.com">http://www.lilmikey.com</a></body></html>
----------iitwyhyjgpxbbwavgiok
Content-Type: application/octet-stream; name="MoreInfo.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="MoreInfo.pif"
(...base64 encoded file...)
----------iitwyhyjgpxbbwavgiok--
</quote>
-
[bluey@soulsynth bluey]$ host 201.128.162.175
175.162.128.201.in-addr.arpa domain name pointer dsl-201-128-162-175.prod-infinitum.com.mx.
[bluey@soulsynth bluey]$
-
I get several of these a week and usually ignore them.
But I did notice one thing of concern: your IP did seem to match up with the IP info in the header.
You might want to double check and make sure someone hasn't set up a little something you don't know about yet on your machine.
Jim
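
An added example, not part of the thread: it reads the headers from the bounce quoted in the first post and separates what the receiving server recorded (the connecting IP) from what the sending client merely claimed (HELO, envelope sender, From:). The function names and flag wording are this example's own; the header values are copied from the quoted message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the bounce quoted in the first post; continuation
# lines are tab-indented here so Received parses as one folded header.
BOUNCE_COPY = """\
Return-path: <bluey@netcabo.pt>
Received: from [201.128.162.175] (helo=gate.org ident=ontsr)
\tby cpanel5.fuitadnet.com with smtp (Exim 4.30)
\tid 1BVJAc-0007yV-N3
\tfor lil_mikey@lilmikey.com; Tue, 01 Jun 2004 18:59:50 -0500
To: lil_mikey@lilmikey.com
From: staff@lilmikey.com
Message-ID: <qlfvkftlliugomtndgc@lilmikey.com>

"""

# Exim-style hop line: from [ip] (helo=name ...) by receiving-host
HOP = re.compile(r"from \[(?P<ip>[0-9.]+)\] \(helo=(?P<helo>\S+)[^)]*\)\s+by (?P<by>\S+)")

def domain(value):
    return parseaddr(value)[1].rpartition("@")[2].lower()

def within(host, dom):
    return host == dom or host.endswith("." + dom)

def analyse(raw):
    msg = message_from_string(raw)
    hop = HOP.search(msg["Received"])
    facts = {
        "client_ip": hop["ip"],              # recorded by the receiving MTA
        "received_by": hop["by"],
        "helo": hop["helo"].lower(),         # everything below is sender-supplied
        "envelope_from": domain(msg["Return-path"]),
        "header_from": domain(msg["From"]),
        "rcpt": domain(msg["To"]),
    }
    flags = []
    if facts["envelope_from"] != facts["header_from"]:
        flags.append("envelope sender and From: name different domains")
    if facts["header_from"] == facts["rcpt"] and not within(facts["helo"], facts["rcpt"]):
        flags.append("From: uses the recipient's domain, HELO is outside it")
    if not within(facts["helo"], facts["envelope_from"]):  # weak signal on its own
        flags.append("HELO name is unrelated to the envelope sender's domain")
    return facts, flags

if __name__ == "__main__":
    facts, flags = analyse(BOUNCE_COPY)
    print(facts)
    print(*flags, sep="\n")
```

The client IP is the one value here that cpanel5.fuitadnet.com observed for itself rather than was told, which is why the `host` lookup in the second post starts from it.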