ivarley, posted March 3, 2004:

Hey all - Just got a worm in my email that claimed to be from spamcop. The message said:

"From: support[at]spamcop.net
Subject: Warning about your e-mail account.
Message: Dear user of Spamcop.net, Your e-mail account has been temporary disabled because of unauthorized access. For further details see the attach. Attached file protected with the password for security reasons. Password is 07511. The Management, The Spamcop.net team http://www.spamcop.net "

Attached was "Information.zip", which my anti-virus software said was the Bagle worm. (I got a very similar email yesterday from a different sender with a different message, but also with a zip file that turned out to be the Bagle worm.) Watch out! And Spamcop admins, you may wish to post news about this (or even send an email to all subscribers).

Ian
ivarley[at]spamcop.net

ivarley, posted March 3, 2004:

ps - Here are the message headers:

Return-path: <stray.cat[at]verizon.net>
Received: from mac.com (smtpin03-en2 [10.13.10.148])
 by ms14.mac.com (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
 with ESMTP id <0HTZ00JA8QI82G[at]ms14.mac.com> for ivarley[at]mac.com;
 Wed, 03 Mar 2004 00:06:08 -0800 (PST)
Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49])
 by mac.com (Xserve/smtpin03/MantshX 3.0) with ESMTP id i23867bb025516
 for <ivarley[at]mac.com>; Wed, 03 Mar 2004 00:06:07 -0800 (PST)
Received: from unknown (HELO blade1.cesmail.net) (192.168.1.211)
 by c60.cesmail.net with SMTP; Wed, 03 Mar 2004 03:06:07 -0500
Received: (qmail 24045 invoked by uid 1010); Wed, 03 Mar 2004 08:06:06 +0000
Received: (qmail 24016 invoked from network); Wed, 03 Mar 2004 08:06:05 +0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
 by blade1.cesmail.net with SMTP; Wed, 03 Mar 2004 08:06:05 +0000
Received: (qmail 20371 invoked from network); Wed, 03 Mar 2004 08:06:05 +0000
Received: from c-24-9-106-13.client.comcast.net (HELO DF51Q941) (24.9.106.13)
 by mailgate.cesmail.net with SMTP; Wed, 03 Mar 2004 08:06:04 +0000
Date: Wed, 03 Mar 2004 01:06:03 -0700
From: support[at]spamcop.net
Subject: Warning about your e-mail account.
To: ivarley[at]spamcop.net
Message-id: <bricfjnfoofxbftayok[at]spamcop.net>
MIME-version: 1.0
Content-type: multipart/mixed; boundary=--------brasubxcecnsbwhkotls
Delivered-to: spamcop-net-ivarley[at]spamcop.net
X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade1
X-spam-Level:
X-spam-Status: hits=0.3 tests=NO_REAL_NAME version=2.63
X-SpamCop-Checked: 192.168.1.101 24.9.106.13
Original-recipient: rfc822;ivarley[at]mac.com

Wazoo, posted March 3, 2004:

This has been covered over in the newsgroups since yesterday ... but don't think anyone's been on here yet to stick a warning anywhere that would jump out at everybody.

StevenUnderwood, posted March 3, 2004:

To add my 2 cents worth, I received one overnight, but received it as a bounce from the news.spamcop.net server because they used my email address in the Return-Path but an invalid address on the news.spamcop.net server. Unfortunately, I sent an email off to support and deputies before I thought to check here. Just sent my apologies to both of those addresses.

turetzsr, posted March 3, 2004:

...Attn deputies -- comment? But see next reply from me....

turetzsr, posted March 3, 2004:

...Perhaps SpamCop does not send virus is relevant?

yourbuddy, posted March 3, 2004:

Perhaps a "bagle" is the most you'll get from SpamCop ...

This worm (and many other worms) use the Windows Address Book associated with Outlook or Outlook Express. It selects one Name from the Address Book as a Sender, and then sends to all the other Names. So, you got this worm/email from someone who has both your email address and SpamCop's email address in their Address Book. Often, who this is can be determined from the headers - and you can thank them.

Another good reason for not using Outlook or Outlook Express.

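Added example, not part of any post in this thread: reading the Received chain that ivarley posted to find where the message entered the recipient's mail providers, without consulting the forgeable From and Return-path fields. The trusted-relay list (cesmail.net and mac.com, the providers that appear in those headers) is an assumption, and the function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# Routing headers copied from the post earlier in this thread ("[at]" kept);
# the qmail "invoked" lines and the non-routing headers are omitted.
RAW = """\
Received: from mac.com (smtpin03-en2 [10.13.10.148])
 by ms14.mac.com (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
 with ESMTP id <0HTZ00JA8QI82G[at]ms14.mac.com> for ivarley[at]mac.com;
 Wed, 03 Mar 2004 00:06:08 -0800 (PST)
Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49])
 by mac.com (Xserve/smtpin03/MantshX 3.0) with ESMTP id i23867bb025516
 for <ivarley[at]mac.com>; Wed, 03 Mar 2004 00:06:07 -0800 (PST)
Received: from unknown (HELO blade1.cesmail.net) (192.168.1.211)
 by c60.cesmail.net with SMTP; Wed, 03 Mar 2004 03:06:07 -0500
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
 by blade1.cesmail.net with SMTP; Wed, 03 Mar 2004 08:06:05 +0000
Received: from c-24-9-106-13.client.comcast.net (HELO DF51Q941) (24.9.106.13)
 by mailgate.cesmail.net with SMTP; Wed, 03 Mar 2004 08:06:04 +0000
"""
TRUSTED = ("cesmail.net", "mac.com")  # assumption: relays the recipient trusts

def hops(raw):
    """Parse each 'Received: from ... by ...' header, newest first."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        parts = re.split(r"\s+by\s+", value, maxsplit=1)
        if len(parts) != 2 or not parts[0].startswith("from"):
            continue
        ips = re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", parts[0])
        helo = re.search(r"HELO ([^)\s]+)", parts[0])
        out.append({"from": parts[0].split()[1], "ip": ips[-1] if ips else None,
                    "helo": helo.group(1) if helo else None,
                    "by": parts[1].split()[0]})
    return out

def injection_point(raw):
    """Follow the chain while a trusted relay wrote the header; return the
    last such hop if the peer address it recorded is a public one."""
    last = None
    for hop in hops(raw):
        if not any(hop["by"] == t or hop["by"].endswith("." + t) for t in TRUSTED):
            break  # written by an unknown host: it and everything below may be forged
        last = hop
    try:
        return last if last and ipaddress.ip_address(last["ip"] or "").is_global else None
    except ValueError:
        return None
```

The hop it returns is the connection recorded by mailgate.cesmail.net, which matches the second address in the X-SpamCop-Checked header of the same message.
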
turetzsr, posted March 3, 2004:

...Okay, now we seem to have an official reply: Pinned: SpamCop is not sending you attachments.

Merlyn, posted March 3, 2004:

> Another good reason for not using Outlook or Outlook Express.

Been using Outlook and OE for years and never had a problem. Sounds more like a user problem than a software problem but many people like to blame the software for their lack of knowledge.

yourbuddy, posted March 3, 2004:

There are certain things that you shouldn't do (unless you have absolute faith in the person sending it to you, and even then, it could be a forged sending address). Take great care in opening any of these attachments. If you have a program that can filter the attachments, have these put in a separate folder for a closer look.

The following attachments (file extensions) are used by Viruses, Worms and Backdoor programs, and can damage or delete files or "take-over" your computer:

.ASP - Application Service Provider
.BAT - Batch Processing (DOS Batch File)
.CMD - WinNT Command File, DOS CP/M Command File
.COM - Command (executable file)
.CPL - Control Panel Extension
.EXE - Executable file
.INS - Internet Communication Setting
.ISP - Internet Communication Settings
.JS - JavaScript Source Code
.JSE - JScript Encoded Script File
.OCX - Object Linking and Embedding (OLE) Control Extension
.PIF - Program Information File
.REG - Registry Data
.SCR - Screen Saver
.SHS - Shell Scrap Object File
.VBE - VBScript Encoded Script File
.VBS - VBScript Script File
.WSC - Windows Script Component
.WSF - Windows Script File
.WSH - Windows Script Host Settings File

Any of the above can also be hidden in a .ZIP file, so a .ZIP extension should be treated with great care/caution. Practice "safe computing" - and always use a "filter".

Merlyn, posted March 3, 2004:

> There are certain things that you shouldn't do (unless you have absolute faith in the person sending it to you, and even then, it could be a forged sending address). Take great care in opening any of these attachments. If you have a program that can filter the attachments, have these put in a separate folder for a closer look.
>
> The following attachments (file extensions) are used by Viruses, Worms and Backdoor programs, and can damage or delete files or "take-over" your computer:
>
> .ASP - Application Service Provider
> .BAT - Batch Processing (DOS Batch File)
> .CMD - WinNT Command File, DOS CP/M Command File
> .COM - Command (executable file)
> .CPL - Control Panel Extension
> .EXE - Executable file
> .INS - Internet Communication Setting
> .ISP - Internet Communication Settings
> .JS - JavaScript Source Code
> .JSE - JScript Encoded Script File
> .OCX - Object Linking and Embedding (OLE) Control Extension
> .PIF - Program Information File
> .REG - Registry Data
> .SCR - Screen Saver
> .SHS - Shell Scrap Object File
> .VBE - VBScript Encoded Script File
> .VBS - VBScript Script File
> .WSC - Windows Script Component
> .WSF - Windows Script File
> .WSH - Windows Script Host Settings File
>
> Any of the above can also be hidden in a .ZIP file, so a .ZIP extension should be treated with great care/caution. Practice "safe computing" - and always use a "filter".

Nice answer!

yourbuddy, posted March 3, 2004:

Merlyn ... The propagation of most virus/worm email is the result of them using the unencrypted Address Book of Outlook or Outlook Express, so if you use another email program (particularly one with an encrypted Address Book) then you will not be adding to the potential problem.

Of course, if you use AV and a Firewall and you never open an attachment, then the use of Outlook or Outlook Express creates no problems, you're right.

StevenUnderwood, posted March 3, 2004:

Most (if not all) of the recent viruses will search through many different file types looking for email addresses, including the cache files from your web browser or a text or MS Word file. The address does not need to be in the address book any more.

yourbuddy, posted March 3, 2004:

Yes, correct for recent virus/worm types. Getting "more" creative, aren't they?

AlphaCentauri, posted March 3, 2004:

The Bagle.I's are not just spoofing SpamCop. They get the domain name from your email address and spoof that system's administrators. And my Norton Antivirus couldn't pick it up. Turns out that .zip file really is password protected.

Bumpkin, posted March 3, 2004:

The virus searches drives C: thru Z: looking for e-mail addresses in just about any type of file.... html, txt, eml, etc etc etc. This isn't just an Outlook virus. Unfortunately, I discovered that my "safe" e-mail program (non-std address books saved as encrypted text) isn't as safe as I thought. I also discovered that my "auto-updating" AV software isn't as up-to-date as I'd like it to be. In a network full of non-IT people, those two things combined set off a bad sequence of events today. :angry:

<rant> Thanks to a couple of whiney script kiddies who want more media coverage than the "netsky" writer, the bagle/beagle virus and mydoom virus are being updated and released daily with additional insults to each other written into the code. My users here got a surprise education in viruses and safe computing today. I would have sworn to you last week that I had the greatest users on any network. Being smart and safe is nothing when the AV companies can't keep up with a couple kids. </rant>

turetzsr, posted March 3, 2004:

>> Another good reason for not using Outlook or Outlook Express.
>
> Been using Outlook and OE for years and never had a problem. Sounds more like a user problem than a software problem but many people like to blame the software for their lack of knowledge.

...Bravo, Merlyn!

turetzsr, posted March 3, 2004:

>> There are certain things that you shouldn't do (unless you have absolute faith in the person sending it to you, and even then, it could be a forged sending address). Take great care in opening any of these attachments. If you have a program that can filter the attachments, have these put in a separate folder for a closer look. The following attachments (file extensions) are used by Viruses, Worms and Backdoor programs, and can damage or delete files or "take-over" your computer: <snip>
>
> Nice answer!

...Indeed, it was!

...Note, though, that Windows often (usually? always?) comes with a default setting that hides the display of the extensions, so what may appear to be a file called "innocent-looking.txt" may actually be "innocent-looking.txt.exe" and do lots of damage!

yourbuddy, posted March 3, 2004:

>>> Another good reason for not using Outlook or Outlook Express.
>>
>> Been using Outlook and OE for years and never had a problem. Sounds more like a user problem than a software problem but many people like to blame the software for their lack of knowledge.
>
> ...Bravo, Merlyn!

True enough ... But having good software to begin with, will provide a good start.

turetzsr, posted March 3, 2004:

>>>> Another good reason for not using Outlook or Outlook Express.
>>>
>>> Been using Outlook and OE for years and never had a problem. Sounds more like a user problem than a software problem but many people like to blame the software for their lack of knowledge.
>>
>> ...Bravo, Merlyn!
>
> True enough ... But having good software to begin with, will provide a good start.

...If only I had a choice and did not have to use what my employer insists I use!

AlphaCentauri, posted March 3, 2004:

I don't use Outlook, but I can spot the viruses before they get to my email program. I've got Mailwasher set to flag anything with a .exe, .pif, .zip, etc, extension. Then I view them in the text window. The executable extensions show up as base 64 code in addition to seeing the entire file name. The only time I've downloaded one was when I was trying to report this new version of Bagle.I to Norton, and it insists on it being a file on your computer to do so.

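Added example, not part of any post in this thread: screening attachment names against the extension list yourbuddy posted, covering the double-extension case turetzsr raises and the member names inside a .zip attachment. The sample message is constructed; the member name details.txt.exe and the function names are assumptions.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions taken from the list posted in this thread.
RISKY = set(".asp .bat .cmd .com .cpl .exe .ins .isp .js .jse .ocx .pif .reg "
            ".scr .shs .vbe .vbs .wsc .wsf .wsh".split())

def name_findings(name):
    """Flag a risky final extension and any harmless-looking one in front of it."""
    base = name.strip().lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    if not exts or exts[-1] not in RISKY:
        return []
    found = [f"{name}: risky extension {exts[-1]}"]
    if len(exts) > 1:
        found.append(f"{name}: double extension hides {exts[-1]}")
    return found

def scan_message(raw_bytes):
    findings = []
    for part in message_from_bytes(raw_bytes).walk():
        fname = part.get_filename()
        if not fname:
            continue
        findings += name_findings(fname)
        if not fname.lower().endswith(".zip"):
            continue
        try:
            members = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))).infolist()
        except zipfile.BadZipFile:
            findings.append(f"{fname}: not a readable zip archive")
            continue
        for info in members:
            # Bit 0 = password-protected; standard zip encryption leaves names in clear.
            if info.flag_bits & 0x1:
                findings.append(f"{fname} > {info.filename}: password-protected")
            findings += [f"{fname} > {f}" for f in name_findings(info.filename)]
    return findings

def sample_message():
    """Constructed sample: zip name and body text are from the thread, the member is made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # unencrypted: the stdlib cannot write encrypted zips
        zf.writestr("details.txt.exe", b"placeholder bytes, not a program")
    msg = EmailMessage()
    msg.set_content("For further details see the attach.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Information.zip")
    return msg.as_bytes()
```
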
This topic is now archived and is closed to further replies.