I think someone is specifically after me


Pinebear

Back on August 23 I began receiving emails purportedly from my ISP (but not actually from it), which I will describe using the text I have been sending along to the abuse email address.

The following is a pseudo-phishing attempt which would have installed the W32.Mytob.EA[at]mm worm. I had been receiving these once or twice a day since August 23 and my ISP, Canaantv, had been working to get this stopped. It appeared that they did, since I hadn't received one since Sept 5.

Previously, all had come from the same IP, 71.51.95.58.

They had again started up on 09-14-2006 and were all from Road Runner IPs. I received 11 from four different RR IPs, with the last being on 09-24-2006.

They all have one of the following subjects, which seem to rotate:

* Members Support
* Important Notification
* You have successfully updated your password
* Warning Message: Your services near to be closed
* YOUR ACCOUNT IS SUSPENDED FOR SECURITY REASONS
* Your Account is Suspended
* Your password has been successfully updated
* You have successfully updated your password
* Your new account password is approved

It appears whoever is sending these out has again jumped to a different ISP, this time BellSouth, which is now the third ISP, and this is the fourth different BellSouth IP.

It appears someone has it in for me. However, I don't see it as someone who is a casual user whose PC has been hijacked. That type of user wouldn't know it and probably would not have the smarts or inclination to jump across three different ISPs and almost two dozen different IPs in that short a period of time. My ISP, relatively small, has no reports of any similar activity against anyone else.

The latest I reported to SC is 1951139853.

Any ideas as to what I can do about this other than continuing to report?


You don't appear to be alone. From the NGs (hopefully Miss Betsy will forgive my grabbing her post as an illustration to good effect)

From: "mikeyhsd" <mikeyhsd[at]sport.rr.com>
Newsgroups: spamcop
Subject: Re: New Virus / Worm propagation,
Date: Tue, 3 Oct 2006 08:03:19 -0500
Message-ID: <eftn2j$uu2$1[at]news.spamcop.net>

just got several this morning.

mikeyhsd[at]sport.rr.com

"Miss Betsy" <devnull[at]spamcop.net> wrote in message
news:efthl8$qrh$1[at]news.spamcop.net...
>
> <snip>
> speaking of viruses, does anyone know if there is a virus that pretends to
> be from an abuse desk 'serv' [at] domain and warns you that their firewall
> has detected a worm on your computer?
>
> I have gotten several - mostly at one address which has no filters, but
> one at another address (hotmail) which generally filters pretty
> aggressively. I haven't had time to pay attention to where they are
> really coming from, but it is not where they say they are. And it doesn't
> sell a program, but has an attachment.
>
> Miss Betsy

And this was in the midst of a thread of other reports. Most viruses are not "personal".

> You don't appear to be alone. From the NGs (hopefully Miss Betsy will forgive my grabbing her post as an illustration to good effect) ... And this was in the midst of a thread of other reports. Most viruses are not "personal".

I may be wrong, but I believe mine are a bit different. They are not warning about a worm. The worm is in a ZIP attachment which my antivirus identifies and quarantines. They all pretend they are coming from some administrator at my ISP, but there is no such email address.

No one else at my ISP has reported this, but we all receive tons of the other spam.


> I may be wrong, but I believe mine are a bit different. They are not warning about a worm. The worm is in a ZIP attachment which my antivirus identifies and quarantines. They all pretend they are coming from some administrator at my ISP, but there is no such email address.
>
> No one else at my ISP has reported this, but we all receive tons of the other spam.

These are not spam, they are viruses, and you are getting them probably because someone in your circle of acquaintances was infected (on the first IP), which then infected someone else, etc. etc. etc.

host 71.51.95.58 = fl-71-51-95-58.dhcp.embarqhsd.net - First report Spamcop has from this host is Aug 24. Abuse to: sprintnetops.net (i.e. SprintDSL) This is likely the person that introduced it to your circle based on the dates.

Your system is detecting them. Almost every machine I am asked to look at because of problems turns out to be viruses because the owner did not keep their AV software current (yes, you need to pay them every year in some cases). I install AVG (free) and I get my weekends back ;)

http://www.symantec.com/security_response/...-99&tabid=1

W32.Mytob.EA[at]mm is a mass-mailing worm that has back door capabilities and uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.

Gathers email addresses from the Windows Address Book and temporary Internet files.

Gathers email addresses from files with the following extensions on all local drives from C to Y:

.adb*
.asp*
.cgi*
.dbx*
.htm*
.jsp*
.php*
.pl
.sht*
.tbb*
.txt
.wab
.xml*


> I may be wrong, but I believe mine are a bit different. ...
It seems a little different - but of the familiar pattern. OK, if your "brand" is coming from a variety of sources, are these mostly mainstream ISPs? IOW, do they look like they were sent from ordinary PCs on ordinary networks (the usual propagation - which can be every bit as rapid "in the wild" as you have seen)? You named a couple, which are certainly in the "mainstream" category. The other feature of the infestations I have seen is that they tend to recur (the source IPs repeat after a short period, until they are detected and cleared, because individual computers are cycling through a finite set of addresses to send to).

If so, your defence IMO is to manually report to the abuse desks and ask them to locate and advise the owners. You can of course continue to report your virii/vermes through SC but I prefer a more directed form of appeal to the ISP myself. Admins tend to be more responsive that way, somehow.

If not, then more details might be helpful (including tracking URLs with technical details turned on - I couldn't get much from the report ID you posted). It still could be consistent with a thin thread of infection which is being mopped up fairly efficiently after it activates. Another possibility - are you seeing the full attack - is there maybe some filtering going on somewhere which might be hiding some instances (particularly any "repeat offenders")?


If you get no response from the abuse desk (for larger ISPs, it may take up to a week), then if you happen to have a correspondent with an address on that ISP, you can ask hir to talk to the IT department or abuse desk. They sometimes listen to customers faster than outsiders. Be sure you explain that you don't think the virus comes from your correspondent, but that it is coming from their network. It doesn't happen very often that you actually have a correspondent from an unresponsive abuse desk, but twice I have done that in desperation.

Miss Betsy


> These are not spam, they are viruses and you are getting them probably because someone in your circle of acquaintances was infected (on the first IP) which then infected someone else, etc. etc. etc.
>
> http://www.symantec.com/security_response/...-99&tabid=1
>
> W32.Mytob.EA[at]mm is a mass-mailing worm that has back door capabilities and uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.

When I first looked up the definition, I only looked at the Summary. After reading the Technical Details I now see that the emails I'm receiving have the exact wording described in the Technical Summary. I should have read further.


> It seems a little different - but of the familiar pattern. OK, if your "brand" is coming from a variety of sources, are these mostly mainstream ISPs? ...
>
> If so, your defence IMO is to manually report to the abuse desks and ask them to locate and advise the owners. ...
>
> If not then more details might be helpful (including tracking URLs with technical details turned on - I couldn't get much from the report ID you posted). ...

All three ISPs were mainstream, first Sprint, then Road Runner and now BellSouth. The one thing they all have in common is that the "From:" is administrator(at)canaantv.tv, which is an invalid address.

In addition to reporting via SC I have been sending them to the abuse desks at each of the ISPs. It's my impression that they seem to be following up. I say this because I was originally receiving up to three a day, all from the same IP. Then it stopped for a while, jumped to another ISP, stopped, and now to the third ISP.

I looked through my address book and found no correspondents with a Sprint ISP, the first from which I received. That's not to say that somehow someone had my email address that I'm not aware of.

Question, does this particular worm, when it spreads, also take along a copy of the email addresses it has already found or does it start afresh on the new computer?

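As an added illustration (not part of the thread, and not code from the poster, SpamCop or Symantec), the following Python script shows the point the reply above makes in practice: the From: line claiming administrator(at)canaantv.tv is forged by the worm, so the only address worth reporting is the connecting IP that your own mail relay recorded in the Received: chain, and any Received: lines below that boundary were supplied by the sender and cannot be trusted. The message, relay hostnames and IP addresses in it are constructed (RFC 5737 documentation ranges, .invalid names); the trusted-relay list is an assumption you would replace with your own MTA's hostnames; the subject list is the one the original poster gave.

```python
import re
from email import message_from_string

# Subjects the original poster saw rotating (copied from the thread).
WORM_SUBJECTS = {
    "Members Support",
    "Important Notification",
    "You have successfully updated your password",
    "Warning Message: Your services near to be closed",
    "YOUR ACCOUNT IS SUSPENDED FOR SECURITY REASONS",
    "Your Account is Suspended",
    "Your password has been successfully updated",
    "Your new account password is approved",
}

# ASSUMPTION: the receiving ISP's own relays.  Constructed names; in
# practice take them from your MTA configuration.
TRUSTED_MTAS = {"mx1.example-isp.invalid", "mail.example-isp.invalid"}
LOCAL_DOMAIN = "canaantv.tv"  # the domain the forged From: impersonates

# Shape most MTAs write: "from <helo> (<rdns> [<ip>]) by <host> ...".
# The parenthesised part is what the *receiving* relay observed; the
# HELO name before it is whatever the sender chose to claim.
_RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9.]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Split one Received: header into (helo, rdns, ip, by); None if unparsable."""
    m = _RECEIVED.search(value)
    return m.group("helo", "rdns", "ip", "by") if m else None


def find_origin(raw_message):
    """Walk the Received: chain from our own relays outward.

    Relays prepend Received: lines, so index 0 is the most recent hop.
    Lines written by TRUSTED_MTAS are believable; the first one whose
    connecting host is not ours records the outside sender.  Anything
    below that line was supplied by the sender and may be forged, so
    the walk never looks at it.
    """
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        parsed = parse_received(value)
        if parsed is None:
            continue
        helo, rdns, ip, by = parsed
        if by not in TRUSTED_MTAS:
            break  # not written by us: trust boundary reached without a hit
        if (rdns or helo) in TRUSTED_MTAS:
            continue  # relay-to-relay hop inside our own infrastructure
        return {"ip": ip, "helo": helo, "rdns": rdns, "received_by": by}
    return None


def triage(raw_message):
    """Return the facts worth putting in an abuse report, as a dict."""
    msg = message_from_string(raw_message)
    origin = find_origin(raw_message)
    from_domain = msg.get("From", "").rsplit("@", 1)[-1].strip("<> ").lower()
    subject = (msg.get("Subject") or "").strip()
    return {
        # The connecting IP our relay saw: the only address worth reporting.
        "report_ip": origin["ip"] if origin else None,
        # Heuristic: a sender claiming our own domain but handed in from an
        # outside host.  Legitimate roaming users can trip this too, so it is
        # a flag for the report, not proof on its own.
        "forged_from": from_domain == LOCAL_DOMAIN and origin is not None,
        # A foreign IP announcing our domain in HELO is a second tell.
        "helo_impersonates_local_domain": bool(
            origin and origin["helo"].lower().endswith(LOCAL_DOMAIN)
        ),
        "subject_matches_worm_list": subject in WORM_SUBJECTS,
    }


# Constructed sample modelled on the thread: forged From: at the poster's
# ISP, one of the listed subjects, real origin a cable-modem address.  IPs
# are from the RFC 5737 documentation ranges.  The third Received: line is
# a fake hop planted by the sender; find_origin() never reaches it.
SAMPLE = """\
Received: from mx1.example-isp.invalid (mx1.example-isp.invalid [192.0.2.10])
    by mail.example-isp.invalid with ESMTP id A1; Sun, 24 Sep 2006 10:00:00 -0400
Received: from canaantv.tv (cpe-198-51-100-77.example-cable.invalid [198.51.100.77])
    by mx1.example-isp.invalid with SMTP id B2; Sun, 24 Sep 2006 09:59:58 -0400
Received: from mail.canaantv.tv (mail.canaantv.tv [203.0.113.5])
    by canaantv.tv with ESMTP id C3; Sun, 24 Sep 2006 09:59:00 -0400
From: administrator@canaantv.tv
To: user@canaantv.tv
Subject: Your Account is Suspended

Your account has been suspended. See the attached file for details.
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the sample, `report_ip` comes back as 198.51.100.77 (the cable-modem host that actually connected to mx1), not the 203.0.113.5 in the forged line underneath it, and `forged_from` is set because a message claiming to be the ISP's own administrator arrived from outside the ISP's relays. That connecting IP, with the full headers, is what goes to the abuse desk; the From: address and the planted Received: line are noise.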

> ...In addition to reporting via SC I have been sending them to the abuse desks at each of the ISPs. It's my impression that they seem to be following up. ...

I think you're on top of it - that is the "right" process (with some extra effort sometimes indicated, as noted by Miss Betsy).

> ...I looked through my address book and found no correspondents with a Sprint ISP, the first from which I received. That's not to say that somehow someone had my email address that I'm not aware of...

Yeah, hard to tell, the tech details of this variety indicate it is fairly thorough in skimming an infected computer, including maybe picking your address from a forwarded email you may never have known about, perhaps just copied into the original.

> ...Question, does this particular worm, when it spreads, also take along a copy of the email addresses it has already found or does it start afresh on the new computer?

Don't know personally - that is certainly "doable", an obvious evolution which, if not already implemented, would be in the pipeline. A parallel capability/technology - once established, IRC bots ("zombies") are routinely and regularly updated with new instructions/data, and have been for years.
