
Spam? Malicious posting?


Oriolus


Hi,

I received an e-mail from Postmaster [postmaster[at]yahoo.com], warning me that I should have sent an e-mail that contained a Win32.Patch.MyDoom.EXE in its attachment. It also tells me that this attachment contained a virus called Hupigon.gen83.

There are very strange statements in this e-mail as well, though, which is why I am trying to find someone who can explain to me (and the list) such - in my opinion - dangerous e-mails.

Facts:

1. The e-mail states that I should have sent an e-mail at a moment when my PC was shut down for about 56 hours (I received this e-mail within the course of these 56 hours).

2. The original e-mail should have been sent nearly a year ago on June 12th, 2006!

> Received: oriol.. [at] ...doo.nl (HELO) (193.224.106.80) (Tracert gave me: sandragw.nyf.hu as originator)

> by oriol.. [at] ...doo.nl with SMTP; 12 Jun 2006 14:17:46 -0500

> To: thelist at lists.evolt.org

> Subject: Virus Detection

> Date: Mon, 12 Jun 2006 21:17:45 +0200

(I changed my e-mail address for security purposes)

3. It is said that the sending mail client was Outlook Express: I don't use that software.

4. I offered this e-mail as a spam report to SpamCop.net; it was outdated, but gave me a clue that abuse[at]verizon.net would receive this report, if it were reported in time, so it had something to do with this (apparently) spam mail or even more evil.

I wonder:

1. Am I right to mention this as a strong warning to everybody?

2. Can I do anything more than only warning this group about this dangerous kind of e-mail?

BTW

3. If this post should reside in another category, would the moderator please be so kind as to give this post its proper place?

For those who know more than I do about the sources of e-mails, I quote the two-part contents of the e-mail below.

TIA, Oriolus

==============================

Return-Path: <postmaster[at]yahoo.com>

Received: from mwinf6407.orange.nl (mwinf6407.orange.nl)

by mwinb6003 (SMTP Server) with LMTP; Sun, 03 Jun 2007 05:15:16 +0200

X-Sieve: Server Sieve 2.2

Received: from me-wanadoo.net (localhost [127.0.0.1])

by mwinf6407.orange.nl (SMTP Server) with ESMTP id D9D421C00089

for <wnl000000000000000648784997[at]back60-mail01-02.me-wanadoo.net>; Sun, 3 Jun 2007 05:15:16 +0200 (CEST)

Received: from yahoo.com (pool-71-120-226-182.spknwa.dsl-w.verizon.net [71.120.226.182])

by mwinf6407.orange.nl (SMTP Server) with SMTP id 2E8691C00088

for <oriol.. [at] ...doo.nl>; Sun, 3 Jun 2007 05:15:15 +0200 (CEST)

X-ME-UUID: 20070603031516190.2E8691C00088[at]mwinf6407.orange.nl

From: "Postmaster" <postmaster[at]yahoo.com>

To: "oriolus" <oriol.. [at] ...doo.nl>

Subject: Yahoo PostMaster Alert - I-Worm.Mydoom.m detected at 8:15:16 PM.

Date: Sat, 2 Jun 2007 20:15:17 -0700

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_00CC_01C2A9A6.0EDFE7FA"

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Message-Id: <20070603031515.2E8691C00088[at]mwinf6407.orange.nl>

==============================

Norman Virus Control heeft de bijlage verwijderd Win32.Patch.MyDoom.EXE omdat deze door het virus is geïnfecteerd Hupigon.gen83

Content-Transfer-Encoding: 7bit

Attention: oriol.. [at] ...doo.nl - 8:15:16 PM - 6/2/2007 - This is an automatically generated message.

A virus was found in the last outgoing message you sent. Our incoming email scanner intercepted it and stopped the entire message before it could reach its intended recipient. The virus was reported to be: I-Worm.Mydoom.M

Technical details: I-Worm.Mydoom.m spreads via Google and Yahoo mail services as an attachment to infected messages.

The worm itself is a Windows PE EXE file approximately 27KB in size, packed using UPX.

The unpacked file is approximately 89KB in size.

The worm is only activated when a user opens an archive and launches the infected file by double-clicking on it. The worm will then install itself to your system and begin propagating. This worm also contains a dangerous backdoor function. When the worm opens TCP port 1034, it allows itself to receive remote commands. These ports were found to be open on your system during the message scan.

Please use the attached patch file to remove the virus and cleanse your system of any remaining parts of the worm.

Aliases: I-Worm.Mydoom.m (Kaspersky Lab), W32/Mydoom.o[at]MM (McAfee), W32.Mydoom.M[at]mm (Symantec), Win32.HLLM.MyDoom.54464 (Doctor Web), W32/MyDoom-O (Sophos), Win32/Mydoom.O[at]mm (RAV), WORM_MYDOOM.M (Trend Micro), Worm/Mydoom.M (H+BEDV), W32/Mydoom.O[at]mm (FRISK), Win32:Mydoom-M (ALWIL), I-Worm/Mydoom.O (Grisoft), Win32.MydooM[at]mm (SOFTWIN), Worm.Mydoom.M (ClamAV), W32/Mydoom.N.worm (Panda), Win32/Mydoom.R (Eset)

Description added: 6/2/2007 (new)

Self-Replicating Email Worm

Removal tool attached to oriol.. [at] ...doo.nl's message at: 8:15:16 PM on 6/2/2007

__________________________________________

Originating Message Headers:

Received: oriol.. [at] ...doo.nl (HELO) (193.224.106.80)

by oriol.. [at] ...doo.nl with SMTP; 12 Jun 2006 14:17:46 -0500

To: thelist at lists.evolt.org

Subject: Virus Detection

Date: Mon, 12 Jun 2006 21:17:45 +0200

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_0002_4F80D187.6B2DD9E9"

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Apply the attached patch to cleanse your system of any files that were dropped by the worm.

Postmaster Security Encryption Algorithm:

RNVTEZOSPUQZCIIWLHHZNTZDFOBVLBBSLRHYGG

====================================


Certainly this looks malicious - postmaster Yahoo would never send an unsolicited patch - and the message did not originate with Yahoo anyway. This reminds me of some attempts at infection which were taking place some time ago. Anyway, it is being tried again. I see one other report of this one (in Italian):

http://altagradazione.blogspot.com/2007/06...rt-fasullo.html

I think this belongs in the lounge area, there is no issue with SC reporting. Thank you for raising the issue - it is always good to remind/alert people of the "human engineering" devices the zombie recruiters might use to overcome the proper understanding that unknown attachments should never be opened. Virus emails are reportable through SpamCop. This one is, of course, too old now but you could use SC parsing or other tools to identify the sender's abuse desk: (pool-71-120-226-182.spknwa.dsl-w.verizon.net [71.120.226.182]) = abuse[at]verizon.net

-and send your own report/complaint.
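As an added example, not part of this thread and not SpamCop's parser or any tool the posters used, the following Python script walks the Received: chain of the headers quoted in the first post (re-folded into RFC 5322 form; the "[at]" and truncated addresses are kept as the poster obfuscated them). It shows mechanically what the reply above says by eye: the connecting host is a Verizon DSL pool address, not a Yahoo server, so the From: line is forged and the abuse report belongs with verizon.net. The WHOIS lookup that SpamCop performs to find the actual abuse mailbox is not done here, so the script stops at naming the network. It also measures how stale the "original message" quoted in the body is relative to delivery.

```python
"""Walk the Received: chain of a suspicious "postmaster" alert and flag spoofing signals.

Added example for this thread: my own code, not SpamCop's parser. The sample
headers are the ones quoted in the first post, re-folded; the "[at]" and
truncated addresses are left as the poster obfuscated them. No WHOIS is done.
"""
import re
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

# Sample input copied from the thread (not a live message).
RAW_HEADERS = """\
Return-Path: <postmaster[at]yahoo.com>
Received: from mwinf6407.orange.nl (mwinf6407.orange.nl)
 by mwinb6003 (SMTP Server) with LMTP; Sun, 03 Jun 2007 05:15:16 +0200
X-Sieve: Server Sieve 2.2
Received: from me-wanadoo.net (localhost [127.0.0.1])
 by mwinf6407.orange.nl (SMTP Server) with ESMTP id D9D421C00089
 for <wnl000000000000000648784997[at]back60-mail01-02.me-wanadoo.net>; Sun, 3 Jun 2007 05:15:16 +0200 (CEST)
Received: from yahoo.com (pool-71-120-226-182.spknwa.dsl-w.verizon.net [71.120.226.182])
 by mwinf6407.orange.nl (SMTP Server) with SMTP id 2E8691C00088
 for <oriol.. [at] ...doo.nl>; Sun, 3 Jun 2007 05:15:15 +0200 (CEST)
From: "Postmaster" <postmaster[at]yahoo.com>
Subject: Yahoo PostMaster Alert - I-Worm.Mydoom.m detected at 8:15:16 PM.
Date: Sat, 2 Jun 2007 20:15:17 -0700
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
"""

# Date the body's "Originating Message Headers" block claims the original was sent.
CLAIMED_ORIGIN_DATE = "Mon, 12 Jun 2006 21:17:45 +0200"

# "from <helo> (<rdns> [<ip>]) by <host> ... ; <date>" as most MTAs write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\)]+)?\s*(?:\[(?P<ip>[\d.]+)\])?\))?"
    r".*?\bby\s+(?P<by>\S+)"
    r".*?;\s*(?P<date>.+)$"
)
# Reverse names that ISPs give to consumer/dynamic address pools.
DYNAMIC_RE = re.compile(r"\b(pool|dsl|dyn|dhcp|cable|ppp)\b", re.I)


def registered_domain(host):
    """Crude last-two-labels rule; enough for yahoo.com / verizon.net / orange.nl."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def address_domain(header_value):
    """Domain of an address, accepting the thread's "[at]" obfuscation as well as "@"."""
    addr = header_value.rstrip(">").split("<")[-1]
    return re.split(r"@|\[at\]", addr)[-1].strip().lower()


def parse_received(value):
    """Split one Received: header into helo / rdns / ip / by / date; None if unparseable."""
    m = RECEIVED_RE.search(re.sub(r"\s+", " ", value).strip())
    if not m:
        return None
    hop = m.groupdict()
    hop["date"] = parsedate_to_datetime(hop["date"])
    return hop


def analyse(raw):
    msg = HeaderParser().parsestr(raw)
    chain = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    entry = chain[-1]  # bottom-most Received: is the first hop our own MX stamped
    from_dom = registered_domain(address_domain(msg["From"]))
    helo_dom = registered_domain(entry["helo"])
    rdns_dom = registered_domain(entry["rdns"]) if entry["rdns"] else None
    findings = []
    if rdns_dom and rdns_dom != helo_dom:
        findings.append(f"HELO claimed {entry['helo']} but the connecting host is "
                        f"{entry['rdns']} [{entry['ip']}]")
    if rdns_dom and rdns_dom != from_dom:
        findings.append(f"From: says {from_dom} but no {from_dom} server handed the "
                        f"message over; the report belongs with the {rdns_dom} abuse desk")
    if entry["rdns"] and DYNAMIC_RE.search(entry["rdns"]):
        findings.append("connecting host has a consumer/dynamic reverse name, "
                        "not a mail provider's outbound server")
    # Sender's Date: versus the time our side first saw the message.
    skew = abs((entry["date"] - parsedate_to_datetime(msg["Date"])).total_seconds())
    return {"entry_ip": entry["ip"], "entry_host": entry["rdns"],
            "abuse_domain": rdns_dom, "entry_date": entry["date"],
            "clock_skew_s": skew, "findings": findings}


def claimed_origin_age_days(claimed, delivered):
    """How stale the 'original message' the alert quotes is, in days, at delivery time."""
    return (delivered - parsedate_to_datetime(claimed)).days


if __name__ == "__main__":
    r = analyse(RAW_HEADERS)
    print(f"entered our MX from {r['entry_host']} [{r['entry_ip']}] "
          f"-> abuse desk of {r['abuse_domain']}")
    for f in r["findings"]:
        print(" -", f)
    age = claimed_origin_age_days(CLAIMED_ORIGIN_DATE, r["entry_date"])
    print(f"quoted 'original' was supposedly sent {age} days before delivery")
```

The bottom-most Received: line is the only hop in the chain that the recipient's own provider wrote from a connection it actually accepted, which is why the script trusts it and ignores everything the body claims about an "originating message". The Date: header happens to agree with the provider's timestamp to within two seconds, so the forger did get the clock right; the give-aways are the HELO name, the reverse DNS of the connecting host, and the year-old "original".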


> This one is, of course, too old now but you could use SC parsing or other tools to identify the sender's abuse desk: (pool-71-120-226-182.spknwa.dsl-w.verizon.net [71.120.226.182]) = abuse[at]verizon.net

> -and send your own report/complaint.

This is what abuse[at]verizon.net sent me as an automatic answer:

"Thank you for your E-mail message to Verizon Online Abuse.

This is an automated response, in order to confirm the receipt of your report and to provide you with some additional general information. We understand that in some cases this general information may not pertain to your specific report, but please rest assured your message will be reviewed and investigated.

We apologize for any inconvenience the reported incident has caused you. Because we receive a large number of complaints each day, regretfully, a response to each message is not possible. If additional information is required in order to complete our investigation, we will contact you regarding this information.

Verizon Online Security investigates each reported incident, and will take the appropriate action as permitted by Verizon's Internet Access Agreement and Acceptable Use Policy, which can be viewed at the website listed below.

Additionally, you may find the following pertinent information beneficial:

To better understand the problems with Unsolicited Commercial E-mail ("spam"), we have provided information about filtering spam with your e-mail software, answers to several frequently asked questions and links to some useful online information about spam:

http://www.verizon.net/security

If you are reporting an unauthorized access attempt, please note that we cannot take action if the offender is not a Verizon Online Customer. These reports will need to be sent directly to the Internet Service Provider/IP space owner used by the offender.

The following web site may be helpful in determining the owner of the originating IP space:

http://www.arin.net/whois

Additionally, for faster routing, security related issues such as hacking, port probes, scans, and other similar issues may be delivered directly to: security[at]verizon.net ."

I sent them the two-part report, as I do when reporting to SpamCop.net. As can be seen above, they point to their ISP. My reports very often appear to conclude that verizon.net is addressed as one of the alerted domains. I cannot judge whether its ISP would have been alerted in my case. Neither can I judge whether it is useful sending this information to this group now; I hope it is. It's a miracle to me how SpamCop.net figures out who should be alerted anyway :)

Oriolus


That looks like their standard autoresponder. Depending how reporters have their reporting preferences set they may not see these when they report through SpamCop.

> ...My reports very often appear to conclude that verizon.net is addressed to as one of the alerted domains. ...

Verizon is right up there at the moment (weekly) spam statistics by domain ("Hall of Shame"). Apparently this is well spread by IP address over time, as they don't feature so highly in SenderBase daily spamsource but that is not necessarily the same as SpamCop experience. Their degree of "spamminess" has to take into account their total volumes - SenderBase email senders by domain, again this is just what is monitored by SB but obviously they are huge and generally there is a correlation between the total volume and the spam volume. (Though, to the contrary, Road Runner for instance is apparently doing comparatively well on the spam ratios at this instant since it is 2nd in total volume, 18th in the Hall of Shame.) Ratio-based analyses are available at SpamCop.net Statistics, scroll down to Netblock reports where "block" in this context means groups of contiguous IP addresses (not what is obstructed).

> ...I cannot judge whether its ISP would have been alerted in my case. Neither can I judge whether it is useful sending this information to this group now; I hope it is. It's a miracle to me how SpamCop.net figures out who should be alerted anyway :)

Earlier reporting is much better than late reporting and within several days is what most ISPs would prefer, I think, but they can use all the help they can get to enforce their Terms of Service/Acceptable User Policies so you did the right thing. If you had reported through SC the report would have gone to the same place, I trust (without bothering to test that).

dbiel put together a brief note about the parser's abuse address facilities in Abuse email addresses, How the parser choses which one to use with some further refinement there by Miss Betsy. Which accounts for the instances where the parser result is sometimes different to that indicated by Abuse net (apart from the fact you can never trust the purported domain in spam - the mailhosting and parsing processes, whois lookups and so on are additional but very relevant topics which you might like to research).

