Virus? Anyone recognise this one...?
Thread Starter
Joined: Apr 2001
Posts: 871
Likes: 0
From: Chichester, UK
Just received a rather strange e-mail
Anyone recognise the culprit?
Looks like it came from me, but it is very unlikely that it actually has. I'm running an up to date NAV2002, which finds nothing suspicious on my PC - and I've no idea who terry pullen is
FWIW, the e-mail address ([email protected]) is only used for this website.
This message was created automatically by mail delivery software (Exim).
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
[email protected]
This message has been rejected because it has
an apparently executable attachment Lt.pif
This is a virus prevention measure.
If you meant to send this file then please
package it up as a zip file and resend it.
------ This is a copy of the message, including all the headers. ------
------ The body of the message is 123991 characters long; only the first
------ 65536 or so are included here.
Return-path: <[email protected]>
Received: from modem-806.duckdive.dialup.pol.co.uk ([62.25.155.38] helo=Amrsckco)
by mail5.svr.pol.co.uk with smtp (Exim 3.35 #1)
id 17KOdk-0007lq-00
for [email protected]; Tue, 18 Jun 2002 20:27:45 +0100
From: pprune <[email protected]>
To: [email protected]
Subject: Darling
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=ChQf2crhv00
Message-Id: <[email protected]>
Date: Tue, 18 Jun 2002 20:27:45 +0100
--ChQf2crhv00
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:MEEi31567 height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>
--ChQf2crhv00
Content-Type: audio/x-midi;
name=Lt.pif
Content-Transfer-Encoding: base64
Content-ID: <MEEi31567>
<lots of MIME snipped>
Joined: Mar 2001
Posts: 2,335
Likes: 0
From: Wet Coast
These trojans pick a random entry from the infected address book and send themselves to every other entry.
So the only thing known for sure is that both you and 'Terry' are in the address book of the person who does have the virus. Probably a PPruNer too.
Since it looks like you have been 'selected' as the from address, you can probably expect some more undeliverable mail messages. I got similarly hijacked without ever being infected a while back. Took about a week before the fallout subsided.
Pr!cks !
Joined: Aug 1998
Posts: 108
Likes: 1
From: ....
I've just spent two days removing W32Klez from my mum's PC - she had not updated her Norton software!
V Nasty virus - once it's in it won't let you install or update anti-virus programs. As stated above, the Norton website has comprehensive (10 pages+) information on how to remove the virus. A very long process
At least all of the e-mail forwarding computers are picking it up now. Mum had 250 returned e-mails that W32Klez had attempted to send out
Thread Starter
Joined: Apr 2001
Posts: 871
Likes: 0
From: Chichester, UK
Thanks chaps.
My NAV2002 is up to date, but I've checked aisleman's link to be safe and I'm clean - that's a relief. It had me worried for a bit.
Last edited by Evo7; 19th June 2002 at 08:09.
Thread Starter
Joined: Apr 2001
Posts: 871
Likes: 0
From: Chichester, UK
The Symantec write-up is very interesting. It's a b@st@rd alright...
On the positive side, I've yet to receive any "you've sent me a virus" e-mails. I'm still slightly surprised that it doesn't trigger NAV though - presumably because the message lost the second half of the attachment when it was bounced?
Joined: May 2002
Posts: 220
Likes: 0
From: West Sussex, UK
I got that b*****d of a virus too, hope to get it fixed tonight.
Downloaded the patch from symantec at work, anyone else tried it?
The cheeky bloody virus, it cut off my norton anti virus and anti virus update.
I'm not a happy bunny!!!
Joined: Mar 2002
Posts: 448
Likes: 0
From: London, UK
Viruses...
Quoth aisleman:
---8<-----
The curious thing is that it appears to be a bounced message from pol.co.uk which belongs to Energis. Does that mean their system is infected?!! Or is that part of the smoke screen.
---8<-----
POL (Planet OnLine) are the company contracted to provide the infrastructure for FreeServe, amongst others, and no their system is not infected.
POL's mail infrastructure is actually quite clever. As the error message says ("the clue is in the question"):
"This message has been rejected because it has
an apparently executable attachment Lt.pif
This is a virus prevention measure.
If you meant to send this file then please
package it up as a zip file and resend it. "
Their mailservers have been configured to reject messages which contain attachments which could "run" as an application (and thus infect you with a virus), either when you save them as files and double-click, or, in the case of poor unfortunates who have no choice other than to use LookOut!^H^H^H^HOutLook, if it decides to run the program anyway without asking.
The PIF extension stands for Program Information File, and is a legacy from the DOS/Windows 3.1 days.
HTH
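The bounced copy quoted in the first post and the "apparently executable attachment" rejection explained in this post can both be reproduced with a small MIME walker. The Python below is an added example, not code from the thread or from POL's mail system. It reconstructs the quoted message as a constructed string (the base64 body of Lt.pif was snipped on the page, so a dummy payload that merely begins with the DOS/PE "MZ" bytes stands in for it) and reports what a gateway or an analyst would flag: an attachment whose name carries a run-on-double-click extension (the extension list is a typical Windows one chosen for this example, not POL's actual configuration), a declared content type (audio/x-midi) that contradicts that name, and a zero-size iframe in the HTML part whose cid: target is that attachment. That last combination is what made unpatched Outlook and Outlook Express render the part automatically (the MIME-header handling flaw Microsoft patched as MS01-020), which is the "runs without asking" case described above.

```python
import base64
import email
import re

# Extensions Windows runs on double-click (a typical "level 1" list; a
# hypothetical policy for this example, not POL's actual configuration).
EXEC_EXTENSIONS = {
    "ade", "adp", "bas", "bat", "chm", "cmd", "com", "cpl", "crt", "exe",
    "hlp", "hta", "inf", "ins", "isp", "js", "jse", "lnk", "mdb", "mde",
    "msc", "msi", "msp", "mst", "pcd", "pif", "reg", "scr", "sct", "shs",
    "url", "vb", "vbe", "vbs", "wsc", "wsf", "wsh",
}

# A hidden <iframe src=cid:...> asks the mail client to render another MIME
# part of the same message inline, at zero size, as soon as the HTML is shown.
IFRAME_CID_RE = re.compile(
    r"""<iframe\b[^>]*\bsrc=["']?cid:(?P<cid>[^\s"'>]+)[^>]*>""", re.IGNORECASE)
ZERO_SIZE_RE = re.compile(r"""\b(?:height|width)=["']?0\b""", re.IGNORECASE)

# Constructed reconstruction of the bounced copy quoted in the first post.
# The base64 body of Lt.pif was snipped on the page, so a dummy payload that
# merely begins with the DOS/PE "MZ" magic stands in for it.
FAKE_PIF_B64 = base64.b64encode(b"MZ" + b"\x00" * 14).decode()
BOUNCED_COPY = f"""\
Return-path: <[email protected]>
Received: from modem-806.duckdive.dialup.pol.co.uk ([62.25.155.38] helo=Amrsckco)
\tby mail5.svr.pol.co.uk with smtp (Exim 3.35 #1)
\tid 17KOdk-0007lq-00
\tfor [email protected]; Tue, 18 Jun 2002 20:27:45 +0100
From: pprune <[email protected]>
To: [email protected]
Subject: Darling
MIME-Version: 1.0
Content-Type: multipart/alternative;
\tboundary=ChQf2crhv00
Message-Id: <[email protected]>
Date: Tue, 18 Jun 2002 20:27:45 +0100

--ChQf2crhv00
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:MEEi31567 height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>
--ChQf2crhv00
Content-Type: audio/x-midi;
\tname=Lt.pif
Content-Transfer-Encoding: base64
Content-ID: <MEEi31567>

{FAKE_PIF_B64}
--ChQf2crhv00--
"""


def analyse(raw):
    """Walk the MIME tree and report the signs of a self-launching attachment."""
    msg = email.message_from_string(raw)
    report = {
        "hidden_iframe_cids": [],      # cid: targets of zero-size iframes
        "executable_attachments": [],  # names with a run-on-click extension
        "type_mismatches": [],         # (name, declared type) where the type lies
        "pe_magic": [],                # parts whose decoded bytes start with "MZ"
        "auto_run_chain": [],          # (cid, name, type): iframe -> executable
    }
    parts_by_cid = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        ext = name.rpartition(".")[2].lower() if "." in name else ""
        body = part.get_payload(decode=True) or b""   # undoes QP / base64
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if cid:
            parts_by_cid[cid] = (name, ctype)
        if ctype == "text/html":
            html = body.decode("latin-1")
            for m in IFRAME_CID_RE.finditer(html):
                if ZERO_SIZE_RE.search(m.group(0)):
                    report["hidden_iframe_cids"].append(m.group("cid"))
        if ext in EXEC_EXTENSIONS:
            report["executable_attachments"].append(name)
            # An executable name under a harmless declared type is the
            # MIME-header trick: the client trusts the type, the shell
            # trusts the extension.
            if not ctype.startswith("application/"):
                report["type_mismatches"].append((name, ctype))
        if body[:2] == b"MZ":
            report["pe_magic"].append(name or cid)
    # The dangerous combination: a hidden iframe pointing at a part that
    # carries an executable name.
    for cid in report["hidden_iframe_cids"]:
        name, ctype = parts_by_cid.get(cid, ("", ""))
        if name in report["executable_attachments"]:
            report["auto_run_chain"].append((cid, name, ctype))
    return report
```

The name check alone is what the POL bounce describes, and it is why the bounce suggests zipping the file to get it through; the "MZ" sniff goes one step further and catches an executable that has been renamed, but not one inside an archive.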
Jet Blast Rat
Joined: Jan 2001
Posts: 2,081
Likes: 0
From: Sarfend-on-Sea
Well I've just found the one advantage of AOL. Because AOL doesn't use smtp (this is a real pain for me) this virus couldn't use my computer to spread itself! Not great, but I knew it had to be there
Joined: Jun 2002
Posts: 80
Likes: 0
From: uk
I appear to be a third party victim as well. My system is clean but I've been getting two or three emails a day for the last six weeks or so returned as they contain viruses. I have not sent these emails and do not know any of the recipients. Is there anything I can do... I'm considering changing my email ( which will be a complete pain) just to get away from it!

Joined: Mar 2002
Posts: 448
Likes: 0
From: London, UK
worzel
If your system is really clean (how up-to-date is your virus scanner?) then these messages are actually coming from somebody who happens to have your address in their addressbook, which has been seized by the virus and used to forge the sender address in outgoing copies of itself.
It may be possible to work out who this is by reading the mail headers (Outlook doesn't display these by default.) Email me if you need further help with this.
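Reading the headers, as suggested above, comes down to walking the Received: lines from the bottom up, because each relay prepends its own line and the last one in the message is therefore the first hop. The Python below is an added example, not the poster's method: it takes the headers of the bounced copy quoted earlier in the thread (constructed here as a string; only the headers are needed) and pulls out the hop that injected the message, with its IP address, reverse DNS name, the HELO string the sending machine announced, and the relay that accepted it. HOP_RE matches the "from host ([ip] helo=name) by server" form that Exim writes; other MTAs phrase the line differently and the pattern would need adjusting for them, which is an assumption of this example. Two caveats a practitioner would add: any Received: line below the first one written by a server you trust can itself have been forged by the sending machine, and an IP address plus timestamp identifies a dial-up customer only to that ISP's abuse desk, not to you.

```python
import email
import re

# Constructed header block copied from the bounced copy quoted earlier in
# the thread. Only the headers matter for tracing where the mail was injected.
HEADERS = """\
Return-path: <[email protected]>
Received: from modem-806.duckdive.dialup.pol.co.uk ([62.25.155.38] helo=Amrsckco)
\tby mail5.svr.pol.co.uk with smtp (Exim 3.35 #1)
\tid 17KOdk-0007lq-00
\tfor [email protected]; Tue, 18 Jun 2002 20:27:45 +0100
From: pprune <[email protected]>
To: [email protected]
Subject: Darling
Date: Tue, 18 Jun 2002 20:27:45 +0100

"""

# One hop as Exim writes it: "from <rdns> ([<ip>] helo=<name>) by <server> ...".
# The helo= part is optional; other MTAs use different wording (assumption).
HOP_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r"(?:\s+helo=(?P<helo>[^\s)]+))?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def received_hops(raw):
    """Return the parsed Received: hops, earliest (injecting machine) first."""
    msg = email.message_from_string(raw)
    hops = []
    # Each relay prepends its own Received: line, so reading them from the
    # bottom up walks the path from the sending machine towards the reader.
    for value in reversed(msg.get_all("Received", [])):
        unfolded = " ".join(value.split())   # join continuation lines
        m = HOP_RE.search(unfolded)
        if m:
            hops.append(m.groupdict())
    return hops


def trace_origin(raw):
    """Summarise who really injected the mail versus who it claims to be from."""
    msg = email.message_from_string(raw)
    hops = received_hops(raw)
    if not hops:
        return None
    origin = hops[0]
    helo = origin["helo"] or ""
    return {
        "claimed_sender": msg["From"],          # forged by the worm
        "bounces_go_to": msg["Return-path"],    # why the forged address gets DSNs
        "injected_from_ip": origin["ip"],
        "injected_from_rdns": origin["rdns"],
        "helo_name": helo,
        "first_relay": origin["by"],
        "hop_count": len(hops),
        # A HELO that is not a fully qualified host name, from a dial-up pool
        # address, is what a worm speaking SMTP straight from a home PC looks
        # like; the From: line carries no weight at all.
        "helo_is_fqdn": "." in helo,
        "rdns_is_dialup": bool(
            re.search(r"dial|modem|ppp|dsl|cable", origin["rdns"], re.IGNORECASE)),
    }
```

For the message in this thread the result says the mail was handed to mail5.svr.pol.co.uk by 62.25.155.38, a pol.co.uk dial-up modem announcing itself as "Amrsckco", at 20:27:45 +0100 on 18 June 2002; that IP and time, sent to the ISP's abuse address, is the only route to the infected customer.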