Virus? Anyone recognise this one...?
Just received a rather strange e-mail
This message was created automatically by mail delivery software (Exim).

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

[email protected]
This message has been rejected because it has an apparently executable attachment Lt.pif
This is a virus prevention measure.
If you meant to send this file then please package it up as a zip file and resend it.

------ This is a copy of the message, including all the headers. ------
------ The body of the message is 123991 characters long; only the first
------ 65536 or so are included here.

Return-path: <[email protected]>
Received: from modem-806.duckdive.dialup.pol.co.uk ([62.25.155.38] helo=Amrsckco)
 by mail5.svr.pol.co.uk with smtp (Exim 3.35 #1)
 id 17KOdk-0007lq-00
 for [email protected]; Tue, 18 Jun 2002 20:27:45 +0100
From: pprune <[email protected]>
To: [email protected]
Subject: Darling
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=ChQf2crhv00
Message-Id: <[email protected]>
Date: Tue, 18 Jun 2002 20:27:45 +0100

--ChQf2crhv00
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:MEEi31567 height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>

--ChQf2crhv00
Content-Type: audio/x-midi;
 name=Lt.pif
Content-Transfer-Encoding: base64
Content-ID: <MEEi31567>

<lots of MIME snipped>

Looks like it came from me, but it is very unlikely that it actually has. I'm running an up to date NAV2002, which finds nothing suspicious on my PC - and I've no idea who terry pullen is :)

FWIW, the e-mail address ([email protected]) is only used for this website. |
Although a quick search discovered...
Terry Pullen Eaglescott: PPL 600hr DHC1, PA12, S1S, C206 |
NAV 2001 says that it picks it up. I think the removal tool is for people who only buy NAV after infection, or who don't subscribe to AutoUpdate.
|
These trojans pick a random entry from the infected address book and send themselves to every other entry.
So the only thing known for sure is that both you and 'Terry' are in the address book of the person who does have the virus. Probably a PPruNer too. Since it looks like you have been 'selected' as the from address, you can probably expect some more undeliverable mail messages. I got similarly hijacked without ever being infected a while back. Took about a week before the fallout subsided. Pr!cks !:mad: |
I've just spent two days removing W32Klez from my mum's PC - she had not updated her Norton software!
V Nasty virus - once it's in it won't let you install or update anti-virus programs. As stated above, the Norton website has comprehensive (10 pages+) information on how to remove the virus. A very long process :mad: At least all of the e-mail forwarding computers are picking it up now. Mum had 250 returned e-mails that W32Klez had attempted to send out :eek: |
Thanks chaps.
My NAV2002 is up to date, but I've checked aisleman's link to be safe and I'm clean - that's a relief. It had me worried for a bit. :) |
The Symantec write-up is very interesting. It's a b@st@rd alright...
On the positive side, I've yet to receive any "you've sent me a virus" e-mails. I'm still slightly surprised that it doesn't trigger NAV though - presumably because the message lost the second half of the attachment when it was bounced? |
I got that b*****d of a virus too, hope to get it fixed tonight.
Downloaded the patch from Symantec at work, anyone else tried it? The cheeky bloody virus, it cut off my Norton anti virus and anti virus update. I'm not a happy bunny!!! :mad: |
Viruses...
Quoth aisleman:
---8-----
The curious thing is that it appears to be a bounced message from pol.co.uk which belongs to Energis. Does that mean their system is infected?!! Or is that part of the smoke screen.
---8<-----

POL (Planet OnLine) are the company contracted to provide the infrastructure for FreeServe, amongst others, and no, their system is not infected.

POL's mail infrastructure is actually quite clever. As the error message says ("the clue is in the question" ;) ):

"This message has been rejected because it has an apparently executable attachment Lt.pif This is a virus prevention measure. If you meant to send this file then please package it up as a zip file and resend it. "

Their mailservers have been configured to reject messages which contain attachments which could "run" as an application (and thus infect you with a virus), either when you save them as files and double-click, or, in the case of poor unfortunates who have no choice other than to use LookOut!^H^H^H^HOutLook :eek:, if it decides to run the program anyway without asking.

The PIF extension stands for Program Information File, and is a legacy from the DOS/Windows 3.1 days.

HTH |
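Added example (not part of the thread and not POL's actual filter): a Python sketch of the kind of check described in the post above, run over a constructed message shaped like the quoted bounce. The function names, the extension list and the sample addresses, boundary and payload are assumptions made for illustration.

```python
import email
import os
import re
from email import policy

# Extensions Windows runs directly; .pif is the one named in the bounce above.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".lnk"}
IFRAME_CID = re.compile(r"<iframe[^>]*\bsrc=[\"']?cid:([^\s\"'>]+)", re.I)

# Constructed sample modelled on the quoted bounce (boundary and payload made up).
SAMPLE = """\
Content-Type: multipart/alternative; boundary=XbOuNdArY

--XbOuNdArY
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><iframe src=3Dcid:PART1 height=3D0 width=3D0></iframe></BODY></HTML>
--XbOuNdArY
Content-Type: audio/x-midi; name=Lt.pif
Content-Transfer-Encoding: base64
Content-ID: <PART1>

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
--XbOuNdArY--
"""

def inspect_message(raw):
    """Return sorted (finding, detail) tuples for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    framed = set()  # Content-IDs that an HTML part loads into an iframe
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            framed.update(IFRAME_CID.findall(part.get_content()))
    findings = set()
    for part in msg.walk():
        name = part.get_filename() or ""  # falls back to Content-Type name=
        ext = os.path.splitext(name.lower())[1]
        if ext in EXECUTABLE_EXTS:  # judge by file name, not declared type
            findings.add(("executable-attachment", name))
            if part.get_content_maintype() != "application":
                findings.add(("disguised-type", part.get_content_type()))
        cid = (part["Content-ID"] or "").strip("<> ")
        if cid in framed:  # the HTML body references this part by cid:
            findings.add(("iframe-loads-attachment", cid))
    return sorted(findings)

def should_reject(raw):
    return any(kind == "executable-attachment" for kind, _ in inspect_message(raw))
```

The check keys on the file name because the declared type (audio/x-midi in the bounce) is chosen by the sender.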
Well I've just found the one advantage of AOL. Because AOL doesn't use smtp (this is a real pain for me) this virus couldn't use my computer to spread itself! Not great, but I knew it had to be there :D
|
I appear to be a third party victim as well. My system is clean but I've been getting two or three emails a day for the last six weeks or so returned as they contain viruses. I have not sent these emails and do not know any of the recipients. Is there anything I can do... I'm considering changing my email (which will be a complete pain) just to get away from it!
|
worzel
If your system is really clean (how up-to-date is your virus scanner?) then these messages are actually coming from somebody who happens to have your address in their addressbook, which has been seized by the virus and used to forge the sender address in outgoing copies of itself.
It may be possible to work out who this is by reading the mail headers (Outlook doesn't display these by default.) Email me if you need further help with this. |
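Added example (not part of the thread): one way to read the headers of a returned copy, in Python. It walks the Received lines from the newest down and stops at the first hand-off from a host outside the servers you trust, since anything below that point was supplied by the sender. The header layout follows the Exim-style line in the bounce quoted earlier; the host names, documentation addresses, trusted_servers and trusted_relay_ips are assumptions.

```python
import email
import re
from email import policy

# Exim-style hop, the format seen in the bounce quoted earlier in the thread:
#   from <rdns> ([<ip>] helo=<name>) by <server> with smtp ...
HOP = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[0-9.]+)\](?:\s+helo=(?P<helo>[^)\s]+))?\)"
    r"\s+by\s+(?P<by>\S+)")

# Constructed headers (documentation addresses). Newest hop first; the bottom
# Received line stands in for one the sending program made up itself.
SAMPLE = """\
Received: from relay.myisp.example ([192.0.2.10] helo=relay.myisp.example)
\tby mail.myisp.example with esmtp (Exim 3.35 #1) id 0000003-00; Tue, 18 Jun 2002 20:28:01 +0100
Received: from dialup-17.otherisp.example ([198.51.100.23] helo=Amrsckco)
\tby relay.myisp.example with smtp (Exim 3.35 #1) id 0000002-00; Tue, 18 Jun 2002 20:27:45 +0100
Received: from pc.innocent.example ([203.0.113.5] helo=pc)
\tby mail.myisp.example with smtp id 0000001-00; Tue, 18 Jun 2002 20:00:00 +0100
From: you <you@example.org>
Subject: Darling

body
"""

def trace_origin(raw, trusted_servers, trusted_relay_ips):
    """Return the hop where the message entered trusted servers, or None."""
    msg = email.message_from_string(raw, policy=policy.default)
    origin = None
    for value in msg.get_all("Received", []):
        hop = HOP.search(str(value))
        if not hop or hop["by"].lower() not in trusted_servers:
            break  # not written by a server we trust
        origin = hop.groupdict()
        if hop["ip"] not in trusted_relay_ips:
            break  # outside host: every header below is sender-supplied
    return origin

if __name__ == "__main__":
    print(trace_origin(SAMPLE,
                       {"mail.myisp.example", "relay.myisp.example"},
                       {"192.0.2.10"}))
```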