I keep getting these message delivery failed emails for emails that I did not send. I have checked one of them and it has an attachment (bdczvi.exe). Anyone have a similar problem? Would changing my email password help?
Posted on 2003-11-26 05:41:11 by Odyssey
Virus removal tool or antivirus application & maybe firewall would help more than changing the password...

but what do i know...:rolleyes:
Posted on 2003-11-26 05:44:53 by Ranma_at
Well I have an antivirus (AVG free edition) tool installed; it must have missed it. I will do a virus scan though.
Posted on 2003-11-26 05:48:36 by Odyssey
Hi Odyssey,

You may just be on the mailing list of some people who have that virus. Some virii will spoof a returned mail notification and send it to everyone on the infected PC's mailing list hoping that some unsuspecting dupe will open it to see what has been returned. Check the message header and see if it is really returned mail or just another a**hole virus writer's bullshit.
Posted on 2003-11-26 05:58:38 by donkey
From looking at the email header how do I determine if it's really returned mail? I don't think that spoofing a return mail is a good strategy to send virii because it makes me suspicious. Why am I getting returned mails for emails I did not send? :) Here's the header for one of them.

X-Message-Info: UZmYcfFpTCewzfqvyl1d189+/FjrFUZX
Received: from vsmtp3.tin.it ([212.216.176.223]) by mc1-f41.hotmail.com
 with Microsoft SMTPSVC(5.0.2195.6713);
 Tue, 25 Nov 2003 09:44:47 -0800
Received: from msmwqem (80.181.166.27) by vsmtp3.tin.it (7.0.019)
 id 3FC330800004E6C9; Tue, 25 Nov 2003 18:44:19 +0100
Date: Tue, 25 Nov 2003 18:44:19 +0100 (added by [address hidden])
Message-ID: <3FC330800004E6C9@vsmtp3.tin.it> (added by [address hidden])
FROM: "Postmaster" <mailform@freemail.com>
TO: "Net Recipient" <client@mxdomain.com>
SUBJECT: Letter
Mime-Version: 1.0
Content-Type: multipart/alternative;
 boundary="lxpsxjdz"
Return-Path: [address hidden]
X-OriginalArrivalTime: 25 Nov 2003 17:44:48.0825 (UTC) FILETIME=[D25E4A90:01C3B37B]
Posted on 2003-11-26 06:22:06 by Odyssey
Well, since it has been forwarded by a real postmaster (virgilio is a large ISP in Italy) I would suspect that it is a valid returned mail. Better start checking your machine for worms, sounds like a W32.Mimail type thing.
Posted on 2003-11-26 06:27:33 by donkey
I have fake returns sometimes too, when someone is infected and my address is in their mailbox/address book.

Then they send a lot of spoofed mail as if it comes from you; when that mail bounces the mailer daemon returns it to where it *thinks* it came from (spoofing), which is you.

So you didn't send anything but the mailer daemon return is set as your address, hence the daemon acts upon it.
Posted on 2003-11-26 07:46:34 by Hiroshimator
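As an added example (not code from the thread), this checker applies donkey's advice to read the header and Hiroshimator's explanation of spoofed bounces: it parses the header quoted above next to a constructed genuine bounce and lists why the first does not look like a real delivery-status notification. The rules are the published ones (multipart/report with report-type=delivery-status per RFC 3464, and the null Return-Path <> per RFC 5321); the mx.example.net bounce is constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Headers of the suspect message quoted in the thread (address-hiding
# residue removed, folded lines restored, unrelated headers omitted).
SUSPECT_HEADERS = """\
Received: from vsmtp3.tin.it ([212.216.176.223]) by mc1-f41.hotmail.com
 with Microsoft SMTPSVC(5.0.2195.6713); Tue, 25 Nov 2003 09:44:47 -0800
Received: from msmwqem (80.181.166.27) by vsmtp3.tin.it (7.0.019)
 id 3FC330800004E6C9; Tue, 25 Nov 2003 18:44:19 +0100
FROM: "Postmaster" <mailform@freemail.com>
TO: "Net Recipient" <client@mxdomain.com>
SUBJECT: Letter
Content-Type: multipart/alternative; boundary="lxpsxjdz"

"""
# Constructed example of a standards-conforming bounce for comparison.
GENUINE_DSN_HEADERS = """\
Return-Path: <>
Received: from mx.example.net ([192.0.2.25]) by mc1-f41.hotmail.com; Tue, 25 Nov 2003 09:50:00 -0800
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: client@mxdomain.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn"

"""

def bounce_red_flags(raw_headers):
    # Returns the reasons a message does NOT look like a real bounce (DSN).
    msg = message_from_string(raw_headers, policy=policy.default)
    flags = []
    # RFC 3464: a DSN is multipart/report; report-type=delivery-status.
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        flags.append("not a multipart/report delivery-status notification")
    # RFC 5321: bounces use the null reverse-path, so Return-Path must be <>.
    rp = msg.get("Return-Path")
    if rp is None or str(rp).strip() != "<>":
        flags.append("Return-Path is not the null sender <>")
    # The earliest (last-listed) Received line names the host that injected
    # the mail; a freemail.com postmaster would inject from a freemail.com MTA.
    received = msg.get_all("Received") or []
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    hop = re.match(r"from\s+(\S+)", str(received[-1])) if received else None
    origin = hop.group(1).lower() if hop else ""
    if domain and origin != domain and not origin.endswith("." + domain):
        flags.append("From claims %s but first hop is from %r" % (domain, origin))
    return flags

def looks_like_real_bounce(raw_headers):
    return not bounce_red_flags(raw_headers)
```

Older or misconfigured MTAs sometimes send plain-text bounces, so treat the content-type check as a strong hint rather than proof; the first-hop mismatch (an unnamed host on a dial-up address claiming to be another provider's postmaster) is the more telling sign.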
Ok maybe you're right Hiroshimator. My virus scan didn't find anything. I just don't like the thought of my email account being used to spread virii.
Posted on 2003-11-26 08:12:25 by Odyssey
An interesting observation is that all the attachments are 106 kb in size and one of them is claiming to be a Microsoft security update. I heard about this one but I can't remember its name :) I guess it's the same program but different names.
Posted on 2003-11-26 11:02:37 by Odyssey
Odyssey,

You can also try F-Prot antivirus to check your e-mails. The DOS version is free and very powerful.
Posted on 2003-11-26 11:07:21 by Vortex
An interesting observation is that all the attachments are 106 kb in size and one of them is claiming to be a Microsoft security update. I heard about this one but I can't remember its name :) I guess it's the same program but different names.

Probably the W32/Gibe.gen@MM virus.
Posted on 2003-11-26 11:09:40 by donkey
Odyssey,

It sounds like what you have is a normal worm that spoofs an address out of the address book of the machine that sent it. The important thing is to make sure you NEVER run the attachments.

A friend of mine went to the download site and got the patch that was supposed to be a Microsoft upgrade, ran it and trashed their machine big time so make sure you never fall for these tricks. Microsoft do NOT send patches to people by email. Lucky we had the machine set up with a ghost image of the boot partition so it only took about 5 minutes to fix it.

I was getting about 400 a day a few months back when a particular worm had just been released and while I was not worried about getting infected, the bandwidth was a problem and it flooded my normal email. I found a toy called PopTray that lets you edit the email at the server end so you don't even need to download it.

Regards,
Posted on 2003-11-26 18:18:08 by hutch--
Yes it's probably a worm but why isn't my antivirus program detecting it? No need to worry about me opening it. I'm suspicious of any emails with executable attachments. The virii coders need to do a better job to get me to run their attachments :)
Posted on 2003-11-27 02:17:31 by Odyssey
Hi Odyssey,

Antivirus programs are like your immune system. They handle known quantities, and can sometimes handle similar quantities; but exotics they can't handle at first. Like your immune system, totally new parasites take time to recognize and kill; but once known, they can be handled in the future.

Charles
Posted on 2003-11-28 16:29:00 by cdquarles
You're right cdquarles but the symptoms suggest that this is a well known worm. It could be that I'm just on one of their mailing lists or something because my antivirus software isn't detecting anything.
Posted on 2003-11-28 16:34:36 by Odyssey
I do not have any anti-virus program or firewall and I got a similar thing too, got me pretty paranoid... So I ended up mailing every contact about it; it was a pretty embarrassing feeling I thought, if somebody close to me might have thought I tried to mail them a worm/virus.
Anyhow I found out it was one of my email contacts in Asia who got infected, the worm snatching my email address from Outlook.
Just like already told.
Anyhow, whatever, it is a pretty annoying situation.
Posted on 2003-11-28 17:11:36 by david
It's an annoying situation yes; the emails are all over 100 kb and they fill up my 2 MB Hotmail account quickly.
Posted on 2003-11-28 17:15:01 by Odyssey
Maybe ask the support at Hotmail for help... or activate some kind of spam filter to stop these mails.
I don't know if it's possible though (both alternatives). I stopped using Hotmail for anything other than a fake email address long ago... just because of all the spam that hit my Hotmail address.

If not possible, maybe change mail server/name, and inform your friends about the problem?

Luckily, I never got more than like 10 of these virus mailbacks to my private mail before it stopped.
Posted on 2003-11-28 17:23:59 by david
Don't assume!!

You claim "your antivirus isn't finding anything" - what makes you sure your antivirus is capable of detecting this "virus"? Why do you assume that your antivirus itself has not been altered by it? Also, if these returned mails are real, you're lucky, because some worms carry their own mailserver code now, and don't require an external mailserver at all!! Blinkers off!!
I've even had a worm which injected code into the process space of my firewall, and then was able to send mail from my machine without triggering the wall since most walls don't monitor their own process space... grrr...
Posted on 2003-11-29 00:36:05 by Homer
EvilHomer2K is absolutely correct. I got the Blaster worm before NAV could detect and stop it, causing me no end of problems. I eventually formatted my drive and did a complete re-install, only to find out when I finally got back onto the web that the worm was completely removable. The problem was that the worm was blocking my AV software's ability to get the update, so I could not know what was going on.
Posted on 2003-11-29 00:44:08 by donkey