Virus Attacks

elisiaco elisiaco
Thu Feb 15 13:36:48 CST 2001


For more information go to www.sexyfun.net 

This is the information I have found and copied from the site:

Once infected, I believe that the virus makes all outgoing infected emails
have the Hahaha at sexyfun.net return address. I haven't been
infected myself, so I am gathering this from observations of the
infected emails that have been sent to me. 

I urge everyone to get some antivirus software and make sure their systems
are clean. 

Re: HEADERS
The tip of the iceberg:

For the most part, when you are using your email client like Outlook, Eudora, Netscape, pine, elm, etc., all that you see of the email header looks something like this:


         Date: Fri, 15 Dec 2000 06:12:01 -0600
         From: Hahaha 
         Subject: Snowhite and the Seven Dwarfs - The REAL story!


But this is just the tip of the iceberg. As you can see with the above example, which is a real email header from the virus that we have all received (or you would not be at this site most likely), most people, including some of you reading this header on your computer, automatically say:

"Dammit, another SPAMMED email. Well, I think I am going to threaten the owner of the domain, the user (which in this case is the spoofed / faked From: field) and the people that are hosting the domain's website (that would be me, slowmoe.com) with legal actions, report them to the FCC, FBI, local law, the government, their parents, their dog, etc..."

without digging a little deeper to find out what the real story behind this SPAM is.

Digging a little deeper:

The below header information is altered, and is here only to help you read other headers. This is only a guide; any similarities with actual providers/people are unintentional.

Now most email clients have some way to view the full email header of an email message. I think with Outlook when you have the message open you can do a FILE / PROPERTIES and the window that opens up will show you the full header. Netscape I am sure has some way to do the same. Here is an example of what the full email header looks like:

UPDATE: HERE is a link that tells you how to view the full email header for many different email clients.


         Return-Path: <>
         Received: from emerald.somedomain.abc (IDENT:root at emerald.somedomain.abc [10.46.57.20])
                 by nullspace.neonova.net (8.9.3/8.9.3) with ESMTP id HAA25532
                 for ; Fri, 15 Dec 2000 07:12:20 -0500
         Received: from zano (bar-pm3-1-11.somedomain.abc [10.145.183.26])
                 by emerald.somedomain.abc (Pro-8.9.3/Pro-8.9.3) with SMTP id GAA28296
                 for ; Fri, 15 Dec 2000 06:12:01 -0600
         Date: Fri, 15 Dec 2000 06:12:01 -0600
         Message-Id: <200012151212.GAA28296 at emerald.somedomain.abc>
         From: Hahaha 
         Subject: Snowhite and the Seven Dwarfs - The REAL story!
         MIME-Version: 1.0


Being that the virus tries its best to hide itself, this header looks smaller than a real header of an email sent from a normal email client. We still have the same information displayed that the normal header view above showed, but we also added the following fields: Return-Path, Received, Message-Id and MIME-Version.

The main thing we want to look at to find out who really sent this email are the Received: fields. When an email is sent from your computer to your ISP's mail server, the mail server reads in the email from your computer and it will then add one of these Received: fields to your email's header. As the email gets transferred from mail server to mail server, each mail server that your email passes thru will add its own Received: field to your message on top of the one from the last server. In the above example our email has two (2) Received: fields, meaning that it passed thru two (2) email servers before it got to me.

So now to find out who really sent me this email, all I need to do is back track thru the Received: fields until I reach the computer that sent this to me.

The first Received: field says:


         Received: from emerald.somedomain.abc (IDENT:root at emerald.somedomain.abc [10.46.57.20])
                 by nullspace.neonova.net (8.9.3/8.9.3) with ESMTP id HAA25532
                 for ; Fri, 15 Dec 2000 07:12:20 -0500


You can pretty much read this line just like English. It says: My mail server nullspace.neonova.net received an email going to web at sexyfun.net from the mail server emerald.somedomain.abc.

So I now know that the server that had this email right before it was dropped off in my inbox on my mail server is emerald.somedomain.abc, but we are not done yet.

The second (last) Received: field says:


         Received: from zano (bar-pm3-1-11.somedomain.abc [10.145.183.26])
                 by emerald.somedomain.abc (Pro-8.9.3/Pro-8.9.3) with SMTP id GAA28296
                 for ; Fri, 15 Dec 2000 06:12:01 -0600


Reading this like English again we get: The mail server emerald.somedomain.abc received an email going to web at sexyfun.net from zano (bar-pm3-1-11.somedomain.abc [10.145.183.26]).

Being that this is the last Received: field in our email header, we now know that this email was sent from the computer that has the internet address of bar-pm3-1-11.somedomain.abc, which converts to the IP of ???.145.183.26, and told their mail server their name was zano.

So now we know who sent the email, now what?:

So we now know the internet address and the IP of the user that really did send the email to you; you can now do one of the following.

1) Well hey, I know a friend that is named Zano, or I know a friend that uses somedomain.abc as their ISP. He must be infected with the virus. I think I will call him up and let them know they are infected and have them visit http://www.sexyfun.net/ to help them clean their computer up.

2) I don't know a Zano, I don't know anyone that uses somedomain.abc as their ISP. I think I will contact Zano's ISP and tell them that one of their users is sending SPAM with a virus attachment. You can find out who Zano's ISP is by checking the DNS Whois information of somedomain.abc, being that this is the network Zano is coming from. Or you can check out who owns the IP that Zano is coming from at Arin's website. Either method should give you the contact information for their ISP.

When you contact Zano's ISP, provide them with the Internet address (bar-pm3-1-11.somedomain.abc), the IP (10.145.183.26) and the time/date stamp on the email. That way they should be able to go thru their logs and find out which of their users was logged in with that IP / internet address at the time the email was sent, and contact them to inform them they have a virus or, IF they are the virus creator, take the needed actions against them.

If you have not noticed by now, this email did not come from the sexyfun.net domain or the company that is hosting this site :) .


On Thu, 15 Feb 2001 DaveAnt420 at aol.com wrote:

> Whoever keeps sending these viruses to the list needs to be hunted down, 
> prosecuted, and sufficiently tortured. I volunteer. Anyone good at tracing 
> headers?
> 
> Bear
> 
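
The Received: walk described in the copied text, as an added example that is not from the original post or the site it quotes: a small Python parser over a constructed header modeled on the altered one above (with the archive's "for ;" gap kept as-is). It unfolds the continuation lines, lists the hops oldest-first so the originating host comes out as hops[0], and checks that each server's "by" name matches the next hop's "from" host, since only the Received: line added by your own mail server is guaranteed genuine and a break in the chain is the usual sign of a forged line stuffed in below it.

```python
import re

# Constructed sample, modeled on the altered header in the post (the archive
# stripped the recipient after "for", so that gap is kept as-is).
RAW_HEADER = """\
Received: from emerald.somedomain.abc (IDENT:root@emerald.somedomain.abc [10.46.57.20])
        by nullspace.neonova.net (8.9.3/8.9.3) with ESMTP id HAA25532
        for ; Fri, 15 Dec 2000 07:12:20 -0500
Received: from zano (bar-pm3-1-11.somedomain.abc [10.145.183.26])
        by emerald.somedomain.abc (Pro-8.9.3/Pro-8.9.3) with SMTP id GAA28296
        for ; Fri, 15 Dec 2000 06:12:01 -0600
Date: Fri, 15 Dec 2000 06:12:01 -0600
From: Hahaha <hahaha@sexyfun.net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
"""

RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)(?:\s*\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE)

def unfold(raw):
    """Join folded continuation lines (leading whitespace) back onto their field."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        elif line:
            fields.append(line)
    return fields

def received_hops(raw):
    """Received: hops oldest-first, i.e. the bottom of the header comes out as hops[0]."""
    hops = []
    for field in unfold(raw):
        m = RECEIVED_RE.match(field)
        if not m:
            continue
        paren = m.group("paren") or ""
        ip = re.search(r"\[([0-9.]+)\]", paren)          # address seen by the receiver
        rdns = re.match(r"(?:IDENT:\S+@)?([A-Za-z0-9.-]+)", paren)  # its reverse DNS name
        hops.append({"helo": m.group("helo"), "by": m.group("by"),
                     "rdns": rdns.group(1) if rdns else None,
                     "ip": ip.group(1) if ip else None})
    return hops[::-1]

def chain_is_consistent(hops):
    """Each server that received a hop should be the 'from' host of the next hop;
    a break here suggests a forged Received: line inserted by the sender."""
    return all(h["by"] in (n["helo"], n["rdns"]) for h, n in zip(hops, hops[1:]))
```

Run against the sample, hops[0] is the zano hop (bar-pm3-1-11.somedomain.abc, 10.145.183.26), not the hahaha@sexyfun.net address in From:, which the page explains is spoofed.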



