posted
I know many of you don't visit GreNME very often, so I thought I would repost this here. Someone who knows both John and me (this has been verified by the IP address of the email's sender) has been infected with the MyDoom.M virus and is repeatedly sending us virus emails. Twinky has also gotten one, but we're not sure if it was from the same person. The infected computer's IP address resolves to a domain in Florida, but that may or may not be conclusive. In any case, if you have ever sent both me (and mike@sakeriver.com) and John (at a grenme.com address) an email, please check your computer for this virus. If you are using virus scanning software to do this check, make sure your virus definitions are up to date. If you want to try finding it manually, you can find information here. The removal tool can be found here.
posted
I'm 97% sure it wasn't me, but it would probably be easier for everyone if you could give us a time this happened. I know when my computer was and was not on, so if it happened during the later...
posted
I don't know that they actually had to have recently purposefully SENT you an e-mail even, Saxon75 -- maybe they just had your addresses in their e-mail address book. Doesn't this virus just pull addresses from their local address book and replicate itself out to them?
posted
I'm not sure whether this particular virus looks through the address book or the recently sent mail or what, but it makes a certain amount of sense that the people who would have my email address on their computers would be those who have ever sent me an email (whether recently or otherwise).
Hobbes, looking through my trash folder, I see virus emails with the following dates and times:
There may be others, but I think I switched to the new host on or around 7/26, so those would have gone to a different webmail server. Plus some may already have been purged from my trash. All of the times listed are shown as -0400, which I assume is GMT -4 hours.
Posts: 4534 | Registered: Jan 2003
posted
Yeah - according to that info link you posted, in fact, it says that this virus does "large scale e-mailing", which it then goes on to define as:
quote: Large scale e-mailing
This type of payload involves sending emails to large numbers of people. This is usually done by accessing a local address book and sending emails to a certain number of people within that particular address book.
So I would be looking for someone that maybe has you both in their e-mail address book. (I don't)
The virus will also harvest email addresses from any Outlook window that is active on the victim machine.
and
quote: From: (spoofed From: header) Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.
The From: address may be spoofed with a harvested email address. Additionally, it may be constructed so as to appear as a bounce, using the following addresses:
Of course, I know that Saxon already knows this -- I'm putting this out for others to be aware. Since he's tracing it by IP -- he knows what he is doing..... FG
Posts: 9538 | Registered: Aug 2003
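The point made in this thread, that the From: header can be spoofed and the sender's IP address is the better lead, shown as an added example that is not part of the original posts. It groups messages by the client IP in the topmost Received: header (the one stamped by the recipient's own mail server); the sample messages, host names and addresses are constructed, and the `[ip]` bracket format is an assumption about how that server writes the header.

```python
import re
from collections import defaultdict
from email import message_from_string

# Constructed sample messages; IPs come from documentation-only ranges.
SAMPLES = [
    "Received: from pc1 (unknown [203.0.113.45])\n"
    "\tby mx.example.org; Mon, 2 Aug 2004 10:01:00 -0400\n"
    "From: alice@example.com\nSubject: hello\n\nbody\n",
    # Same connecting IP, different From:, plus a lower Received: line
    # that the sending side could have written itself.
    "Received: from pc1 (unknown [203.0.113.45])\n"
    "\tby mx.example.org; Mon, 2 Aug 2004 10:07:00 -0400\n"
    "Received: from mail.example.net ([192.0.2.99])\n"
    "\tby relay.example.net; Mon, 2 Aug 2004 10:06:00 -0400\n"
    "From: postmaster@example.net\nSubject: Mail delivery failed\n\nbody\n",
    "Received: from laptop (unknown [198.51.100.7])\n"
    "\tby mx.example.org; Mon, 2 Aug 2004 11:30:00 -0400\n"
    "From: bob@example.com\nSubject: lunch\n\nbody\n",
]

# Assumed header style: the receiving server records the client IP in [brackets].
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw):
    """Return the client IP from the topmost Received: header, or None.

    Each server prepends its own Received: line, so the first one was
    added by the recipient's server; lower ones may be forged.
    """
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    match = IP_RE.search(received[0])
    return match.group(1) if match else None


def group_by_ip(raw_messages):
    """Map each connecting IP to the set of From: addresses it claimed."""
    groups = defaultdict(set)
    for raw in raw_messages:
        sender = message_from_string(raw).get("From", "").strip()
        groups[connecting_ip(raw)].add(sender)
    return dict(groups)


if __name__ == "__main__":
    for ip, senders in group_by_ip(SAMPLES).items():
        print(ip, sorted(senders))
```

One IP appearing with several unrelated From: addresses is the pattern to look for; the From: values themselves say nothing about who is infected.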