> OT: Virus alert
animaster
post Apr 7 2004, 01:08 AM
Post #1


Tireless Mailing Machine
**********

Group: Contributor
Posts: 6,064
Joined: 18-September 03
From: Hash, Inc. Vancouver, WA
Member No.: 6



From: "Stuart Rogers" stuart.rogers@clara.co.uk
Date: 2004-4-07 10:01:40

Some OT advice for list members.

I believe someone who's on the mailing list (either now or in
the past) has acquired a virus...

In the last few hours I've received three e-mails with attached
.pif files. The mails have subject lines along the line of
"Secure delivery", "Re: Old Photos", "Re: Is this your document?"
The attachments are about 40kB in size.

Two of the e-mails have 'from' & 'return path' that mention
"animationmaster.com", hence my suspicion that someone on the
list is infected. All of them mention prodigy.net.mx
The manner of the e-mails reek of nefariousness!

It's almost certainly a PC user that's affected. If any PC
users on the list/forum gets one of these, I suggest you don't
open the file, but do delete the e-mail.

Best wishes

Stuart
johnl3d
post Apr 7 2004, 04:13 AM
Post #2


Tinkering Gnome
**********

Group: Hash Fellow
Posts: 4,714
Joined: 20-September 03
From: Milwaukee WI
Member No.: 254



Yes, I have received 2 here; the old photos one was one of them, and the address I use for the list is just for the list, so it points to a list member. The message got flagged immediately by McAfee.


--------------------
http://johnl3d.blogspot.com/

http://www.youtube.com/watch?v=qqTiI2zA8Gw

"Try not! Do or do not. There is no try." Yoda

"Some people dream of accomplishments...
others stay up late and do them" Probably an Animator
animaster
post Apr 7 2004, 05:23 AM
Post #3


Tireless Mailing Machine
**********

Group: Contributor
Posts: 6,064
Joined: 18-September 03
From: Hash, Inc. Vancouver, WA
Member No.: 6



From: "Richard Harrowell" rick@rivernet.com.au
Date: 2004-4-07 23:12:51






Same here. I have received emails containing the Netsky.P virus from a Hash list
member.




The infected computer is a dialup connection to the PRODIGY.NET.MX network.  I
believe the dialup is located at Arizpe in Coahuila de Zaragoza, Mexico.  Please would
anyone using prodigy from around Arizpe check for the virus. The following links
describe the virus, and how to identify and remove it.







Richard.




> Some OT advice for list members.
>
> I believe someone who's on the mailing list (either now or in
> the past) has acquired a virus...
>
> In the last few hours I've received three e-mails with attached
> .pif files.  The mails have subject lines along the line of
> "Secure delivery", "Re: Old Photos", "Re: Is this your document?"
> The attachments are about 40kB in size.
>
> Two of the e-mails have 'from' & 'return path' that mention
> "animationmaster.com", hence my suspicion that someone on the
> list is infected.  All of them mention prodigy.net.mx
> The manner of the e-mails reek of nefariousness!
>
> It's almost certainly a PC user that's affected.  If any PC
> users on the list/forum gets one of these, I suggest you don't
> open the file, but do delete the e-mail.
>
> Best wishes
>
> Stuart
animaster
post Apr 7 2004, 06:38 AM
Post #4


Tireless Mailing Machine
**********

Group: Contributor
Posts: 6,064
Joined: 18-September 03
From: Hash, Inc. Vancouver, WA
Member No.: 6



From: "Gareth Hardy" animaster@dvdreams.co.uk
Date: 2004-4-7 15:27:40



How did you locate the infected computer so accurately? The best I can manage is "It's someone on this list 'cos I don't use this address for anything else."
> The infected computer is a dialup connection to the
> PRODIGY.NET.MX network. I believe the dialup is
> located at Arizpe in Coahuila de Zaragoza, Mexico.

ChrisThom
post Apr 7 2004, 06:53 AM
Post #5


Sweet Lincoln's mullet!
**********

Group: Members
Posts: 880
Joined: 19-September 03
From: Nashville, TN USA
Member No.: 190
Contests Won:*



I suppose this is good reason to use the forums vs. the maillist.


--------------------
Dios te bendiga,
Chris Thom
ChrisThom.net

My A:M Gallery

"Earth's crammed with heaven, and every common bush afire with God;
And only he who sees takes off his shoes; The rest sit round it and pluck blackberries."
~ Elizabeth Barrett Browning

"Time flies like the wind. Fruit Flies like bananas."
~ Groucho Marx
jon
post Apr 7 2004, 08:46 AM
Post #6


Master
**********

Group: Contributor
Posts: 1,110
Joined: 18-September 03
Member No.: 51
Contests Won:**



these types of viruses usually find their victims in the address books of infected machines, but the spam/trojan email they create almost always has a forged 'from' address. you can find out the originating server by checking the detailed headers in the email, which is often hidden by email readers.

the best advice i can give is don't open an attachment from anyone unless you are expecting it, and don't use outlook!

-jon
animaster
post Apr 7 2004, 10:28 PM
Post #7


Tireless Mailing Machine
**********

Group: Contributor
Posts: 6,064
Joined: 18-September 03
From: Hash, Inc. Vancouver, WA
Member No.: 6



From: pedro galvez galvezmanzo@prodigy.net.mx
Date: 2004-4-08 01:21:58

for every 10 mails i get from the animaster mailing list, 4 of them are
virus
----- Original Message -----
From: johnathan darkly
To:
Sent: Wednesday, April 07, 2004 11:48 AM
Subject: Re: OT: Virus alert
>
> From: jon : johnathan darkly :
>
> these types of viruses usually find their victims in the address books of
> infected machines, but the spam/trojan email they create almost always has a
> forged 'from' address. you can find out the originating server by checking
> the detailed headers in the email, which is often hidden by email readers.
>
> the best advice i can give is don't open an attachment from anyone unless
> you are expecting it, and don't use outlook!
>
> -jon
animaster
post Apr 9 2004, 10:03 AM
Post #8


Tireless Mailing Machine
**********

Group: Contributor
Posts: 6,064
Joined: 18-September 03
From: Hash, Inc. Vancouver, WA
Member No.: 6



From: pedro galvez galvezmanzo@prodigy.net.mx
Date: 2004-4-08 16:35:12

yes i had it but not anymore because i had to format my pc, and yes my anti
virus don't detect it Thanks
----- Original Message -----
From: Richard Harrowell
To: pedro galvez
Sent: Thursday, April 08, 2004 1:52 AM
Subject: RE: OT: Virus alert
> Pedro,
>
> Have you checked to see if you have the Netsky.P virus? (Do you
> have a file FVProtect.exe in your C:\Windows or C:\Winnt folder?)
>
> The point is that your dialup connects using the 200.64.130.xxx subnet.
> I have received 2 infected emails sent from an infected computer on
> the 200.64.130.xxx subnet.
>
> This virus has its own SMTP mail server and will quite happily send
> infected emails back to yourself. This would explain the fact you are
> getting the 4 out of 10 infected messages.
>
> It is not enough that you have an anti-virus package - once you are
> infected, most modern viruses often disable the antivirus protection.
>
> If they are not coming from you, have you looked at the IP addresses
> that the viruses are coming from?
>
> Regards
>
> Richard.
animaster
post Apr 9 2004, 10:03 AM
Post #9


Tireless Mailing Machine
**********

Group: Contributor
Posts: 6,064
Joined: 18-September 03
From: Hash, Inc. Vancouver, WA
Member No.: 6



From: pedro galvez galvezmanzo@prodigy.net.mx
Date: 2004-4-08 16:40:41

i had that file and it cause me a lot of troubles, so i had to format my
entire HD, but, how or from where i got infected with this virus?
----- Original Message -----
From: Richard Harrowell
To: pedro galvez
Sent: Thursday, April 08, 2004 1:52 AM
Subject: RE: OT: Virus alert
> Pedro,
>
> Have you checked to see if you have the Netsky.P virus? (Do you
> have a file FVProtect.exe in your C:\Windows or C:\Winnt folder?)
>
> The point is that your dialup connects using the 200.64.130.xxx subnet.
> I have received 2 infected emails sent from an infected computer on
> the 200.64.130.xxx subnet.
>
> This virus has its own SMTP mail server and will quite happily send
> infected emails back to yourself. This would explain the fact you are
> getting the 4 out of 10 infected messages.
>
> It is not enough that you have an anti-virus package - once you are
> infected, most modern viruses often disable the antivirus protection.
>
> If they are not coming from you, have you looked at the IP addresses
> that the viruses are coming from?
>
> Regards
>
> Richard.
jon
post Apr 9 2004, 02:15 PM
Post #10


Master
**********

Group: Contributor
Posts: 1,110
Joined: 18-September 03
Member No.: 51
Contests Won:**



QUOTE
i had that file and it cause me a lot of troubles, so i had to format my
entire HD, but, how or from where i got infected with this virus?

you got the virus by opening an infected attachment from an email sent from yet another computer user who did the same thing.

these latest email viruses spread out thanks to ms outlook's swiss cheese security.

-jon
zacktaich
post Apr 9 2004, 04:11 PM
Post #11


Poo-flinging monkey
**********

Group: Contributor
Posts: 1,046
Joined: 25-September 03
From: Sunnyvale, California (near San Francisco
Member No.: 405



QUOTE
The infected computer is a dialup connection to the PRODIGY.NET.MX network.  I
believe the dialup is located at Arizpe in Coahuila de Zaragoza, Mexico.  Please would
anyone using prodigy from around Arizpe check for the virus. The following links
describe the virus, and how to identify and remove it.


Unfortunately, when you see a virus coming from outside the US, 50% of the time, the IP is forged. For the person who didn't know how to find out this info: He found the IP in the extended headers. Then he just used an IP address locator.


--------------------
Zachary Taich
www.zack3d.com - Coming soon: Adventure takes a whole new form (see website for details).
http://www.zack3d.com/wiki/ - The Hash A:M Wiki (please add!)
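
The header check that jon's and zacktaich's posts describe, as an added example that is not part of the thread or any poster's code. It reads only the `Received` line stamped by the recipient's own mail server (lines below that hop can be fabricated by the sender), compares that IP with a suspect range, and lists directly executable attachments such as `.pif`. The sample message, the hostnames, the last octet of the address and the reading of "200.64.130.xxx" as a /24 are all constructed assumptions.

```python
import email, ipaddress, re
from email import policy

# Constructed sample: forged From, a fabricated lower Received line, a .pif attachment.
RAW = """\
Received: from dial.example.net (unknown [200.64.130.25])
\tby mx.recipient.example with SMTP id CONSTRUCTED1; Wed, 7 Apr 2004 09:55:01 +0100
Received: from mail.animationmaster.com ([192.0.2.10])
\tby relay.invalid; Wed, 7 Apr 2004 09:54:00 +0100
From: list-member@animationmaster.com
To: someone@recipient.example
Subject: Re: Old Photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attachment.
--b1
Content-Type: application/octet-stream; name="photos.pif"
Content-Disposition: attachment; filename="photos.pif"

AAAA
--b1--
"""

HOP = re.compile(r"from\s+\S+\s+\(.*?\[([0-9.]+)\]\).*?\bby\s+([\w.-]+)", re.S)
RISKY = (".pif", ".scr", ".exe", ".com", ".bat")  # directly executable on Windows

def origin_ip(msg, trusted_mx):
    """IP logged by our own MX; Received lines below that hop can be fabricated."""
    for hop in msg.get_all("Received", []):
        m = HOP.search(str(hop))
        if m and m.group(2).lower() == trusted_mx:
            return ipaddress.ip_address(m.group(1))
    return None

def triage(raw, trusted_mx, suspect_net):
    msg = email.message_from_string(raw, policy=policy.default)
    ip = origin_ip(msg, trusted_mx)
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return {
        "claimed_from": msg["From"].addresses[0].domain,
        "origin_ip": str(ip) if ip else None,
        "in_suspect_net": bool(ip and ip in ipaddress.ip_network(suspect_net)),
        "risky_attachments": [n for n in names if n.lower().endswith(RISKY)],
    }
```

Calling `triage(RAW, "mx.recipient.example", "200.64.130.0/24")` shows the claimed sender domain next to the connecting IP, which is the mismatch the thread is discussing.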