Clusterheadaches.com Message Board (http://www.clusterheadaches.com/cgi-bin/yabb/YaBB.cgi)
New Message Board Archives >> Oct-Dec 2003 >> Trojan Report
(Message started by: Mark C on Oct 27th, 2003, 12:25am)

Title: Trojan Report
Post by Mark C on Oct 27th, 2003, 12:25am
I believe someone has a Trojan and is spoofing addresses. I have received 5 e-mails today alone. The info I have is the following.....

Number 1....

The original message was received at Sun, 26 Oct 2003 09:52:36 -0500 (EST)
from sccrmhc13.comcast.net [204.127.202.64]

----- The following addresses had permanent fatal errors -----
<sweetlouisianne1@aol.com>

  ----- Transcript of session follows -----
... while talking to air-zd04.mail.aol.com.:
>>> DATA
<<< 554 TRANSACTION FAILED - Unrepairable Virus Detected. Your mail has not been
sent.
554 <sweetlouisianne1@aol.com>... Service unavailable

Number 2....

The original message was received at Sun, 26 Oct 2003 09:52:49 -0500 (EST)
from sccrmhc11.comcast.net [204.127.202.55]
  ----- The following addresses had permanent fatal errors -----
<wispysmoke@aol.com>

  ----- Transcript of session follows -----
... while talking to air-xm02.mail.aol.com.:
>>> DATA
<<< 554 TRANSACTION FAILED - Unrepairable Virus Detected. Your mail has not been
sent.
554 <wispysmoke@aol.com>... Service unavailable


Number 3....

The original message was received at Sun, 26 Oct 2003 11:44:08 -0500 (EST)
from rwcrmhc11.comcast.net [204.127.198.35]
  ----- The following addresses had permanent fatal errors -----
<wispysmoke@aol.com>

  ----- Transcript of session follows -----
... while talking to air-xb02.mail.aol.com.:
>>> DATA
<<< 554 TRANSACTION FAILED - Unrepairable Virus Detected. Your mail has not been
sent.
554 <wispysmoke@aol.com>... Service unavailable


Number 4...

The original message was received at Sun, 26 Oct 2003 11:43:46 -0500 (EST)
from rwcrmhc13.comcast.net [204.127.198.39
 ----- The following addresses had permanent fatal errors -----
<sweetlouisianne1@aol.com>

  ----- Transcript of session follows -----
... while talking to air-xm01.mail.aol.com.:
>>> DATA
<<< 554 TRANSACTION FAILED - Unrepairable Virus Detected. Your mail has not been
sent.
554 <sweetlouisianne1@aol.com>... Service unavailable


Number 5.....

The original message was received at Sun, 26 Oct 2003 11:45:19 -0500 (EST)
from rwcrmhc12.comcast.net [216.148.227.85]
  ----- The following addresses had permanent fatal errors -----
<vwautohaus@aol.com>

  ----- Transcript of session follows -----
... while talking to air-xl03.mail.aol.com.:
>>> DATA
<<< 554 TRANSACTION FAILED - Unrepairable Virus Detected. Your mail has not been
sent.
554 <vwautohaus@aol.com>... Service unavailable


Y'all check your stuff...someone we know is infected...be careful.

Latest Virus Threats (http://www.symantec.com/avcenter/vinfodb.html)

Happy surfing,
http://www.drfeller.com/Mark/mark.gif

Title: Re: Trojan Report
Post by ClusterChuck on Oct 27th, 2003, 1:51am
Something like this happened to me on my  old AOL account.  When I contacted AOL, they told me that someone is using my name, and then sending out garbage mail in my name.  I even got some nasty emails back from some people that were demanding that I never send that crap to them again!

I was told to change my password, and ignore it.  I did, and it has not happened again.

Chuck

Title: Re: Trojan Report
Post by Opus on Oct 27th, 2003, 2:24am
hmmm.....

If you are receiving the rejection notices and your address isn't the spoofed sender then what is the daemon going off of? Check the properties and see what the IP is of the mail and see if the configuration matches your own, if it does then you know what....

Opus/Paul

Title: Re: Trojan Report
Post by Mark C on Oct 27th, 2003, 2:32am
Thanks guys,
Paul I received a couple of these last week and just blew them off. I have a better header tracer proggie at the house and I will delve a little deeper into this. I am almost certain it is not coming from my home machine, it's so secure I can't even use it!  ;;D

See ya,
Mark

Title: Re: Trojan Report
Post by Svenn on Oct 27th, 2003, 5:10am
Well folks, JUST HOPE YOU ALL KNOW WHAT TO DO NOW,
that means:  DO NOT OPEN ANY ATTACHMENT


UPDATE ANY AV&FW AND TROJAN-SNIFFERS YOU MIGHT USE


Svenn

Title: Re: Trojan Report
Post by Kirk on Oct 27th, 2003, 5:14am
Getting the mail server name from the headers would be a good idea.

TTFN

Kirk

PS I didn't do it.

Title: Re: Trojan Report
Post by nancyc on Oct 27th, 2003, 11:25am
I had this happen to me too about a few months ago..AOL shut me down for several hours...AOL said someone at my house had gone in a site they were not supposed to and got a virus and a bunch of emails were sent out from my computer...I just had my computer wiped clean...Now, I have a firewall, spyware and the whole internet security system. :D nancyc

Title: Re: Trojan Report
Post by Mark C on Oct 27th, 2003, 10:35pm
The saga continues...I ran the origin URL (at least I think it's the origin URL) through a traceroute and came up with the attached from each URL. Do you think they are genuine and should I report this to their abuse department? I doubt they care or already know....anyway here is what I came up with.

204.127.202.64 (http://www.drfeller.com/Mark/01.txt)
204.127.202.55 (http://www.drfeller.com/Mark/02.txt)
204.127.198.35 (http://www.drfeller.com/Mark/03.txt)
204.127.198.39 (http://www.drfeller.com/Mark/04.txt)
216.148.227.85 (http://www.drfeller.com/Mark/05.txt)


The reports are kinda lengthy but if you guys get a chance take a look and tell me what you think.

PFDAN's
http://www.drfeller.com/Mark/mark.gif

Title: Re: Trojan Report
Post by brain_cramps on Oct 27th, 2003, 11:43pm
While we're at it, here's another one...

<<
SOBER WORM PRETENDS TO BE VIRUS FIX

SearchSecurity.com
A new mass-mailing worm is in the wild, spreading via some old techniques. Sober-A does have a couple of new twists, including a flair for German.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci933663,00.html?track=NL-102

http://tinyurl.com/smyo
>>



Title: Re: Trojan Report
Post by Opus on Oct 28th, 2003, 8:04am
Mark,
  If it were me I would send them 1 original email as an attachment or send the properties of one email and tell them there are more. It looks like someone is using your IP # to send spam (some antispam/virus programs see them as the same thing and send them back to the sender) but in actuality you are just getting the returned mail you never sent.  There shouldn't be any harm in sending it and if the e-mails have stopped the spammers probably have moved on to another address. To see how URLs can be spoofed check this out.

http://www.pc-help.org/obscure.htm

Of course this is just my opinion,

Opus/Paul
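
Added example (not from anyone in this thread): a small Python parser for the sendmail-style bounce reports Mark posted, which does the check Opus suggests in both of his replies. It pulls out the relay host/IP that handed the message in, the rejected recipient and the SMTP reply, then groups bounces by relay IP and compares that against a set of IPs you know are yours (the `own_ips` value below is a constructed placeholder, not anyone's real address). The embedded sample is the first bounce quoted in this thread.

```python
import re
from collections import Counter

# First bounce quoted in the thread, embedded here as sample input.
SAMPLE_BOUNCE = """\
The original message was received at Sun, 26 Oct 2003 09:52:36 -0500 (EST)
from sccrmhc13.comcast.net [204.127.202.64]

----- The following addresses had permanent fatal errors -----
<sweetlouisianne1@aol.com>

  ----- Transcript of session follows -----
... while talking to air-zd04.mail.aol.com.:
>>> DATA
<<< 554 TRANSACTION FAILED - Unrepairable Virus Detected. Your mail has not been
sent.
554 <sweetlouisianne1@aol.com>... Service unavailable
"""

RECEIVED_RE = re.compile(r"^The original message was received at (.+)$", re.M)
# The closing bracket is optional: bounce #4 in the thread was pasted without it.
RELAY_RE = re.compile(r"^from (\S+) \[(\d{1,3}(?:\.\d{1,3}){3})\]?", re.M)
RCPT_RE = re.compile(r"^<([^>]+)>$", re.M)
STATUS_RE = re.compile(r"^<<< (\d{3}) (.+)$", re.M)

def parse_bounce(text):
    """Extract the injecting relay, rejected recipient and SMTP reply from one bounce."""
    received = RECEIVED_RE.search(text)
    relay = RELAY_RE.search(text)
    rcpt = RCPT_RE.search(text)
    status = STATUS_RE.search(text)
    return {
        "received_at": received.group(1).strip() if received else None,
        "relay_host": relay.group(1) if relay else None,
        "relay_ip": relay.group(2) if relay else None,
        "recipient": rcpt.group(1) if rcpt else None,
        "smtp_code": int(status.group(1)) if status else None,
        "reason": status.group(2).strip() if status else None,
    }

def classify(bounces, own_ips):
    """Group bounces by relay IP. A relay you do not own means the sender address
    was forged elsewhere and you are only receiving backscatter."""
    by_ip = Counter(b["relay_ip"] for b in bounces if b["relay_ip"])
    return {ip: ("matches-own-relay" if ip in own_ips else "backscatter-likely")
            for ip in by_ip}
```

Note that the `from host [ip]` line names the mail relay that handed the message to AOL, so on a shared ISP smarthost a match only says the mail entered through the same provider, not that it left your machine; the `Received:` headers of the original message, when the bounce includes them, are needed to go further.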