Re: [expert] Did someone else get this also?????
On Friday 05 Sep 2003 1:05 am, Charlie wrote:
> IIRC also doesn't infect win98 and Millennium boxes. [or is there just no patch for these from M$ because they no longer support those O/S's?]

As I understand it, it uses a 'feature' introduced into NT and present in all related versions :-)

Anne
--
Registered Linux User No.293302
Have you visited http://twiki.mdklinuxfaq.org yet?

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] Did someone else get this also?????
On Thursday 04 September 2003 07:58 pm, Charlie wrote:
> On Thu, 4 Sep 2003 11:00 pm, many eyes noted that Mark Belanger wrote:
> > On Thu, 4 Sep 2003 20:36:42 +1000 Charlie [EMAIL PROTECTED] wrote:
> > > [expert] Re: Approved
> > > From: [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]
> > >
> > > See the attached file for details
> > >
> > > Inserted here was:- thank_you.pif
> > >
> > > I suppose it was quite harmless but naturally it went in the bin.
> >
> > It is probably not harmless
> > .pif is some sort of MS executable format.
> >
> > -Mark
>
> Certainly the ToBig virus came through in .pif attachments.

Hey, I propose that we change the naming convention on viruses/worms to more accurately reflect their nature. SoBig.F becomes WinSoBig.F, Blaster becomes WinBlaster. MS is quick to take credit for the large variety of applications available for the platform, they should take credit for ALL applications available for the platform.

--
Bryan Phinney
Software Test Engineer
Re: [expert] Did someone else get this also?????
On Fri, 2003-09-05 at 07:34, Bryan Phinney wrote:
> On Thursday 04 September 2003 07:58 pm, Charlie wrote:
> > On Thu, 4 Sep 2003 11:00 pm, many eyes noted that Mark Belanger wrote:
> > > On Thu, 4 Sep 2003 20:36:42 +1000 Charlie [EMAIL PROTECTED] wrote:
> > > > [expert] Re: Approved
> > > > From: [EMAIL PROTECTED]
> > > > To: [EMAIL PROTECTED]
> > > >
> > > > See the attached file for details
> > > >
> > > > Inserted here was:- thank_you.pif
> > > >
> > > > I suppose it was quite harmless but naturally it went in the bin.
> > >
> > > It is probably not harmless
> > > .pif is some sort of MS executable format.
> > >
> > > -Mark
> >
> > Certainly the ToBig virus came through in .pif attachments.
>
> Hey, I propose that we change the naming convention on viruses/worms to more accurately reflect their nature. SoBig.F becomes WinSoBig.F, Blaster becomes WinBlaster. MS is quick to take credit for the large variety of applications available for the platform, they should take credit for ALL applications available for the platform.

the papers here are calling blaster MSblaster

--
++ Mandrake HowTo's More: http://twiki.mdklinuxfaq.org
[expert] Did someone else get this also?????
[expert] Re: Approved
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

See the attached file for details

Inserted here was:- thank_you.pif

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com

I suppose it was quite harmless but naturally it went in the bin.

The source was:-

Return-Path: [EMAIL PROTECTED]
Received: from mta03bw.bigpond.com ([192.168.115.88]) by mailms4aps.email.bigpond.com (Netscape Messaging Server 4.15 mailms4aps Apr 29 2002 13:22:02) with ESMTP id HKOIRJ01.GAY for [EMAIL PROTECTED]; Thu, 4 Sep 2003 17:42:55 +1000
Received: from tbf-daemon.mta03bw.email.bigpond.com by mta03bw.email.bigpond.com (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18 2003)) id [EMAIL PROTECTED] for [EMAIL PROTECTED] (ORCPT [EMAIL PROTECTED]); Thu, 04 Sep 2003 17:42:55 +1000 (EST)
Received: from smtp.mandrake.org ([144.135.24.87]) by mta03bw.email.bigpond.com (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18 2003)) with SMTP id [EMAIL PROTECTED]; Thu, 04 Sep 2003 17:42:54 +1000 (EST)
Received: from smtp.mandrake.org ([212.43.244.24]) by bwmam07.bigpond.com(MAM REL_3_3_2d 56/16228274); Thu, 04 Sep 2003 17:42:51 +
Received: from smtp.mandrax.org (smtp.mandrax.org [80.67.180.169]) by smtp.mandrake.org (Postfix) with ESMTP id 2B5FC4A9122; Thu, 04 Sep 2003 09:49:54 +0200
Received: by smtp.mandrax.org (Postfix, from userid 500)id B0FA256A08; Thu, 04 Sep 2003 03:54:44 +0200
Received: from KRIS (ca-dibar-cuda1-c1d-204.anhmca.adelphia.net [24.48.211.204]) by smtp.mandrax.org (Postfix) with ESMTP id C8D4556A1D for [EMAIL PROTECTED]; Thu, 04 Sep 2003 03:53:10 +0200
Date: Thu, 04 Sep 2003 00:38:50 +0700
From: [EMAIL PROTECTED]
Subject: [expert] Re: Approved
Sender: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Reply-to: [EMAIL PROTECTED]
Message-id: [EMAIL PROTECTED]
MIME-version: 1.0
X-Mailer: Microsoft Outlook Express 6.00.2600.
Content-type: multipart/mixed; boundary=_NextPart_000_00309D6F
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Precedence: list
X-Loop: expert@
Delivered-to: [EMAIL PROTECTED]
X-Mailscanner: Found to be clean
X-Sequence: 1040
X-Validation-BY: [EMAIL PROTECTED]
Status: R
X-Status: N
X-KMail-EncryptionState:
X-KMail-SignatureState:

This is a multipart message in MIME format

--_NextPart_000_00309D6F
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

See the attached file for details

--_NextPart_000_00309D6F
Content-Type: application/octet-stream; name=thank_you.pif
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=thank_you.pif

--
I am not afraid of storms, because I am learning to sail my ship. Louise May Alcot.
This email is guaranteed to be wholly Linux Mandrake 9.1, Kmail v1.5 and OpenOffice.org1Beta
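
An added example, not part of the original post: a gateway-style check in Python that walks the MIME parts of a message shaped like the one above and rejects on the attachment's file extension, without consulting the X-Mailscanner header. The extension list, the sender address and the placeholder payload are constructed for the illustration.

```python
import base64
from email import message_from_string

# Assumption: extensions a mail gateway refuses outright; extend to taste.
BLOCKED_EXT = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".lnk"}


def build_sample(filename):
    """Constructed message modelled on the MIME structure quoted in the post.
    The payload is harmless placeholder bytes, not the original attachment."""
    payload = base64.b64encode(b"placeholder, not the original attachment").decode()
    return "\n".join([
        "From: sender@example.invalid",
        "Subject: [expert] Re: Approved",
        "MIME-Version: 1.0",
        "X-Mailscanner: Found to be clean",
        'Content-Type: multipart/mixed; boundary="_NextPart_000_00309D6F"',
        "",
        "This is a multipart message in MIME format",
        "--_NextPart_000_00309D6F",
        "Content-Type: text/plain; charset=iso-8859-1",
        "Content-Transfer-Encoding: 7bit",
        "",
        "See the attached file for details",
        "--_NextPart_000_00309D6F",
        f'Content-Type: application/octet-stream; name="{filename}"',
        "Content-Transfer-Encoding: base64",
        f'Content-Disposition: attachment; filename="{filename}"',
        "",
        payload,
        "--_NextPart_000_00309D6F--",
        "",
    ])


def blocked_attachments(raw):
    """Return the attachment names whose final extension is on the blocklist."""
    hits = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename=, then falls back
        # to Content-Type name=, so a name hidden in either header is seen.
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so strip them before
        # looking at the last extension ("report.txt.pif" is still a .pif).
        cleaned = name.strip().rstrip(". ").lower()
        ext = "." + cleaned.rsplit(".", 1)[-1] if "." in cleaned else ""
        if ext in BLOCKED_EXT:
            hits.append(name)
    return hits


def gateway_verdict(raw):
    """Decide from the MIME structure alone. Header claims such as
    'X-Mailscanner: Found to be clean' are deliberately not consulted."""
    return "reject" if blocked_attachments(raw) else "accept"


if __name__ == "__main__":
    print(gateway_verdict(build_sample("thank_you.pif")))
```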
Re: [expert] Did someone else get this also?????
On Thursday 04 Sep 2003 11:36 am, Charlie wrote:
> I suppose it was quite harmless but naturally it went in the bin.

Yes - I got one for both the expert and the newbie list. I sent this to the newbie list when it was the first to arrive:

Looking at the headers, I'm confused. I was looking for something that could categorically say that it had come from the Mandrake lists. This is what I found:

X-POPFile-TimeoutPrevention: 0
Return-Path: [EMAIL PROTECTED]
Received: from smtp.mandrake.org (212.43.244.24) by mk-cpfrontend.uk.tiscali.com (6.7.018) id 3F547F72003A439B for [EMAIL PROTECTED]; Thu, 4 Sep 2003 09:10:51 +0100
Received: from smtp.mandrax.org (smtp.mandrax.org [80.67.180.169]) by smtp.mandrake.org (Postfix) with ESMTP id 940C94A916C; Thu, 4 Sep 2003 10:17:58 +0200 (CEST)
Received: by smtp.mandrax.org (Postfix, from userid 500) id 78D7956A07; Thu, 4 Sep 2003 04:25:21 +0200 (CEST)
Delivered-To: [EMAIL PROTECTED]
Received: from TOSHIBA-LT (adsl-67-122-222-126.dsl.snfc21.pacbell.net [67.122.222.126]) by smtp.mandrax.org (Postfix) with ESMTP id A01C456A09 for [EMAIL PROTECTED]; Thu, 4 Sep 2003 04:23:47 +0200 (CEST)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Thu, 4 Sep 2003 1:09:24 --0700
X-Mailscanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-Msmail-Priority: Normal
X-Priority: 3 (Normal)
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=_NextPart_000_01DAA9DE
Message-Id: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
X-Loop: newbie@
X-Sequence: 1536
Precedence: list
X-Validation-BY: [EMAIL PROTECTED]
Subject: [newbie] Re: Your application
Sender: [EMAIL PROTECTED]
X-Text-Classification: ham
Status: R
X-Status: N
X-KMail-EncryptionState:
X-KMail-SignatureState:

Could someone more experienced look it over for me. Is it really coming in as a false list email, as I first thought, or is it a virused list member affecting us all?

I was concerned that it really looked as though it had come through the Mandrake list. What do you think?

Anne
--
Registered Linux User No.293302
Have you visited http://twiki.mdklinuxfaq.org yet?
Re: [expert] Did someone else get this also?????
On Thursday 04 September 2003 06:43 am, Anne Wilson wrote:
> On Thursday 04 Sep 2003 11:36 am, Charlie wrote:
> > I suppose it was quite harmless but naturally it went in the bin.
>
> Yes - I got one for both the expert and the newbie list. I sent this to the newbie list when it was the first to arrive:
>
> Looking at the headers, I'm confused. I was looking for something that could categorically say that it had come from the Mandrake lists. This is what I found:
>
> ...snipped
> Received: from smtp.mandrake.org (212.43.244.24) by mk-cpfrontend.uk.tiscali.com (6.7.018) id 3F547F72003A439B for [EMAIL PROTECTED]; Thu, 4 Sep 2003 09:10:51 +0100
> ...snipped.
>
> Could someone more experienced look it over for me. Is it really coming in as a false list email, as I first thought, or is it a virused list member affecting us all?
>
> I was concerned that it really looked as though it had come through the Mandrake list. What do you think?

From what I can tell, this did come from the Mandrake list. First received header indicates the IP originating:

whois 212.43.244.24
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 212.43.244.16 - 212.43.244.31
netname: MANDRAKESOFT-NETS
descr: Mandrakesoft
country: FR
admin-c: DC4946-RIPE
tech-c: CFH1-RIPE
rev-srv: ns3.fr.clara.net
rev-srv: ns4.fr.clara.net
status: ASSIGNED PA
notify: [EMAIL PROTECTED]
mnt-by: AS8975-MNT
changed: [EMAIL PROTECTED] 20010614
source: RIPE

Following the headers further down the chain, if they are to be believed would seem to indicate the origination was a pacbell DSL modem (67.122.222.126) which does belong to Pacbell so is probably accurate. If anyone on the list is using a pacbell DSL modem and has Windows machines attached, you may want to check your machine for infection.

I, however, did not receive this original message, so I suspect that it was either not sent to the list or my virus scanning stuff is working well enough that it was trashed before it got to my inbox.

--
Bryan Phinney
Software Test Engineer
Re: [expert] Did someone else get this also?????
On Thu, 4 Sep 2003 20:36:42 +1000 Charlie [EMAIL PROTECTED] wrote:
> [expert] Re: Approved
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
>
> See the attached file for details
>
> Inserted here was:- thank_you.pif
>
> I suppose it was quite harmless but naturally it went in the bin.

It is probably not harmless
.pif is some sort of MS executable format.

-Mark

--
Mark Belanger
LTX Corporation
Re: [expert] Did someone else get this also?????
On Thursday 04 September 2003 06:28 am, Bryan Phinney wrote:
> On Thursday 04 September 2003 06:43 am, Anne Wilson wrote:
> > On Thursday 04 Sep 2003 11:36 am, Charlie wrote:
> > > I suppose it was quite harmless but naturally it went in the bin.
> >
> > Yes - I got one for both the expert and the newbie list. I sent this to the newbie list when it was the first to arrive:
> >
> > Looking at the headers, I'm confused. I was looking for something that could categorically say that it had come from the Mandrake lists. This is what I found:
> >
> > ...snipped
> > Received: from smtp.mandrake.org (212.43.244.24) by mk-cpfrontend.uk.tiscali.com (6.7.018) id 3F547F72003A439B for [EMAIL PROTECTED]; Thu, 4 Sep 2003 09:10:51 +0100
> > ...snipped.
> >
> > Could someone more experienced look it over for me. Is it really coming in as a false list email, as I first thought, or is it a virused list member affecting us all?
> >
> > I was concerned that it really looked as though it had come through the Mandrake list. What do you think?
>
> From what I can tell, this did come from the Mandrake list. First received header indicates the IP originating:
>
> whois 212.43.244.24
> % This is the RIPE Whois server.
> % The objects are in RPSL format.
> %
> % Rights restricted by copyright.
> % See http://www.ripe.net/ripencc/pub-services/db/copyright.html
>
> inetnum: 212.43.244.16 - 212.43.244.31
> netname: MANDRAKESOFT-NETS
> descr: Mandrakesoft
> country: FR
> admin-c: DC4946-RIPE
> tech-c: CFH1-RIPE
> rev-srv: ns3.fr.clara.net
> rev-srv: ns4.fr.clara.net
> status: ASSIGNED PA
> notify: [EMAIL PROTECTED]
> mnt-by: AS8975-MNT
> changed: [EMAIL PROTECTED] 20010614
> source: RIPE
>
> Following the headers further down the chain, if they are to be believed would seem to indicate the origination was a pacbell DSL modem (67.122.222.126) which does belong to Pacbell so is probably accurate. If anyone on the list is using a pacbell DSL modem and has Windows machines attached, you may want to check your machine for infection.
>
> I, however, did not receive this original message, so I suspect that it was either not sent to the list or my virus scanning stuff is working well enough that it was trashed before it got to my inbox.

Where did you get the 67.x.y.z. address from? To me the originator looks like being from adelphia.net:

Received: from KRIS (ca-dibar-cuda1-c1d-204.anhmca.adelphia.net [24.48.211.204]) by smtp.mandrax.org (Postfix) with ESMTP id C8D4556A1D for [EMAIL PROTECTED]; Thu, 04 Sep 2003 03:53:10 +0200

host 80.67.180.169 (getting name) no name
24.48.211.204 is not an MX for ca-dibar-cuda1-c1d-204.anhmca.adelphia.net
host ca-dibar-cuda1-c1d-204.anhmca.adelphia.net (checking ip) = 24.48.211.204
Re: [expert] Did someone else get this also?????
Man I was getting a ton of those from addresses I don't even know. It could be either W32.Elkern or the W32.Klez.E virus spreading again! I had to actually block the email server that was sending out these emails with my firewall.

On Star Date Thursday 04 September 2003 06:00 am, Mark Belanger sent this sub-space message.
> On Thu, 4 Sep 2003 20:36:42 +1000 Charlie [EMAIL PROTECTED] wrote:
> > [expert] Re: Approved
> > From: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> >
> > See the attached file for details
> >
> > Inserted here was:- thank_you.pif
> >
> > I suppose it was quite harmless but naturally it went in the bin.
>
> It is probably not harmless
> .pif is some sort of MS executable format.
>
> -Mark
Re: [expert] Did someone else get this also?????
On Thursday 04 September 2003 08:55 am, stefmit wrote:
> > Following the headers further down the chain, if they are to be believed would seem to indicate the origination was a pacbell DSL modem (67.122.222.126) which does belong to Pacbell so is probably accurate. If anyone on the list is using a pacbell DSL modem and has Windows machines attached, you may want to check your machine for infection.
> >
> > I, however, did not receive this original message, so I suspect that it was either not sent to the list or my virus scanning stuff is working well enough that it was trashed before it got to my inbox.
>
> Where did you get the 67.x.y.z. address from? To me the originator looks like being from adelphia.net:
>
> Received: from KRIS (ca-dibar-cuda1-c1d-204.anhmca.adelphia.net [24.48.211.204]) by smtp.mandrax.org (Postfix) with ESMTP id C8D4556A1D for [EMAIL PROTECTED]; Thu, 04 Sep 2003 03:53:10 +0200
>
> host 80.67.180.169 (getting name) no name
> 24.48.211.204 is not an MX for ca-dibar-cuda1-c1d-204.anhmca.adelphia.net
> host ca-dibar-cuda1-c1d-204.anhmca.adelphia.net (checking ip) = 24.48.211.204

As I stated, I did not receive the original. The 67. address was in the original headers posted by Anne who was asking for some assistance in figuring out if the message was actually forwarded through the Mandrake mailing list.

The complete chain of headers that she posted is here:

Return-Path: [EMAIL PROTECTED]
Received: from smtp.mandrake.org (212.43.244.24) by mk-cpfrontend.uk.tiscali.com (6.7.018) id 3F547F72003A439B for [EMAIL PROTECTED]; Thu, 4 Sep 2003 09:10:51 +0100
Received: from smtp.mandrax.org (smtp.mandrax.org [80.67.180.169]) by smtp.mandrake.org (Postfix) with ESMTP id 940C94A916C; Thu, 4 Sep 2003 10:17:58 +0200 (CEST)
Received: by smtp.mandrax.org (Postfix, from userid 500) id 78D7956A07; Thu, 4 Sep 2003 04:25:21 +0200 (CEST)
Delivered-To: [EMAIL PROTECTED]
Received: from TOSHIBA-LT (adsl-67-122-222-126.dsl.snfc21.pacbell.net [67.122.222.126]) by smtp.mandrax.org (Postfix) with ESMTP id A01C456A09 for [EMAIL PROTECTED]; Thu, 4 Sep 2003 04:23:47 +0200 (CEST)

Note the last header on the chain, the one that was sending to smtp.mandrax.org.

--
Bryan Phinney
Software Test Engineer
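
The header walk discussed in this thread, as an added Python example that is not part of any poster's message: it reads the Received chain Anne posted from the top down and stops at the first peer that is not a known relay, ignoring everything below that point. Treating the recipient's MX and the two list hosts as trusted, and their IPs as the known relay addresses, is an assumption made for the illustration.

```python
import re
from email import message_from_string

# Received chain as posted in the thread (addresses redacted by the archive).
POSTED_HEADERS = """\
Return-Path: [EMAIL PROTECTED]
Received: from smtp.mandrake.org (212.43.244.24)
 by mk-cpfrontend.uk.tiscali.com (6.7.018) id 3F547F72003A439B
 for [EMAIL PROTECTED]; Thu, 4 Sep 2003 09:10:51 +0100
Received: from smtp.mandrax.org (smtp.mandrax.org [80.67.180.169])
 by smtp.mandrake.org (Postfix) with ESMTP id 940C94A916C;
 Thu, 4 Sep 2003 10:17:58 +0200 (CEST)
Received: by smtp.mandrax.org (Postfix, from userid 500) id 78D7956A07;
 Thu, 4 Sep 2003 04:25:21 +0200 (CEST)
Delivered-To: [EMAIL PROTECTED]
Received: from TOSHIBA-LT (adsl-67-122-222-126.dsl.snfc21.pacbell.net
 [67.122.222.126]) by smtp.mandrax.org (Postfix) with ESMTP id A01C456A09
 for [EMAIL PROTECTED]; Thu, 4 Sep 2003 04:23:47 +0200 (CEST)

"""

# Assumption: hosts whose own Received lines the reader trusts (recipient's MX
# plus the two list hosts named in the thread) and the IPs seen for the relays.
TRUSTED_BY = {"mk-cpfrontend.uk.tiscali.com", "smtp.mandrake.org", "smtp.mandrax.org"}
RELAY_IPS = {"212.43.244.24", "80.67.180.169"}

HOP = re.compile(r"^(?:from\s+(?P<helo>\S+)\s+\((?P<peer>[^)]*)\)\s+)?by\s+(?P<by>[^\s;]+)")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_hops(raw_headers):
    """Return Received hops, newest first, as dicts of helo / peer_ip / by."""
    hops = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        m = HOP.match(" ".join(value.split()))  # unfold continuation lines
        if not m:
            # Unparseable hop: record it with no 'by' so the walk fails closed.
            hops.append({"helo": None, "peer_ip": None, "by": None})
            continue
        ip = IPV4.search(m["peer"] or "")
        hops.append({"helo": m["helo"], "peer_ip": ip.group() if ip else None, "by": m["by"]})
    return hops


def first_external_peer(hops):
    """Walk down from the recipient's MX and return the first hop whose peer is
    not a known relay. The peer IP was recorded by a trusted host; the HELO
    name and every header below this hop were supplied by the sender."""
    for hop in hops:
        if hop["by"] not in TRUSTED_BY:
            return None  # chain left the trust boundary without a verdict
        if hop["helo"] is None or hop["peer_ip"] in RELAY_IPS:
            continue  # local pickup, or a hand-off between known relays
        return hop
    return None


if __name__ == "__main__":
    origin = first_external_peer(parse_hops(POSTED_HEADERS))
    print("injected at", origin["by"], "from", origin["peer_ip"], "HELO", origin["helo"])
```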
Re: [expert] Did someone else get this also?????
> > Following the headers further down the chain, if they are to be believed would seem to indicate the origination was a pacbell DSL modem (67.122.222.126) which does belong to Pacbell so is probably accurate. If anyone on the list is using a pacbell DSL modem and has Windows machines attached, you may want to check your machine for infection.
>
> Where did you get the 67.x.y.z. address from? To me the originator looks like being from adelphia.net:

There were at least 2 of these today:

1. Received: from KRIS (ca-dibar-cuda1-c1d-204.anhmca.adelphia.net [24.48.211.204])
2. Received: from TOSHIBA-LT (adsl-67-122-222-126.dsl.snfc21.pacbell.net [67.122.222.126])

--
Mandrake HowTo's More: http://twiki.mdklinuxfaq.org
Join the organization discussion: http://mandrake.vmlinuz.ca/bin/view/Main/NewIndex
Re: [expert] Did someone else get this also?????
On Thursday 04 Sep 2003 2:00 pm, Mark Belanger wrote:
> On Thu, 4 Sep 2003 20:36:42 +1000 Charlie [EMAIL PROTECTED] wrote:
> > [expert] Re: Approved
> > From: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> >
> > See the attached file for details
> >
> > Inserted here was:- thank_you.pif
> >
> > I suppose it was quite harmless but naturally it went in the bin.
>
> It is probably not harmless
> .pif is some sort of MS executable format.
>
> -Mark

Program Information File, iirc. Harmless to linux boxes, but not to those who read their mail on windows boxes.

Anne
--
Registered Linux User No.293302
Have you visited http://twiki.mdklinuxfaq.org yet?
Re: [expert] Did someone else get this also?????
On Thu, 2003-09-04 at 06:25, Bill wrote:
> Man I was getting a ton of those from addresses I don't even know. It could be either W32.Elkern or the W32.Klez.E virus spreading again! I had to actually block the email server that was sending out these emails with my firewall.
>
> On Star Date Thursday 04 September 2003 06:00 am, Mark Belanger sent this sub-space message.
> > On Thu, 4 Sep 2003 20:36:42 +1000 Charlie [EMAIL PROTECTED] wrote:
> > > [expert] Re: Approved
> > > From: [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]
> > >
> > > See the attached file for details
> > >
> > > Inserted here was:- thank_you.pif
> > >
> > > I suppose it was quite harmless but naturally it went in the bin.
> >
> > It is probably not harmless
> > .pif is some sort of MS executable format.
> >
> > -Mark

The part I liked in the header was where the hotmail servers said that it passed a virus filter.

X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Precedence: list
X-Loop: expert@
Delivered-to: [EMAIL PROTECTED]
X-Mailscanner: Found to be clean
X-Sequence: 1040
X-Validation-BY: [EMAIL PROTECTED]

James
Re: [expert] Did someone else get this also?????
On Thu, 4 Sep 2003 08:17:52 -0700 Eric Huff [EMAIL PROTECTED] wrote:
> > > Following the headers further down the chain, if they are to be believed would seem to indicate the origination was a pacbell DSL modem (67.122.222.126) which does belong to Pacbell so is probably accurate. If anyone on the list is using a pacbell DSL modem and has Windows machines attached, you may want to check your machine for infection.
> >
> > Where did you get the 67.x.y.z. address from? To me the originator looks like being from adelphia.net:
>
> There were at least 2 of these today:
>
> 1. Received: from KRIS (ca-dibar-cuda1-c1d-204.anhmca.adelphia.net [24.48.211.204])
> 2. Received: from TOSHIBA-LT (adsl-67-122-222-126.dsl.snfc21.pacbell.net [67.122.222.126])

Classic W32/[EMAIL PROTECTED] virus. Read about it here:

http://vil.nai.com/vil/content/v_100561.htm

--
Michael
Re: [expert] Did someone else get this also?????
On Thu, 4 Sep 2003 11:00 pm, many eyes noted that Mark Belanger wrote:
> On Thu, 4 Sep 2003 20:36:42 +1000 Charlie [EMAIL PROTECTED] wrote:
> > [expert] Re: Approved
> > From: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> >
> > See the attached file for details
> >
> > Inserted here was:- thank_you.pif
> >
> > I suppose it was quite harmless but naturally it went in the bin.
>
> It is probably not harmless
> .pif is some sort of MS executable format.
>
> -Mark

Certainly the ToBig virus came through in .pif attachments.

--
I am not afraid of storms, because I am learning to sail my ship. Louise May Alcot.
This email is guaranteed to be wholly Linux Mandrake 9.1, Kmail v1.5 and OpenOffice.org1Beta
Re: [expert] Did someone else get this also?????
On Fri, 5 Sep 2003 04:50 am, many eyes noted that Anne Wilson wrote:
> On Thursday 04 Sep 2003 2:00 pm, Mark Belanger wrote:
> > On Thu, 4 Sep 2003 20:36:42 +1000 Charlie [EMAIL PROTECTED] wrote:
> > > [expert] Re: Approved
> > > From: [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]
> > >
> > > See the attached file for details
> > >
> > > Inserted here was:- thank_you.pif
> > >
> > > I suppose it was quite harmless but naturally it went in the bin.
> >
> > It is probably not harmless
> > .pif is some sort of MS executable format.
> >
> > -Mark
>
> Program Information File, iirc. Harmless to linux boxes, but not to those who read their mail on windows boxes.
>
> Anne

IIRC also doesn't infect win98 and Millennium boxes. [or is there just no patch for these from M$ because they no longer support those O/S's?]

Charlie
--
I am not afraid of storms, because I am learning to sail my ship. Louise May Alcot.
This email is guaranteed to be wholly Linux Mandrake 9.1, Kmail v1.5 and OpenOffice.org1Beta