RE: [RCSE] Virus
Finding out who the actual sender of virus code is requires a series of tracing steps. The first step is to examine the sending computer, and work backwards. We, in this field, have done this many times. Unfortunately, the infected computer is usually held by an innocent victim. I had one case, for example, where we served search warrants on a home and seized the sending computer. Once we had the sending computer the real suspect, in another county, was traced and arrested. Unfortunately, the owner of the sending computer was detained at gunpoint, his door was kicked in, and he learned a terrible lesson.

As an Internet computer user you must have up-to-date anti-virus software and a firewall system. The user has to be aware of the folders and files that are on the user's PC. Turn off your PC, or at least physically disconnect from the Internet, when your computer session is over. This user did not have any online protection. He sure does now, and literally was quoted as saying later: "Don't use the internet without anti-virus and firewall protection."

With the war on terrorism, you don't want a terrorist using your PC remotely, committing acts of war that will bring law enforcement and/or the military to your door to seize your PC. It is a documented fact that terrorists, as well as hackers, use the Internet, and they love remote control access to your PC to avoid a direct trace to them. Remote control access starts with sneaking a virus onto your PC.

Kirk Stockham, R/C Pilot
Computer Forensics Investigator/Instructor
Stockham Computer Forensics and Investigations
P.O. Box 578351
Modesto, CA 95357
(209) 521-7379 (Voice/Fax)
CA PI License #23914
www.hitechpi.net
[EMAIL PROTECTED]

-----Original Message-----
From: Michael Neverdosky [mailto:[EMAIL PROTECTED]]
Sent: Saturday, September 11, 2004 9:00 AM
Cc: [EMAIL PROTECTED]
Subject: Re: [RCSE] Virus

As you are claiming to be an expert in this area, please tell us how to tell who the ACTUAL sender is, in the case of emailed virus code.

The point is that the "sender", i.e. the address in the "FROM" field, is RARELY the actual person (computer) sending out the virus. Yes, the virus is probably sent out by a 'zombie', but the address that claims to be sending the mail is not very helpful in finding and curing the zombie.

michael

Juster wrote:
> Someone on this list said the following:
>
> >>>>>>>>>>>>>.1) Don't bother to inform the "sender" of the emails that they
> have a virus -- it is almost always the case that they are an innocent
> 3rd-party who just happens to have their address handy in some address book
> on the actual virus-infected machine.<<<<<<<<<<<<<<<<<<<
>
> If someone is sending out virus code then that someone should be told for a
> number of common sense reasons! How will they know that it is
> happening? How will the other users, the potential new victims, know? The
> sender can be the victim, and should be advised that some hacker has taken
> over their account or their PC.
>
> As an expert in this field, virus code sent via E-mail has to be taken
> seriously... Anyone who has had their PC destroyed by a virus knows how
> important this is. Virus Code makers need to go to jail and we can help
> them get there.
>
> "If you are connected to the Internet, the Internet is connected to you..."
>
> Kirk Stockham, R/C Pilot
> Computer Forensics Investigator/Instructor
> Stockham Computer Forensics and Investigations
> P.O. Box 578351
> Modesto, CA 95357
> (209) 521-7379 (Voice/Fax)
>
> CA PI License #23914
>
> www.hitechpi.net
>
> [EMAIL PROTECTED]

RCSE-List facilities provided by Model Airplane News. Send "subscribe" and "unsubscribe" requests to [EMAIL PROTECTED] Please note that subscribe and unsubscribe messages must be sent in text only format with MIME turned off.
Re: [RCSE] Virus
As you are claiming to be an expert in this area, please tell us how to tell who the ACTUAL sender is, in the case of emailed virus code.

The point is that the "sender", i.e. the address in the "FROM" field, is RARELY the actual person (computer) sending out the virus. Yes, the virus is probably sent out by a 'zombie', but the address that claims to be sending the mail is not very helpful in finding and curing the zombie.

michael

Juster wrote:
> Someone on this list said the following:
>
> >.1) Don't bother to inform the "sender" of the emails that they
> have a virus -- it is almost always the case that they are an innocent
> 3rd-party who just happens to have their address handy in some address book
> on the actual virus-infected machine.<<<
>
> If someone is sending out virus code then that someone should be told for a
> number of common sense reasons! How will they know that it is
> happening? How will the other users, the potential new victims, know? The
> sender can be the victim, and should be advised that some hacker has taken
> over their account or their PC.
>
> As an expert in this field, virus code sent via E-mail has to be taken
> seriously... Anyone who has had their PC destroyed by a virus knows how
> important this is. Virus Code makers need to go to jail and we can help
> them get there.
>
> "If you are connected to the Internet, the Internet is connected to you..."
>
> Kirk Stockham, R/C Pilot
> Computer Forensics Investigator/Instructor
> Stockham Computer Forensics and Investigations
> P.O. Box 578351
> Modesto, CA 95357
> (209) 521-7379 (Voice/Fax)
>
> CA PI License #23914
>
> www.hitechpi.net
>
> [EMAIL PROTECTED]
RE: [RCSE] Virus
Someone on this list said the following:

>.1) Don't bother to inform the "sender" of the emails that they have a virus -- it is almost always the case that they are an innocent 3rd-party who just happens to have their address handy in some address book on the actual virus-infected machine.<<<

If someone is sending out virus code then that someone should be told for a number of common sense reasons! How will they know that it is happening? How will the other users, the potential new victims, know? The sender can be the victim, and should be advised that some hacker has taken over their account or their PC.

As an expert in this field, virus code sent via E-mail has to be taken seriously... Anyone who has had their PC destroyed by a virus knows how important this is. Virus Code makers need to go to jail and we can help them get there.

"If you are connected to the Internet, the Internet is connected to you..."

Kirk Stockham, R/C Pilot
Computer Forensics Investigator/Instructor
Stockham Computer Forensics and Investigations
P.O. Box 578351
Modesto, CA 95357
(209) 521-7379 (Voice/Fax)
CA PI License #23914
www.hitechpi.net
[EMAIL PROTECTED]
Re: [RCSE] Virus
On Friday, September 10, 2004, at 11:03 PM, Sneidley-at-aol.com wrote:
> Since I have been told by a few on this list that my computer has been sending out a
> virus.

Steve -- it is likely not your machine which is sending the emails out. It usually is another virus-infected machine which has your email address in an address book and is using that in the "From" field, pretending to be from you. Viruses these days are sneaky, that way.

The virus emails are actually being sent from IP Address 67.123.228.73, which happens to be controlled by Pac Bell in the Los Angeles area.

To others on the Soaring Exchange list:

1) Don't bother to inform the "sender" of the emails that they have a virus -- it is almost always the case that they are an innocent 3rd-party who just happens to have their address handy in some address book on the actual virus-infected machine.

2) Another one of you likely *is* the one who is infected, as the email is being sent to RCSE and has Steve's address. If you live in the L.A. area and get your internet services from Pac Bell, double-check your computer for viruses.

-- Tim Olson
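The conclusion Tim reaches above (the From: line names an innocent subscriber; the real source is an address at an ISP) comes from reading the Received: headers back to the host that injected the message, and the same point is what Michael makes in the later thread when he says the FROM field is rarely the actual sender. The script below is an added example, not code from the list or from any poster: the sample message, host names and addresses in it are constructed (RFC 5737 documentation ranges), the `trusted_hosts` set is an assumption about which servers the investigator controls, and only the standard-library `email` module is used. The caveat it encodes is the one a practitioner needs: a zombie can prepend any number of fake Received: lines below the genuine ones, so only lines written *by* a server you trust are believed, and the trace stops at the first hop written by anyone else.

```python
"""Walk the Received: headers of a mail to find where it was injected,
instead of trusting the From: line that a mass-mailing worm forges."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real list message). The From: line claims to be
# Steve; the Received: chain, read bottom-up, shows a home PC handing the
# message to its ISP's mail server, which relayed it to the list server,
# which delivered it to the recipient's MX. Addresses are RFC 5737 examples.
SAMPLE_RAW = """\
Received: from lists.example.net (lists.example.net [198.51.100.7])
\tby mx.recipient.example (Postfix) with ESMTP id 1A2B3C
\tfor <member@recipient.example>; Sat, 11 Sep 2004 08:59:10 -0700
Received: from mail.isp.example (mail.isp.example [203.0.113.25])
\tby lists.example.net (Postfix) with ESMTP id 4D5E6F
\tfor <soaring@lists.example.net>; Sat, 11 Sep 2004 08:58:42 -0700
Received: from home-pc (adsl-192-0-2-44.isp.example [192.0.2.44])
\tby mail.isp.example (Postfix) with SMTP id 7A8B9C;
\tSat, 11 Sep 2004 08:58:30 -0700
From: Steve <steve@example.org>
To: soaring@lists.example.net
Subject: Hi

message body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Return the hops in transit order (origin first) as
    (claimed HELO name, connecting IP, receiving server) tuples."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value)            # unfold the header
        helo = re.search(r"\bfrom (\S+)", flat)
        ip = IP_RE.search(flat)
        by = re.search(r"\bby (\S+)", flat)
        hops.append((helo.group(1) if helo else None,
                     ip.group(1) if ip else None,
                     by.group(1) if by else None))
    # Each server prepends its line, so the top of the message is the last hop.
    hops.reverse()
    return hops


def trace(raw, trusted_hosts):
    """Compare the claimed From: address with the earliest hop we can vouch for.

    Only Received: lines written *by* a server in trusted_hosts are believed:
    a zombie can prepend any number of fake lines below the real ones, so we
    walk inward from the recipient's own server and stop at the first hop a
    non-trusted host wrote. origin_ip is the connecting address seen by the
    last trusted server, or None if no hop is trusted at all."""
    hops = received_hops(raw)
    claimed = parseaddr(message_from_string(raw).get("From", ""))[1]
    origin_ip = None
    for _helo, ip, by in reversed(hops):             # outermost hop first
        if by not in trusted_hosts:
            break
        origin_ip = ip
    return {"claimed_from": claimed, "origin_ip": origin_ip, "hops": hops}


if __name__ == "__main__":
    # Our own MX plus the list server: we can vouch for two hops, which
    # lands us at the ISP's relay, the same kind of answer Tim gave the list.
    report = trace(SAMPLE_RAW, {"mx.recipient.example", "lists.example.net"})
    print("From: header says", report["claimed_from"])
    print("last trusted hop saw", report["origin_ip"])
    for helo, ip, by in report["hops"]:
        print(f"  {helo} [{ip}] -> {by}")
```

With only the recipient's MX and the list server trusted, the answer is the ISP relay's address, which is as far as the header evidence honestly reaches; adding the ISP's own server to `trusted_hosts` (something only the ISP, or a subpoena, can justify) pushes the origin back to the subscriber line.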
RE: [RCSE] Virus
I have received the same virus from your account, however, my Norton Virus Checker and Zone Alarm Firewall stopped it. You don’t have to kill your E-mail listing. Try a few things first.

You have what is called a “tag along” virus. Someone has remote control of your PC. You are what the hackers call a ZOMBIE. When you send out E-mail, ANOTHER E-mail is sent out with a virus attachment with the goal of infecting other computers and turning them into remote controlled computers or ZOMBIES. A successful TAG ALONG virus can give a hacker control of hundreds of PC’s without the user’s knowledge. The hacker can be from another country. The hacker might even be reading this after you get this E-mail. Dear Mr. Hacker….you need to go to jail, and I know how to get you there!

Get yourself another E-mail address, like from your 7 AOL addresses that you are allowed to have, and send your new address a message from your infected E-mail address to the new one and see what happens. The test may not work since you would be sending from an AOL address to an AOL address. If you don’t have an outside E-mail get one, like from HOTMAIL or DYNAMITEMAIL.com. They are still free, and send to one of those addresses to see what happens. Those are just some of the steps I would take. Send me another one and I will look more closely at the hidden E-mail data.

On the DOWN side your PC may be so under control of someone that you may even have NEW FOLDERS on your PC that you don’t know about. You should write down your hard drive capacity and see if it changes. If you are leaving your PC on 24 hours a day…..the hacker who is controlling your PC loves that. While you are sleeping they do all kinds of things……

Since NORTON Anti-Virus software found what you sent me, I would recommend using that product to find and kill that virus code if you are lucky, and the damage is not too great. If the damage is too extensive, and your PC is too far under remote control, then save off all of your important files and documents………before you have to do the last option…..erasing your drive and starting over.

Kirk Stockham, R/C Power and Glider Pilot
Computer Forensics Investigator/Instructor
Stockham Computer Forensics and Investigations
CA PI Lic. #23914
P.O. Box 578351
Modesto, CA 95357
(209) 521-7379 (Voice/Fax)
www.hitechpi.net
[EMAIL PROTECTED]
RE: [RCSE] Virus Recieved! "Hokki=)" thru RCSE
If a virus randomly picks a From address (from the initial victim's address book or saved emails) that is subscribed to the list, and sends itself to the list, there is nothing that can be done about it. It's a really small probability, but it does happen.

-l

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 15, 2004 4:01 AM
To: C. Barker
Cc: [EMAIL PROTECTED]
Subject: Re: [RCSE] Virus Recieved! "Hokki=)" thru RCSE

Yea I got the e-mail as well... I have no clue who it was from so I did not bother opening it... that is the safe way...

J

--
Jack Strother
Granger, IN
LSF 2948 LSF Level IV
LSF Official 1996 - 2004
CSS Gold
http://home.comcast.net/~strotherb j/

> I just received a virus that was sent through [EMAIL PROTECTED]
> Luckily my service provider deleted it in process!
> The Subject line had "Hokki=)" in it. It contained the beagle virus.
>
> Chris
Re: [RCSE] Virus??
Do not go to the website, it is a new form of virus that hacks your address book and sends out messages; just visiting the site can do this if you don't have appropriate firewalls.

Mark Mech
www.aerofoam.com

----- Original Message -----
From: "James V. Bacus" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, November 22, 2002 3:53 PM
Subject: Re: [RCSE] Virus??

> Hi Mike,
> That first message did not come from the computer you sent this message
> from. Unless you have two computers you do email from I think you are safe.
>
> Some email virii, when they spread, fake the email headers so it looks
> like it came from someone else.
>
> Jim
>
> At 05:23 PM 11/22/2002, [EMAIL PROTECTED] wrote:
> >Hi Guys,
> >
> >Was surprised to see a message to all from me that I did not send. Not sure
> >what it is. I would not look or search for it. Have done a Virus scan, but
> >nothing turns up. Going to update again.
> >
> >Not really sure it came from me? How can you tell??
> >
> >Mike
>
> Jim
> Downers Grove, IL
> Member of the Chicago SOAR club, AMA 592537 LSF 7560 Level III
> ICQ 6997780 R/C Soaring Page at www.jimbacus.net
Re: [RCSE] Virus??
That mail's got a couple of small files in it. It was a virus, but it got nailed in the outbound mail server by an anti-virus program. These programs work centrally and when they find one of these viral attachments they replace it with a non-program, a placeholder called "DELETED0.TXT" (and DELETED1.TXT and so on if there are multiple attachments). Since the other attachment is MSNCONST.TXT this might be the site that removed it or something like that.

This is great news. It means that those irritating EMail viruses are finally getting choked off at their source.

Martin Usher
RE: [RCSE] Virus (was Hi,soaring,the Garden of Eden)
Mainly because the email ID for the list is 'soaring' as in [EMAIL PROTECTED]

--
*** Steven Bixby
San Francisco Bay Area
*** [EMAIL PROTECTED]
[EMAIL PROTECTED]

> -----Original Message-----
> From: Tom Watson [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 03, 2002 7:24 AM
> To: James Osborn
> Cc: Soaring Exchange
> Subject: Re: [RCSE] Virus (was Hi,soaring,the Garden of Eden)
>
> This is at least the second instance of this virus attacking the list and
> both times the subject line is different, but includes the word
> 'Soaring' in it. Weird.
>
> Tom
>
> ----- Original Message -----
> From: "James Osborn" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, May 02, 2002 11:30 PM
> Subject: Re: [RCSE] Hi,soaring,the Garden of Eden
>
> > Now how did that virus KNOW it was posting to the Soaring exchange and
> > therefore ought to use a soaring related subject line?
Re: [RCSE] Virus Alert---HOAX
It has something to do with converting long filenames and so on. Check out http://www.antivirus.com/vinfo/hoaxes/hoax5.asp?HName=SULFNBK+Hoax for the full story.

In my many years of being on the net, I have never actually seen a true virus alert that says you have to do this and that. Always check if you receive mails that look suspicious. And yes, virus alerts are suspicious.

Cheers
Kjelli

----- Original Message -----
From: "Rudy Siegel" <[EMAIL PROTECTED]>
To: "Kjell Fjelde" <[EMAIL PROTECTED]>; "rsiegel" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, December 17, 2001 6:54 AM
Subject: RE: [RCSE] Virus Alert---HOAX

> What does this file do?
>
> Rudy
>
> -----Original Message-----
> From: Kjell Fjelde [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 17, 2001 7:14 AM
> To: rsiegel; Rudy Siegel; [EMAIL PROTECTED]
> Subject: Re: [RCSE] Virus Alert---HOAX
>
> DO NOT DO THIS. THIS EMAIL IS A HOAX.
> The SULFNBK.EXE is a file that is used by Windows and should not be deleted.
>
> If you searched for it, you all found it. Because it's a Windows file and
> not a virus.
>
> Cheers
> Kjelli
>
> ----- Original Message -----
> From: "rsiegel" <[EMAIL PROTECTED]>
> To: "Rudy Siegel" <[EMAIL PROTECTED]>
> Sent: Monday, December 17, 2001 1:05 PM
> Subject: [RCSE] Virus Alert
>
> > I received this virus alert from my brother. It was on my home system, so
> > please follow the directions below to eliminate the problem. Thanks, Rudy
> >
> > ----- Original Message -----
> > From: "James Siegel"
> > Sent: Sunday, December 09, 2001 11:24 PM
> > Subject: Fwd: Virus alert from Bev Ottemann
> >
> > > Subject: Virus alert from Bev Ottemann
> > > Date: Sat, 8 Dec 2001 11:50:44 EST
> > >
> > > I am so sorry to be sending you this alert. Unfortunately, I have been the
> > > unknowing recipient of an email with a computer virus. Thankfully, the
> > > person who detected the virus is alerting everyone in her address list and
> > > recommends I do the same. I used the following directions to remove the
> > > infected file from my computer pretty easily.
> > >
> > > Instructions:
> > > "This virus supposedly is programmed to activate after being on your C
> > > drive for a while. Because of the delay in activation, it does not get picked
> > > up by the antivirus programs such as McAfee and Norton. No one knows how long
> > > this virus has been on the system. It is possible that it has been around
> > > for several months. When it does become active, it will erase all files and
> > > folders on your hard drive. The virus gets spread when you send out e-mails
> > > and filters into C:\WINDOWS\COMMAND. In order to find this virus,
> > > follow the instructions below:
> > > Click on "start"
> > > Choose "find"
> > > Choose "files and folders"
> > > Select "find"
> > > Select "C drive"
> > > Name of file to search for: SULFNBK.EXE
> > >
> > > If you find this file, DO NOT OPEN IT! Select by right clicking on your
> > > mouse and DELETE it. Then close the window and empty your RECYCLE BIN. The
> > > good news is that YOU HAVE ELIMINATED THE VIRUS ON YOUR COMPUTER. The bad
> > > news is that you have transmitted this virus to anyone you may have sent
> > > e-mails to in the last month. Thus the reason for this message. I'm truly
> > > sorry! Please contact everyone in your address book and pass this message
> > > along."
Re: [RCSE] Virus
I received 3 more (up to 5 now), all with different titles and different sized attachments. Only the message text is the same. Something big in the world of viruses is going on.

Dave
Re: [RCSE] virus alert!!
I'm not a computer nerd, get a grip!

luis

----- Original Message -----
From: "David Cole" <[EMAIL PROTECTED]>
To: "Louis Gonzalez" <[EMAIL PROTECTED]>; "soaring" <[EMAIL PROTECTED]>
Sent: Wednesday, March 28, 2001 10:21 AM
Subject: Re: [RCSE] virus alert!!

> It Takes Guts NOT To Forward A Hoax!! Please check on the validity of
> virus warnings and other such stuff before you pass it on -- almost all
> are hoaxes. As an example, go to Google.com and search for "guts jesus"
> and you will immediately see lots of hits which clearly designate this
> as a hoax.
>
> The intentions are good, but the result is not. Don't pass stuff on to
> RCSE or your friends until you take 30 seconds to verify it! You save
> yourself the embarrassment and your friends the worry and wasted time.
>
> > careful guys...
> >
> > if you receive a mail subject "it takes guts to say jesus" do not open it.
> > it will erase your hard drive. there is no cure as of today according to
> > IBM on February 20.
Re: [RCSE] Virus alerts. Don't Panic. Do your Homework
> Don't make yourself look like an ass. Do the research first.

The best site that I've seen is from the US Dept. of Energy. I've been referring folks to it for about 5 years now.

http://hoaxbusters.ciac.org/

Regarding the original post: Don't feel bad about passing it along though, hoaxes and Internet chain-letters have been around since 1988.

Why People Send Chain Letters and Hoax Messages -- Only the original writer knows the real reason, but some possibilities are:

- To see how far a letter will go.
- To harass another person (include an e-mail address and ask everyone to send mail).
- To bilk money out of people using a pyramid scheme.
- To kill some other chain letter (e.g. Make Money Fast).
- To damage a person's or organization's reputation.

---
David
Re: [RCSE] Virus????
Sorry Charlie, the email headers point to you. The happy99 virus is not smart enough to fake the email headers. Are you sure you did a complete scan with updated virus signature files?

At 08:47 AM 12/18/2000 -0800, Charles Miller wrote:
>Hey Guys
>I didn't mean to send that out,,, According to my server.. The virus
>was sent by the original person that sent the landings, a waste of
>time I got that this morning... I am using my office computer
>today no Virus here.. I forget the name of the guy who sent the
>original Landings,, a waste of time.

Steve Meyer
http://SOARchicago.com/stmeyer/
[EMAIL PROTECTED]
S.O.A.R. Web Page http://SOARchicago.com/
Now with Message Boards http://SOARchicago.com/discus/
Re: [RCSE] VIRUS, info, howto
Good advice to never, ever open an executable sent via email. The other day I got a report that one of my messages here generated a "virus alert", but a v-scan was negative. This list software should be configured not to pass along ANY attachments. IMO, FWIW.

Good holidays to all!

--Bill

On Mon, 18 Dec 2000 09:26:11 -0600 Steven Meyer <[EMAIL PROTECTED]> wrote:

FREE Antivirus software. http://antivirus.cai.com/

I have been getting hit by the W95.Hybris.gen. Also known as W32.Hybris.gen, W32.Hybris.22528.dr, W32/Hybris.gen@M, I-Worm.Hybris
http://www.symantec.com/avcenter/venc/data/w95.hybris.gen.html

I like Symantec's site for virus information. It appears it may be propagating from several people on this exchange! No wonder, since it masks itself as "porno" material. :-)

People, it is very wise NOT to execute any attachment to email. This will include, but is not limited to, files with the extensions EXE, VBS, SCR, COM. Even if you know the person, a lot of virus code will send out mail without the original sender's knowledge.

If you don't run a virus scanner get one. But remember this is not a guarantee. Hopefully it will just prevent you from spreading it. CA is giving theirs away. Go here. http://antivirus.cai.com/

Steve Meyer
http://SOARchicago.com/stmeyer/
[EMAIL PROTECTED]
S.O.A.R. Web Page http://SOARchicago.com/
Now with Message Boards http://SOARchicago.com/discus/
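Bill's suggestion that the list software should not pass along attachments, Steve's list of extensions (EXE, VBS, SCR, COM) that should never be executed, and the DELETED0.TXT placeholder Martin Usher describes the outbound scanner leaving in an earlier thread on this page all describe the same control: strip executable attachments at the relay and leave a marker so the recipient knows something was removed. The script below is an added example, not code from the list, from any poster, or from the scanner Martin saw: the sample message is constructed, the block list starts from Steve's four extensions plus two other directly executable Windows types (an illustrative set, not a complete one), and the placeholder naming follows the DELETEDn.TXT convention Martin quoted. Only the standard-library `email` package is used.

```python
"""Replace executable attachments with a DELETEDn.TXT placeholder, the way
the outbound scanner Martin describes does, so the list relays no programs."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative block list: the extensions Steve named plus two other directly
# executable Windows types. A real deployment would carry a longer list.
BLOCKED_EXTS = {"exe", "vbs", "scr", "com", "pif", "bat"}


def is_blocked(filename, blocked_exts=BLOCKED_EXTS):
    """True when the *last* extension is executable; this is what catches
    double-extension tricks such as 'photos.jpg.scr'."""
    if not filename or "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in blocked_exts


def neutralize(raw_bytes, blocked_exts=BLOCKED_EXTS):
    """Parse a message and swap every blocked attachment for a small text part
    named DELETED0.TXT, DELETED1.TXT, ... Returns (message, removed names)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    removed = []
    for part in list(msg.walk()):
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not is_blocked(name, blocked_exts):
            continue
        placeholder = f"DELETED{len(removed)}.TXT"
        part.clear_content()        # drops the payload and all Content-* headers
        part.set_content(
            f"Attachment {name!r} was removed: executable attachments "
            "are not relayed by this list.\n",
            disposition="attachment", filename=placeholder)
        removed.append(name)
    return msg, removed


def attachment_names(msg):
    """Filenames of the attachments in a parsed message, in order."""
    return [part.get_filename() for part in msg.iter_attachments()]


def build_sample():
    """Constructed sample: a text body, a harmless notes file, and a
    'photo' that is really a screensaver executable (a fake MZ header)."""
    msg = EmailMessage()
    msg["From"] = "member@example.org"
    msg["To"] = "soaring@lists.example.net"
    msg["Subject"] = "Hi, soaring"
    msg.set_content("Photos from the slope this weekend.\n")
    msg.add_attachment("field notes\n", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 28,
                       maintype="application", subtype="octet-stream",
                       filename="photos.jpg.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = neutralize(build_sample())
    print("removed:", removed)
    print("attachments now:", attachment_names(cleaned))
    print(cleaned.as_string())
```

The placeholder is deliberately a text/plain part with a Content-Disposition of attachment, so a mail client shows it alongside the surviving attachments rather than hiding the removal; the decision is made on the final extension of the declared filename, which is why a file named to look like an image still gets stripped.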
Re: [RCSE] Virus alert!
Yeah, my scanner trapped it too. I warned Lee about the virus immediately.

----- Original Message -----
From: "Geoff Sokoll" <[EMAIL PROTECTED]>
To: "Patrick Sloan" <[EMAIL PROTECTED]>
Cc: "RCSE" <[EMAIL PROTECTED]>
Sent: Tuesday, July 04, 2000 6:57 AM
Subject: Re: [RCSE] Virus alert!

> > Norton keeps trying to quarantine my inbox file and I can
> > not tell which email contained the virus.
>
> hmmm, that'll be Lee Estingoy's post about kevlar.
Re: [RCSE] Virus alert!
> Norton keeps trying to quarantine my inbox file and I can
> not tell which email contained the virus.

hmmm, that'll be Lee Estingoy's post about kevlar. Coincidentally, the same one that Tord complained about getting lots of HTML garbage in ("lots of info about your regedit.exe, autoexe.bat and other Windows nonsense")... look at http://www.symantec.com/avcenter/venc/data/wscript.kakworm.html if you're interested. Only affects Outlook Express.

Regards,
Geoff