Another cunning virus ploy

[ffutures]

Received this tonight (read in mailwasher, needless to say with great care)

Dear user of Ntlworld.com,

Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

For further details see the attach.

Best wishes,
The Ntlworld.com team http://www.ntlworld.com

Needless to say "the attach" is a .pif file called morinfo, presumably a virus payload of some sort. That or Ntlworld technical support are TRULY stupid, because there is no way I'm opening an attachment of that sort.

Here's the full header, for anyone who's interested or wants to take a crack at tracing the source. I've replaced the usual HTML brackets with curly brackets in what follows and deleted my address:

Return-Path: {czVrldGLqVJAFwia@00.d0.59.f5.d0.2a}
Received: from dispatch ([67.164.248.44]) by mta03-svc.ntlworld.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) with SMTP
id {20040304155443.YOMD22458.mta03-svc.ntlworld.com@dispatch}
for {xxxxxxxxxxxxxxxx@ntlworld.com};
Thu, 4 Mar 2004 15:54:43 +0000
Date: Thu, 04 Mar 2004 08:56:56 -0700
To: xxxxxxx@ntlworld.com
Subject: Warning about your e-mail account.
From: support@ntlworld.com
Message-ID: {etchsvwvojumewsoxpq@ntlworld.com}
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------tjbeqniifnaoportlvak"

----------tjbeqniifnaoportlvak
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Comments

[elementalv.livejournal.com]

And with each passing week, my decision to continue using a Mac is justified more and more.

[ffutures.livejournal.com]

I'd still be getting all of this crap if I did have a mac. I'm sure you are too, if your email address is at all in the public eye.

I've never been infected with a virus in all the time I've had a PC; I'm fairly paranoid, was a beta-tester for the first PC anti-virus software in the early eighties, and have done my best to be VERY careful since then. I've got a hardware and a software firewall, anti-virus programs on all machines, and anti-virus and anti-spam software checking and deleting most mail unread. I don't use Outlook, and I don't open attachments unless I am expecting them and they have got through the virus checker.

[elementalv.livejournal.com]

I get surprisingly little of it, actually. During the MyDoom outbreak, I think I received the sum total of 4 messages, all of them directed at my Earthlink address. The worst problem I had was the Sobig (was that the big bad last year? can't remember) virus, when my Earthlink address was being spoofed, and I was receiving 30-40 messages per day, either with the new virus trying to come in or with organizational firewalls rejecting the messages that had spoofed my e-mail address.

What's frustrating to me is having to listen to coworkers come in the next day and complain about how they had to redo everything on their computer because of a virus. They don't necessarily keep up to date with the patches Microsoft puts out, which means they're part of the problem with the virus spreading.

[ffutures.livejournal.com]

The problem is I have to have contact details on my web site, and I post to newsgroups fairly often. As a result my address is on every spammer's list.

[karohemd.livejournal.com]

I received two mails from "ntlworld" accounts today, one from "noreply" and one from "management" both having a similar content of warning me of my "improper use" of my mail account and that it would be cancelled. More info would be in the attachment (.zip).

I use Mozilla Thunderbird so I'm pretty safe against attachments as long as I don't consciously double-click and run them but that would be stupid. ;o)

Still annoying, though. And this one is even more cunning as it builds on the fact that many current viruses mask the sender address.

[silly-dan.livejournal.com]

That seems to be the Beagle virus, which I've recieved a couple dozen copies of (luckily, I check my email on a UNIX machine). See
<http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.k@mm.html>

As an aside, Slashdot reports that the authors of this and other recent viruses have taken to launching flamewars against each other in the source code of their viruses.

[ffutures.livejournal.com]

I think you may have seen this in the few minutes between my posting it and realising that I needed to replace the HTML markup brackets with curly ones - there isn't an error message now, I hope.

[silly-dan.livejournal.com]

No, I think that was me -- putting a web address in angle brackets in my comment caused the error, I think.

[ffutures.livejournal.com]

Oh right, stupid of me.

[armb.livejournal.com]

<a href="http://www.sluggy.com>Sluggy Freelance</a> has a similar warning about warnings sent in their name - apparently the virus picks a website (from bookmarks?) and fills in a template. "Something's wrong, you might be infected, blah blah blah, please click on the mysterious attachment to solve everything! Sincerely, The Sluggy.Com team (http://www.sluggy.com) P.S. I am not a virus. Just open the darn attachment. Well, it didn't actually include the P.S. part, but you get the picture."