Nennayan

I've been getting a lot of emails lately, with a subject line of Mod on EQinterface, with attachments named things like vert.zip align.zip or author.zip, always the same size, from multiple addresses.

I've been getting at least one a day, and there's never any message other than the subject line. I was just wondering, has anyone else has been recieving this pathetic attempt to infect them with a virus?

__________________

guice

Interesting .. I hadn't been receiving any, thankfully.

You're just too loved.

__________________
Sithr, 65th Transcendent
Officer/Leader of Chronology
Mithaniel Marr
http://www.chronology-guild.org/

Sylviania

*wonders how someone can hope virusing a skeleton...*

*grins evilly at Nennayan*

*turns into a wolf*

*jumps on Nennayan*

*crunch, slurp*

*burps loudly*

that's much more efficient

__________________
Sylviania Delaforet
Ranger of Tunare , The Mother Of All
Seeker of Divinity
Rallos Zek Server

Nennayan

Well, I finally got one with a different subject line.

--------------------------------------------------------------------------------
Subj: Officer of NVIDIA.
Date: 8/29/02 1:59:59 PM Central Daylight Time
From: [email protected] (Dolby didn't send this. Scroll down to the headers to see the return path.)
To: [email protected]

File: border.zip (56547 bytes)
DL Time (115200 bps): < 1 minute

<HEAD></HEAD>
<iframe src=cid:Vu638z656L06 height=0 width=0>
</iframe>



----------------------- Headers --------------------------------
Return-Path: <[email protected]>
Received: from rly-zd03.mx.aol.com (rly-zd03.mail.aol.com [172.31.33.227]) by air-zd01.mail.aol.com (v88.20) with ESMTP id MAILINZD11-0829145959; Thu, 29 Aug 2002 14:59:59 2000
Received: from sm12.texas.rr.com (sm12.texas.rr.com [24.93.35.43]) by rly-zd03.mx.aol.com (v88.20) with ESMTP id MAILRELAYINZD310-0829145937; Thu, 29 Aug 2002 14:59:37 -0400
Received: from Aogl (cs24243180-13.hot.rr.com [24.243.180.13])
by sm12.texas.rr.com (8.12.1/8.12.0.Beta16) with SMTP id g7TItNmE014557
for <[email protected]>; Thu, 29 Aug 2002 13:55:23 -0500
Date: Thu, 29 Aug 2002 13:55:23 -0500
Message-Id: <[email protected]>
From: dolby <[email protected]>
To: [email protected]
Subject: Officer of NVIDIA.
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=B2AtU3Du2C0Q74V470Fa0iIQ

Kudane

I got one from [email protected] called "IE 6.0 patch"

I get about 20-30 emails like this a day...

its the KLEZ virus.. and damn freakin sneaky.. the "sender" is never who sent it.. (as you can see) and the REAL sender has no idea he is sending a ton of mail... evertime it sends it out, it puts a differnet person as the sender...

all i can say is... dont download attachements around 110-130k if you were not expecting them, and if you SCAN FOR VIRUSES... even yahoo now catches it..

good luck..

Kudane

guice

Where there's no way to tell for sure, sometimes you can narrow it down a bit. Look inside of the full headers. There should be a section from where the email was originally Recieved from.

Emails like that are always sent from the person's home system, never from Yahoo, etc. So, it will always be an ISP's SMTP server.
Next step is to look at the domain and see if you know anybody with that domain name for an email.

It's not guarenteed, but it can narrow it down. I mean, if you see thunder3.gpcentre.net in the original Recieved header, it's me. No questions about that.
(although it won't be me sending you the email. These virus exploits used are 99% Outlook made)

PS: It also tells you the Email client used on the other side. (normally)