Re: OT: Inundated with bogus(?) warnings I'm infected


Matthew Saltzman wrote:
On Wed, 13 Sep 2006, Paul Howarth wrote:

fredex wrote:

On Wed, Sep 13, 2006 at 05:33:21AM -0500, Mike McCarty wrote:

I'm getting inundated (like a few tens of e-mails a day) with
messages claiming that my machine has been identified as sending
a multitude of messages and is likely to be infected, or that
some e-mail I don't recognize was undeliverable. Both of them
recommend that I follow the attached instructions.

The attachment is a .zip which unpacks to a file named

text.doc                                      .scr


This is a classic virus/trojan payload technique. If your mailer

Thanks for the reply. I'm aware of that. I don't "open" attachments.
I save them to disk, and use $ file and dump them in hex.

appears to show the attachment as a .doc file, you might be persuaded to open it with MS Word. The .scr extension is there to get past attachment scanners that key on the file type. Odds are, this is a Word macro trojan.

Umm, some of them don't look like that. Some of them are definitely
Windows executables; have the "MZ" signature, and the tell-tale
"This program cannot be run in DOS mode" message in them (strings
is a nice program, too).

[snip]

Would someone please help me in interpreting the headers
from these messages so I can ascertain where they originate,
and possibly get someone (who I presume is infected) either
cleaned or shut down?


It's playing whack-a-mole, really. But you can follow the chain of "Received:" headers back to the last one that makes sense (sometimes the earlier ones are forged too) and mail the postmaster or abuse address at that domain.

Well, I have done that sort of thing once or twice, and accidentally
posted a copy to an e-mail echo. One fellow commented that I had
mis-interpreted the forged headers, but then disappeared and wouldn't
explain what I had done wrong. That's where I want some help.

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
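The two things Mike is doing by hand above (checking the saved attachment with file/strings for the padded "text.doc ... .scr" name and the MZ signature, and walking the Received: chain back to "the last one that makes sense") can be scripted. The block below is an added example for this thread, not code posted by anyone on the list. The message it triages is constructed inline: three Received: hops, newest first, and a zip attachment carrying a fake PE image. The set of hosts treated as "our own" (mail.example.net), every other hostname and all IP addresses are assumptions for the demo. The rule it applies is the one Matthew describes: a hop written "by" one of your own servers can be trusted, and the bracketed IP in the first such hop that received from an outside address is the place to send the abuse report; every hop below the first one not written by your servers may have been typed by the sender.

```python
"""Triage a bogus "your machine is infected" mail: inspect the attachment and
walk the Received: chain back to the last hop you can trust.
Added example; hosts, addresses and the message itself are constructed."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

OWN_HOSTS = {"mail.example.net"}            # assumption: the MTAs you operate
EXEC_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd", "vbs", "js", "lnk"}
PADDED_NAME = "text.doc" + " " * 38 + ".scr"    # the padded double extension from the thread


def make_fake_pe() -> bytes:
    """Minimal MZ/PE skeleton: DOS stub text plus e_lfanew pointing at 'PE\\0\\0'."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")          # e_lfanew
    stub = b"This program cannot be run in DOS mode.\r\n$"
    hdr[0x40:0x40 + len(stub)] = stub
    return bytes(hdr) + b"PE\0\0" + bytes(20)


def build_sample_message() -> bytes:
    """Constructed sample mail (not a real capture): three hops, newest first."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(PADDED_NAME, make_fake_pe())
    msg = EmailMessage()
    # Written by our own MTA: internal re-injection loop, nothing to report here.
    msg["Received"] = ("from mail.example.net (localhost [127.0.0.1]) by mail.example.net "
                       "(Postfix) with ESMTP id 1A2B3C; Wed, 13 Sep 2006 10:11:12 -0500")
    # Written by our MTA when the outside host connected: HELO claims bank.example,
    # but our server saw a DSL customer at 203.0.113.7. This IP is the reliable one.
    msg["Received"] = ("from bank.example (pc-1234.dsl.bigisp.example [203.0.113.7]) by "
                       "mail.example.net (Postfix) with ESMTP id 4D5E6F; Wed, 13 Sep 2006 10:11:10 -0500")
    # Supplied by the sender inside the message: nobody we trust wrote it.
    msg["Received"] = ("from smtp.bank.example (smtp.bank.example [198.51.100.9]) by "
                       "mail.bank.example with ESMTP id 7G8H9I; Wed, 13 Sep 2006 10:10:00 -0500")
    msg["From"] = "postmaster@bank.example"
    msg["To"] = "mike@example.net"
    msg["Subject"] = "Your computer is sending virus mail"
    msg.set_content("Your machine has been identified as infected. See the attached instructions.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="report.zip")
    return msg.as_bytes()


HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>[\w.-]+)", re.S)


def parse_hops(msg):
    """Return Received: hops in header order (newest first) as helo/rdns/ip/by dicts."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(str(value))
        if not m:
            continue
        paren = m.group("paren") or ""
        ip = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]", paren)
        rdns = paren.split()[0] if paren and not paren.startswith("[") else None
        hops.append({"helo": m.group("helo"), "rdns": rdns,
                     "ip": ip.group(1) if ip else None, "by": m.group("by")})
    return hops


def find_origin(hops, own_hosts=OWN_HOSTS):
    """Walk newest to oldest. Stop at the first hop our own server recorded from an
    outside address; that bracketed IP is the one to report. Hops below the first
    one not written by us are unverified, since the sender can forge them."""
    for i, hop in enumerate(hops):
        if hop["by"] not in own_hosts:
            return {"report_ip": None, "boundary": None, "unverified": hops[i:]}
        internal = hop["ip"] is None or hop["ip"].startswith("127.") or hop["helo"] in own_hosts
        if internal:
            continue
        return {"report_ip": hop["ip"], "boundary": hop,
                "helo_mismatch": hop["rdns"] is not None and hop["helo"] != hop["rdns"],
                "unverified": hops[i + 1:]}
    return {"report_ip": None, "boundary": None, "unverified": []}


def classify_name(name):
    """Flag executable extensions and the 'doc<many spaces>.scr' padding trick."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {"name": name, "executable_ext": ext in EXEC_EXTS,
            "padded_double_ext": re.search(r"\.\w+\s{2,}\.\w+$", name) is not None}


def looks_like_pe(data: bytes) -> bool:
    """MZ signature plus a valid e_lfanew pointing at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def inspect_attachments(msg):
    """Look at attachment bytes (inside zips too) without ever 'opening' them."""
    findings = []
    for part in msg.iter_attachments():
        name, data = part.get_filename() or "", part.get_payload(decode=True) or b""
        members = [(name, data)]
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [(info.filename, zf.read(info)) for info in zf.infolist()]
        for mname, mdata in members:
            f = classify_name(mname)
            f["pe_image"] = looks_like_pe(mdata)
            f["dos_stub"] = b"This program cannot be run in DOS mode" in mdata[:1024]
            findings.append(f)
    return findings


def triage(raw: bytes, own_hosts=OWN_HOSTS):
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"origin": find_origin(parse_hops(msg), own_hosts), "attachments": inspect_attachments(msg)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(build_sample_message()))
```

To use it on a real message, save the mail to disk (as Mike does) and call `triage(open(path, "rb").read(), {"your.mx.hostname"})`. The `helo_mismatch` flag shows the forged HELO name sitting next to the reverse DNS your own server looked up; the abuse report goes to the owner of `report_ip`, and nothing in the `unverified` list should be quoted as evidence of where the mail came from.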