Virus I Cannot Find


paulfr

I have 4 malware programs keeping my machine clean.

Spysweeper, AdAware, Spybot, AVGFree, yet I got this email and have seen similar emails (although quite infrequently) before.

-------

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

[email protected]

-------

I have no idea who gagnon@london. .... is !

Sure looks like some executable is sending emails from my machine.

Or is there some other explanation ?

What to do ?

Suggestions appreciated.

Link to comment

Don't worry about it. It was probably not sent by you. Some spammer is using your return address in hopes of avoiding spam traps. Just got one myself a day or two ago with someone using my gmail address.

Link to comment

Try to read the header of the email; you will find some useful information in it, and most probably it was not sent from you!

I get emails all the time saying that the [email protected] cancelled the user [email protected]. Which is really surprising for me, as I am the webmaster and this user, but the email address webmaster is not used.....

So most probably someone else's computer has a virus and uses old email addresses as sender and recipient. If the recipient's email address is not valid anymore, it will be returned to the fake sender address, which is yours.

Most probably you don't have a virus yourself.

Link to comment
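The header check suggested above, as an added example that is not part of any poster's message: it reads the headers of the undelivered message that a bounce returns and reports which IP address handed the mail to the bouncing server. The sample headers, host names and address ranges are constructed placeholders, and the `Received` layout assumed is the common `from ... ([ip]) by ...` form.

```python
import email
import ipaddress
import re

# Constructed sample: headers of the undelivered message as returned in a bounce.
# All hosts and addresses are placeholders (documentation ranges).
RETURNED_HEADERS = """\
Received: from mail.sender.example (unknown [203.0.113.77])
    by mx.recipient.example (Postfix) with ESMTP id 4F1A2B
    for <nobody@recipient.example>; Mon, 1 Jan 2007 10:00:00 +0000
Received: from pc (localhost [127.0.0.1])
    by mail.sender.example with SMTP; Mon, 1 Jan 2007 09:59:58 +0000
From: me@myisp.example
To: nobody@recipient.example
Subject: hello

"""

# "from <helo> (<rdns> [<ip>]) by <host>": the bracketed IP is recorded by the
# relay that accepted the connection, so it is not under the sender's control.
HOP = re.compile(r"from\s+\S+\s+\([^)]*\[([0-9A-Fa-f:.]+)\]\)\s+by\s+(\S+)")

def received_hops(raw_headers):
    """Return [(by_host, from_ip)], newest hop first."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        match = HOP.search(value)
        if match:
            hops.append((match.group(2).lower(),
                         ipaddress.ip_address(match.group(1))))
    return hops

def handoff_ip(raw_headers, bouncing_domain):
    """IP that connected to the server that bounced the mail.

    Only this hop is trustworthy; Received lines below it can be forged.
    """
    for by_host, from_ip in received_hops(raw_headers):
        if by_host == bouncing_domain or by_host.endswith("." + bouncing_domain):
            return from_ip
    return None

def came_from_me(raw_headers, bouncing_domain, my_networks):
    """True/False if the hand-off IP is in my networks, None if unknown."""
    ip = handoff_ip(raw_headers, bouncing_domain)
    if ip is None:
        return None
    return any(ip in ipaddress.ip_network(net) for net in my_networks)
```

Pass the domain of the server that generated the bounce and the address ranges of your own connection and your ISP's outgoing mail servers; a `False` result means the message was handed over from somewhere else and your address was only forged as the sender.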

paulfr - The firewall built into Windows XP is not a bi-directional firewall. It only monitors/stops malware attempting to enter your system, but it does not stop viri, trojans, worms, keyloggers, etc. already on your computer, from sending data out, without your knowledge and approval.

To monitor both incoming and outgoing data, you need to install a bi-directional firewall like Zone Alarm.

Would suggest you first run several of the online virus checkers like Trend Micro, Symantec, McAfee, Kaspersky, Panda, etc. (Google listing here) to check your system, as many viri/trojans have the capability of disabling all previously installed antivirus programs.

Once you're fairly certain your system is "clean", install one of the bi-directional firewalls, connect to the internet, and monitor ALL outgoing traffic for suspicious activity. (The firewall's built-in log program, if activated, will keep a written account of both incoming and outgoing activity you can review later, offline.)

You may wish to read this earlier post concerning a new trojan/virus threat. Details here.

good luck :D

(PS - @london.whitecase.com is the email address for White & Case LLP, a Global Law Firm (here)......Is there any conceivable reason a lawyer would want to spy on you? :o )

Edited by waldwolf
Link to comment

I only connect from home via HS Internet.

But it sounds like this problem is not much to worry about as there is a good explanation.

And to Waldwolf, no ..... there is no reason for a lawyer to be spying on me. But it is an interesting thing to know that some might do that.

Link to comment

Don't worry about it.  It was probably not sent by you.  Some spammer is using your return address in hopes of avoiding spam traps.  Just got one myself a day or two ago with someone using my gmail address.

Ditto, same has happened to me in the past couple of weeks. I had non-delivery notifications on emails I never sent to email addresses I'd never heard of.

More worrying, all the emails had a zip attachment, which is the favourite way that <deleted> send viruses and other nasties to screw with someone else's computer.

:o

Link to comment

Well this saga continues ....

Just got this email from my ISP with an attachment and a threat to cancel my service after 10 years with them.

----------------------------

Dear Ix Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your membership.

Virtually yours,

The Ix Support Team

-------------------------

I do not dare open the zip file attachment until the service confirms to me they sent it. I am waiting for their reply.

People with a life do not have time for this bs.

Isn't the Internet fun ??

5555555

Edited by paulfr
Link to comment

While you wait, change your password just in case someone is logging in as you. And I would place a phone call to your ISP to resolve the issue, as sending a zip file would not be a good practice (although I have had attachments sent by Thai ISP).

You don't have any "friends" who know your email that might be pulling your chain? If your return email was used on a huge amount of spam one would expect a lot more than one bounce. And more than a few nasty replies.

Link to comment

Just got this email from my ISP with an attachment and a threat to cancel my service

It's a trojan (is it 64k in size?). I received 2 last week claiming to come from an ISP I have an email addy with in Australia.

I informed the ISP, and received a canned message in reply - I cannot see how it would be much of an effort to discard any emails arriving from outside the ISP which have the ISP domain in the header - guaranteed many people would open the zipped file and infect themselves.

Link to comment

paulfr - It will be interesting to hear what your actual ISP has to say about that email warning you received.

Just be aware, the ISP notification you received, if genuine, is a clear warning you probably have a "backdoor" trojan running on your system. One that is replicating itself and sending emails for one or more spammer(s).

If you do have one of those backdoor trojans, it may include a keylogger which is sending data to some unknown server, in the hope of obtaining personal and confidential data. Would strongly recommend you do not use this computer for any banking, credit card or similar usage involving password protected financial transactions. If there is a keylogger at work, even encrypted sites (https) may not be secure.

As you are apparently on broadband (HS?) your Windows XP firewall is basically useless in stopping outgoing malware reports. You need either a good software firewall or a router with a built-in firewall. (Many people run both.)

If time is of the essence, then you will need to backup all your data (not installed programs), then do a full reformat and an OS reinstall, followed by installation of a bi-directional firewall before reconnecting to your ISP.

good luck & keep us posted on your findings.

Edited by waldwolf
Link to comment

My ISP responded within an hour of my email.

Here is their reply ......

----------------

Thank you for contacting us.

We apologize for the confusion. The email you received and its corresponding web site are fraudulent, and are in no way associated with EarthLink.

We were made aware of this site recently and took immediate steps to contact the host of the site, to have it removed from service.

For future reference, EarthLink will never ask you to respond to an email with sensitive information like your full credit card number. We recognize that email may not be a secure way to send such important information.

The only place EarthLink would direct you to update your personal information would be through the My Account page:

http://myaccount.earthlink.net

If you receive notifications like this and are unsure of their validity please contact us before accessing the site or providing your personal information. If you did enter your credit card information at the site, please contact your credit card company to have your account secured.

We do hope the above information will be helpful for you. However, if you have other inquiries, kindly get back to us.

------------------

Link to comment

OK, now we know the email reportedly from your ISP, was a "ruse de guerre".

Now back to your original enquiry about the email "kickback". Was that also a ruse or did it actually originate from your account?

As one member suggested earlier, check the header for origination details.

cheers :o

Link to comment

In a really urgent case you can also PM me with the header of an email. Before I had some filters, I had around 1000 spam/fraud/Nigerian scam emails per day, so I am already one of the most experienced human spam filters....... :o

One easy way to detect them is wrong links. For example, a fraud email has a link to www.paypal.com/secure/userexperience.html, but if you move the mouse pointer over this link, or look at the source code of this HTML email, the real link is something like: 175.184.123.15/web/igor/test.html

So never use such links, and if you really think it is OK, put it manually in your browser and do not click it.

Link to comment

There was a worrying item on the news here (in UK) last week regarding scam emails asking for PIN numbers to bank accounts.

There are various methods of securing bank account details (such as your account number) as there isn't much secrecy or security involved in it (every time you make a transaction, the recipient has your details).

Also, there are instances of imposters passing themselves off as bank staff (on the bank's premises!) intercepting customers and gaining information from them.

Basically, the scam emails are very convincing as all the logos, colour schemes etc have been cloned from the official bank website.

The email sounds innocent enough, but asks you to confirm your pin number.

ALL banks are now warning that they would never under any circumstances ask any customer to divulge their pin numbers.

So, if you get an email from your bank, go carefully.

Edited by Welshman
Link to comment

Have never discovered if the emails are actually being sent from my computer, but the fake note from my ISP with the zip file .......Spysweeper after an update found and identified it as

I-Worm/Mytob.JH virus.

As Welshman says ... never give out PINs or mother's maiden name or other info in an email.

--------------------

Edit ....

Funny coincidence ... just got this from my ISP in an email.

The 10 tips below should help you recognize a phisher email.

1. Generic greetings. Many phisher emails begin with a general greeting, such as: "Dear member." If you do not see your first and last name, be suspicious.

2. A fake sender's address. A phisher email may include a forged email address in the "From" field. This field is easily altered.

3. A false sense of urgency. Many phisher emails try to deceive you with the threat that your account is in jeopardy if you don't update it ASAP. They may also state that an unauthorized transaction has recently occurred on your account, or claim they’re updating their accounts and need your information fast.

4. Fake links. Always check where a link is going before you click. Move your mouse over it and look at the URL in your browser or email status bar. A fraudulent link is dangerous. If you click on one, it could:

- Direct you to a phisher website that tries to collect your personal data.

- Install spyware on your system. Spyware is an application that can enable a hacker to monitor your actions and steal any passwords or credit card numbers you type online.

- Cause you to download a virus that could disable your computer.

5. Emails that appear to be websites. Some emails will look like a website in order to get you to enter personal information.

6. Deceptive URLs. Only enter your EarthLink password on EarthLink pages. These begin with https://www.earthlink.net/, ...my.earthlink.net, ...webmail.earthlink.net, etc.

- Even if a URL contains the word "EarthLink," it may not be an EarthLink site. Examples of deceptive URLs include: www.earthlinksupport.com, www.earth1ink.com, www.accounts-earthlink.com, and www.earthlinkcom.net.

7. Misspellings and bad grammar. Phisher emails often contain misspellings, incorrect grammar, missing words, and gaps in logic. Mistakes also help fraudsters avoid spam filters.

8. Unsafe sites. The term "https" should always precede any website address where you enter personal information. The "s" stands for secure. If you don't see "https," you're not in a secure web session, and you should not enter data.

9. Pop-up boxes in an email are not secure. Don’t enter personal information into them.

10. Attachments. Like fake links, attachments are frequently used in spoof emails and are dangerous. Never click on an attachment unless you know the person that sent it to you. Most people become infected by clicking on some sort of attachment that causes them to download spyware or a virus.

Edited by paulfr
Link to comment
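Tip 6 above turned into a check, as an added example that is not part of the ISP's email or the post: a URL counts as belonging to a domain only when its host is that domain or a subdomain of it, and hosts that merely contain the brand name (including the digit-for-letter swap in `earth1ink`) are labelled lookalikes. The URLs are the ones quoted in the tip plus one constructed case; the function names and the digit table are this example's own assumptions.

```python
from urllib.parse import urlsplit

# Digit-for-letter swaps as in the tip's own example (earth1ink); extend as needed.
LOOKALIKE_DIGITS = str.maketrans("10", "lo")

def host_of(url):
    """Lower-cased host; a bare 'www.example.com' is accepted too."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").rstrip(".")

def belongs_to(url, trusted_domain):
    """True only if the host is trusted_domain itself or a subdomain of it."""
    host = host_of(url)
    trusted = trusted_domain.lower().rstrip(".")
    # The leading dot is what stops 'earthlinkcom.net' or 'notearthlink.net'.
    return bool(host) and (host == trusted or host.endswith("." + trusted))

def classify(url, trusted_domain, brand):
    """'trusted', 'lookalike' (brand name used off-domain) or 'unrelated'."""
    if belongs_to(url, trusted_domain):
        return "trusted"
    if brand.lower() in host_of(url).translate(LOOKALIKE_DIGITS):
        return "lookalike"
    return "unrelated"

# URLs quoted in the tip, plus one constructed case (the last entry).
URLS = [
    "https://www.earthlink.net/", "my.earthlink.net", "webmail.earthlink.net",
    "www.earthlinksupport.com", "www.earth1ink.com",
    "www.accounts-earthlink.com", "www.earthlinkcom.net",
    "www.earthlink.net.example.com",
]

def report(urls=URLS):
    """Map each URL to its classification against earthlink.net."""
    return {u: classify(u, "earthlink.net", "earthlink") for u in urls}
```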

Hi,

the best way to receive your mail in a safe way is to see the header first and possibly have a text preview of it ...

so, a little prog do this for free :D

here : magic mail monitor

and if you are interested, you can download it here :

download magic mail monitor

I have used it for quite a long time now, and it's the best pre-mail program that I found, small, light on the system and giving excellent results :o

give it a try

francois

Link to comment

6. Deceptive URLs. Only enter your EarthLink password on EarthLink pages. These begin with https://www.earthlink.net/, ...my.earthlink.net, ...webmail.earthlink.net, etc.

- Even if a URL contains the word "EarthLink," it may not be an EarthLink site. Examples of deceptive URLs include: www.earthlinksupport.com, www.earth1ink.com, www.accounts-earthlink.com, and www.earthlinkcom.net.

First question I would ask Earthlink is, what are you doing to close down URLs that are using your trademark Earthlink in an illegal and fraudulent manner?

8. Unsafe sites. The term "https" should always precede any website address where you enter personal information. The "s" stands for secure. If you don't see "https," you're not in a secure web session, and you should not enter data.

Even seeing the "https" address does not guarantee you are actually communicating with the party you think you are, nor does it prevent your data being captured at either end of the encrypted transmission chain.

If one uses a computer on any type of internet connection, one must assume, as with a telephone communication, someone else is "listening". If someone can hack into and record a phone conversation between the White House and Presidential Air Force One (which occurred several years ago), or the FBI and Atomic Energy Commission computers, your "swiss-cheese" Windows system should be a piece-of-cake.

As the popularity of mobile systems grows, so do the vulnerability factors. In recognition of this, Microsoft and other government contractors have joined forces to develop stronger and safer mobile communication software for the military, which should, in time, filter down to the general public. (More here)

We all hear about Routers and software Firewalls, but are they really effective? The answer is yes and no. Like most "locks", they're really designed to keep honest people out. Take for example your broadband router and the firewall incorporated into Windows XP. Both are one-way streets, so to speak. They only stop malware from entering your system. They do not monitor nor prevent data from exiting your system. So, if by chance you open an infected email or view an infected picture on some website, your system can become compromised and immediately begin transmitting data to an outside source. It is unlikely you will be aware this is happening, until the damage has already been done.

It's easy and relatively inexpensive to protect yourself. Study your options. Ask questions. Be pro-active.

Lecture is now over for the day.

cheers :o

Link to comment