Do you think this is a virus/worm/trojan?

   / Do you think this is a virus/worm/trojan? #1  

DocHeb

Veteran Member
Joined
May 24, 2001
Messages
2,384
Location
Michigan
Tractor
New Holland TC40D Supersteer
My wife received an email delivery failure message. She never sent an email to the supposed recipient, and there are attachments that have a hidden .zip file. I am running Norton Firewall and Antivirus (up-to-date) and received no warnings. I think this may be an intrusion attempt. What do you think? If it is, they are really getting sneaky.

Received: from mc6.midcoast.com ([69.39.100.16])
by rwcrmxc23.comcast.net (rwcrmxc23) with ESMTP
id <20041204120625r23005kr9ce>; Sat, 4 Dec 2004 12:06:25 +0000
X-Originating-IP: [69.39.100.16]
Received: by mc6.midcoast.com (Postfix)
id EC53919EF7; Sat, 4 Dec 2004 07:05:43 -0500 (EST)
Date: Sat, 4 Dec 2004 07:05:43 -0500 (EST)
From: MAILER-DAEMON@mc6.midcoast.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: Nannygoat@comcast.net
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="C9D1616847.1102161943/mc6.midcoast.com"
Message-Id: <20041204120543.EC53919EF7@mc6.midcoast.com>

This is a MIME-encapsulated message.

--C9D1616847.1102161943/mc6.midcoast.com
Content-Description: Notification
Content-Type: text/plain

This is the Postfix program at host mc6.midcoast.com.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the message returned below.

The Postfix program

<ron@r.mail.midcoast.com>: host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
content rejected, id=19727-08 - VIRUS: Worm.Sober.I (in reply to end of
DATA command)

--C9D1616847.1102161943/mc6.midcoast.com
Content-Description: Delivery error report
Content-Type: message/delivery-status

Reporting-MTA: dns; mc6.midcoast.com
Arrival-Date: Sat, 4 Dec 2004 07:05:43 -0500 (EST)

Final-Recipient: rfc822; ron@r.mail.midcoast.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
content rejected, id=19727-08 - VIRUS: Worm.Sober.I (in reply to end of
DATA command)

--C9D1616847.1102161943/mc6.midcoast.com
Content-Description: Undelivered Message
Content-Type: message/rfc822

Received: from test.dns.midcoast.com (test.dns.midcoast.com [69.39.100.30])
by mc6.midcoast.com (Postfix) with ESMTP id C9D1616847
for <ron@r.mail.midcoast.com>; Sat, 4 Dec 2004 07:05:43 -0500 (EST)
Received: by test.dns.midcoast.com (Postfix)
id 0276D23D385; Sat, 4 Dec 2004 07:07:34 -0500 (EST)
Delivered-To: ron@midcoast.com
Received: from luwak.midcoast.com (luwak.midcoast.com [69.39.100.7])
by test.dns.midcoast.com (Postfix) with ESMTP
id F13E623D18A; Sat, 4 Dec 2004 07:07:33 -0500 (EST)
Received: from glqnc.net (pcp04040536pcs.wbrmfd01.mi.comcast.net [68.43.226.227])
by luwak.midcoast.com (Postfix) with SMTP
id B50062BAF6F; Sat, 4 Dec 2004 07:09:12 -0500 (EST)
From: Nannygoat@comcast.net
To: Your_Account@random-abstract.com
Date: Sat, 04 Dec 2004 11:52:44 GMT
Subject: Details
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <04bc.010160e7ef8@comcast.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="======bac5a05bcff.ccaf9f442c1d5"
Content-Transfer-Encoding: 7bit

This is a multi-part message in MIME format.

--======bac5a05bcff.ccaf9f442c1d5

I was surprised, too!
Who_could_suspect_something_like_that? shityiiiii
--======bac5a05bcff.ccaf9f442c1d5
Content-Type: application/octet-stream; name=thats_hard.zip
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="thats_hard.zip"
 
   / Do you think this is a virus/worm/trojan? #2  
I am getting the same type of message all the time. In fact I am seriously thinking of changing my email address as I am getting so many. I must be on someone's mailing list. But the hidden zip file is what scares me all the time. We have Norton/Symantec Corporate Edition and it does not pick these up at all. It may be intrusion software or adware of some kind, just not sure. I went out to www.trendmicro.com and did an online scan and did find some viruses on my computer that Norton did not pick up. So I am wondering how good Norton actually is?

murph
 
   / Do you think this is a virus/worm/trojan? #3  
Back in January I received similar bounce messages from about two THOUSAND different ISPs stating the intended recipients didn't exist on their servers, with each bounce message listing several nonexistent recipients.

I also got a couple of strongly-worded personal replies from recipients of the spam!

I estimate my email address was used in the 'from' field on 10,000 bounced messages and an unknown number of spams that actually made it through to someone.

Thousands of other people's names appeared randomly next to my email id, and none of the routing cited was through my ISP, so I am certain that represented a 'joe-job' (misuse of my email address) rather than anything that actually originated here.

In my case it declined from hundreds of bounces per day, to a couple per month now.

Ignore it, somewhere your email id or address is being used in the 'from' field by a spammer.


Background:
Some idiot named 'White Rabbit' wrote a modified version of Forte Agent with all the fields represented by variables, and the ability to fill each of those fields from a large database of names or routing data. It was originally intended to harass newsgroups. Look up 'Hipcrime', who made extensive use of it.

Then the spam houses adapted the program to send untraceable spam. Since each message is unique it is difficult to trap them with spam filters.

If there was a zipfile attached to the spam then there may well have been a malicious payload with your return address on it.
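The check post #3 describes (which hosts actually relayed the message, and whether any of them belong to the address in the From line) can be run mechanically against the bounce quoted in post #1. The script below is an added example, not code from the thread or from any of the posters. It parses the DSN with Python's standard-library email package, pulls the remote server's diagnostic (the Worm.Sober.I rejection), walks the Received headers of the returned message down to the oldest hop, and compares that hop's HELO name with the reverse DNS of the connecting IP. SAMPLE_BOUNCE is a trimmed copy of the headers in post #1 with folded lines re-indented and the attachment body replaced by a constructed placeholder; the two-label domain comparison and the final verdict rule are this example's own heuristics, not any standard.

```python
"""Triage a bounce (DSN): backscatter from a forged sender, or a bounce of mail the
user really sent?  Added example, not code from the thread.  SAMPLE_BOUNCE is a trimmed
copy of the bounce in post #1 (folded headers re-indented; attachment body is a placeholder)."""
import email
import re
from email import policy
from email.utils import parseaddr

SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mc6.midcoast.com (Mail Delivery System)
To: Nannygoat@comcast.net
Content-Type: multipart/report; report-type=delivery-status;
    boundary="C9D1616847.1102161943/mc6.midcoast.com"

--C9D1616847.1102161943/mc6.midcoast.com
Content-Type: message/delivery-status

Final-Recipient: rfc822; ron@r.mail.midcoast.com
Diagnostic-Code: X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
    content rejected, id=19727-08 - VIRUS: Worm.Sober.I (in reply to end of
    DATA command)

--C9D1616847.1102161943/mc6.midcoast.com
Content-Type: message/rfc822

Received: from luwak.midcoast.com (luwak.midcoast.com [69.39.100.7])
    by test.dns.midcoast.com (Postfix) with ESMTP
    id F13E623D18A; Sat, 4 Dec 2004 07:07:33 -0500 (EST)
Received: from glqnc.net (pcp04040536pcs.wbrmfd01.mi.comcast.net [68.43.226.227])
    by luwak.midcoast.com (Postfix) with SMTP
    id B50062BAF6F; Sat, 4 Dec 2004 07:09:12 -0500 (EST)
From: Nannygoat@comcast.net
Content-Type: multipart/mixed; boundary="======bac5a05bcff.ccaf9f442c1d5"

--======bac5a05bcff.ccaf9f442c1d5

I was surprised, too!
--======bac5a05bcff.ccaf9f442c1d5
Content-Type: application/octet-stream; name=thats_hard.zip
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="thats_hard.zip"

cGxhY2Vob2xkZXIgLSBib2R5IG9taXR0ZWQ=
--======bac5a05bcff.ccaf9f442c1d5--

--C9D1616847.1102161943/mc6.midcoast.com--
"""

# Received: from <helo> (<rdns> [<ip>]) by <host> ... with <proto>; rdns may be absent.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)(?:.*?\swith\s+(?P<proto>\S+))?", re.I)

def org_domain(host):
    """Crude registrable-domain guess (last two labels); no public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw_bounce):
    bounce = email.message_from_string(raw_bounce, policy=policy.default)
    diagnostic = final_recipient = inner = None
    for part in bounce.iter_parts():
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload():  # per-message block, then per-recipient blocks
                if block.get("Diagnostic-Code"):
                    diagnostic = " ".join(str(block["Diagnostic-Code"]).split())
                if block.get("Final-Recipient"):
                    final_recipient = str(block["Final-Recipient"]).split(";")[-1].strip()
        elif part.get_content_type() == "message/rfc822":
            inner = part.get_payload()[0]  # the message that bounced
    if inner is None:
        raise ValueError("no message/rfc822 part; not a standard DSN")
    claimed_from = parseaddr(str(inner.get("From", "")))[1]
    claimed_org = org_domain(claimed_from.rsplit("@", 1)[-1])
    # Received hops with a 'from' clause, newest first; the oldest is where the mail entered.
    matches = (HOP_RE.match(" ".join(str(h).split())) for h in inner.get_all("Received", []))
    hops = [m.groupdict() for m in matches if m]
    injecting = hops[-1] if hops else None
    helo_ok = bool(injecting and injecting["rdns"]
                   and org_domain(injecting["helo"]) == org_domain(injecting["rdns"]))
    esmtp = bool(injecting and (injecting["proto"] or "").upper().startswith("ESMTP"))
    relayed = any(org_domain(h["by"]) == claimed_org for h in hops)  # claimed domain's MTA in path?
    rejected_as_virus = bool(diagnostic and "VIRUS" in diagnostic.upper())
    checks = [
        (rejected_as_virus, "content rejected as malware: %s" % diagnostic),
        (injecting and not helo_ok, "HELO name does not match reverse DNS of the connecting IP"),
        (injecting and not esmtp, "injected with plain SMTP, not ESMTP (typical of a worm's own engine)"),
        (not relayed, "no mail server of %s relayed the message" % claimed_org),
    ]
    return {"claimed_from": claimed_from, "final_recipient": final_recipient,
            "diagnostic": diagnostic, "rejected_as_virus": rejected_as_virus,
            "injecting_hop": injecting, "helo_matches_rdns": helo_ok, "injected_with_esmtp": esmtp,
            "relayed_by_claimed_domain": relayed, "indicators": [t for c, t in checks if c],
            "attachments": [(p.get_filename(), p.get_content_type()) for p in inner.iter_attachments()],
            # Heuristic verdict: malware rejection, or never relayed by the claimed domain plus a HELO lie.
            "is_backscatter": rejected_as_virus or (not relayed and not helo_ok)}

if __name__ == "__main__":
    print(*("%s: %s" % item for item in triage(SAMPLE_BOUNCE).items()), sep="\n")
```

Run as a script it prints the report. For this bounce the telling lines are that the returned message entered the mail system at 68.43.226.227 (a Comcast customer host, going by its reverse DNS) announcing itself as glqnc.net over plain SMTP, that no comcast.net mail server appears anywhere in the path, and that the receiving side rejected the content as Worm.Sober.I. Note the trap: the injecting host's reverse DNS is itself under comcast.net, the same domain as the forged From address, so a naive "does the sending IP belong to the sender's domain" check would pass; comparing HELO with reverse DNS and looking for a relay of the claimed domain is what separates the cases. None of this says which machine on that network was infected; that would take the ISP's own logs.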
 
   / Do you think this is a virus/worm/trojan? #4  
There is a trojan already on your computer. Your computer was used by someone else to send that e-mail and when it couldn't be delivered it bounced back to you.
 
   / Do you think this is a virus/worm/trojan? #5 (Thread Starter)
I'm running Norton Antivirus 2005, Norton Personal Firewall 2005, both with up-to-date definitions. I'm behind a Linksys hardwire router (not wireless) with full security. I run up-to-date Ad-Aware and Spybot Search&Destroy scans twice a week. I've tested my computer at Gibson Research Shields Up! and am running in total stealth mode.

What more is a poor boy to do?
 
   / Do you think this is a virus/worm/trojan? #6  
You got me.............................

I run McAfee and have still been infected and/or had my browser hijacked. There are a few speciality programs out there just for trojans and they seem to nail what McAfee misses. But even among the speciality programs you get different results when they scan for infections.

The last time I got hit I had over 200 infections within a couple of days. I finally just backed up my important data and then reformatted my hard drive to wipe everything out.

Then I quit using MS IE and Outlook. Haven't been infected since.
 
   / Do you think this is a virus/worm/trojan? #7  
( Then I quit using MS IE and Outlook. Haven't been infected since. )

What programs are out there then for a replacement for Outlook. We use Outlook at our office for calendar sharing. Is there another program out there?

murph
 
   / Do you think this is a virus/worm/trojan? #8  
I get them every now and then too.

Your e-mail has been "spoofed". Here's an article (a bit "techie") that talks about it.
CERT - e-mail spoofing

Basically, without a lot of effort and tech knowledge on your part, there doesn't seem to be too much you can do.
 
   / Do you think this is a virus/worm/trojan? #9 (Thread Starter)
Thank you.
 
   / Do you think this is a virus/worm/trojan? #10  
For alternatives to IE and Outlook Express I would recommend Netscape 7.2. I use it now and I like it a lot better than IE and Outlook. Netscape 7.2 comes bundled with Communicator which is their e-mail client. I think it does a better job than Outlook when filtering junk mail (easier to configure, too). If you don't want to use Netscape (which is Mozilla based) you can download the Mozilla browser and I think that comes with its own e-mail client, too. You can also download Mozilla's other browser Firefox. That seems a bit basic and you will need to install some other things like Flash, Quicktime, Shockwave, or other plugins when needed. It also doesn't come bundled with an e-mail client, but you can download Mozilla's Thunderbird client which is a good client and complements Firefox nicely.
 
 