OK, I’m a bit spooked. In the past 24 hours every E-mail account to which I am currently subscribed has begun filling up with messages from random other accounts, stating that they are returning messages rejected because they contain a virus or worm.
The majority of the ‘returns’ quote one of the following subject lines:
Thank You!
Approved
Details
Your Application
Most say they were delivered to the recipients with a file attached; the most common file name is:
document_all.pif
The truly weird thing is that these are coming in via all four of the completely unrelated accounts to which I have subscriptions, of which only one uses Outlook, AFAIK the most common virus remailer target, as an E-mail client. The accounts affected include a Hotmail account, a Compuserve account, my company E-mail, and another company E-mail account in which my name does not appear. According to their headers the rejected messages originated from my accounts.
It’s most likely the Klez worm or a variant of it trying to spread itself. It tries to spoof your email address and sends itself to harvested email addresses. I get a bunch of these too.
The headers on the trojan-carrying messages were probably spoofed. If your username is pretty common, it can happen with greater frequency than most people experience.
Mail servers are incredibly naive, believing the header information despite the fact that most spammers and malware authors do not use their real return addresses when sending their junk. So they’ll bounce a message back to you even if you did not in fact send it, just because your address was listed as the return address. The other option is for the mail server to delete the message without bouncing, but the risk of false positives is sometimes too great to warrant deletion without notification as the default behavior.
I had to talk my officemate down for this problem this morning. He was freaking out, man.
So as far as I can tell, it pulls the forged From address header from your address book. So someone who’s mailed you has the virus, not you. For four different accounts, it could be four different people infected.
The trick is to pay attention to where the messages are being bounced from, and ask yourself “who do I know that also knows these people?”
Then make sure the person is alerted to the problem. This happened to me, and I was eventually able to work out who had the bug by the types of mailing-lists they were on, and send them an e-mail with removal instructions.
It sounds to me like Sobig.f is the likely culprit in your case. Info here
This happened to me this morning. Not our fault, and I can’t track down who’s actually got the bug (since it’s my company’s info@ address that’s being referenced, and thousands of people have that). It’s a bit embarrassing for our company, though.
I checked my e-mail at work on the web. I got a ton of those messages, which I deleted without opening. I don’t get them at home because they are filtered out by my spam blocker. (I still get too much spam, though.)
I have been running Norton Anti-Virus for a long time. I have Live Update, so it stays current. It ran every Sunday. Yesterday I manually downloaded the latest code (i.e., I manually ran Live Update) and changed my virus checker scheduler to run every day.
Question: Will Norton catch these? (I heard that some viruses are hidden in ZIP files that virus checkers don’t catch. FWIW, I don’t open attachments.)
Just checking - you are running a firewall, aren’t you? (if you’re not behind a company one) Zone Alarm is free and stops untrusted programs emailing out or acting as servers.
Won’t help if the virus is on someone else’s box and your address is being spoofed of course.
Sorry if this is a Granny/Egg-sucking thing, but the Blaster RPC worm shows that a lot of people still aren’t behind firewalls.
I’ve received about 350 of these messages since yesterday evening at my personal e-mail address. I checked the Symantec site first thing I saw them last night, and it tells you what the Sobig worm puts on your system - a file in the Windows folder, and an entry in the registry. My computer had neither of these, so I think I’m not to blame for any of it.
Interestingly, not one of the messages I received had an attachment - they were all just one line of text, saying something like “Please look at the attached file.” I guess my mail server stripped the attachment.
And no, Norton AV probably won’t help you avoid these, because they come out so quickly. You just need to be very careful not to run e-mail attachments.
We’ve been getting them here through the school e-mail (web based) as well, since yesterday. I do run a firewall; I updated Norton last night, ran a scan, and it found nothing.
There are fewer so far this morning, but it still concerns me that my e-mail address is being used somehow. After my first class (starts in half an hour), I’m going to pop over to the computer center on campus and see what they can tell me - just to make sure that it’s not my computer.
The sobig.f worm has exploded over the last two days, and has even made the major news services. I had been resisting use of a filter, but when the number of bad emails sent to me reached 55 per hour (and at 80KB per, that’s over 4MB!) I felt I had to activate the virus filter.
But the tools the ISPs use are one step behind the virus writers. The virus filter mine uses, “postini,” lets all “returned mail” messages through, and a spoofed returned mail is just one of the sobig’s tricks.
Also, even though many ISPs scan email sent to/from their customers, the scanners return the bad mail TO THE ADDRESS IN THE HEADER, which in 100% of these cases IS NOT THE ADDRESS IT CAME FROM!!
So the filters are responsible for perpetuating the mess. You can’t win.
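As an added example (not part of this thread and not code anyone here posted), the following Python script does what the earlier advice to "pay attention to where the messages are being bounced from" amounts to, and shows concretely why a scanner that bounces to the address in the header blames the wrong person. It parses a handful of "returned mail" notices, ignores the forged From, and walks the Received chain of the quoted original down to the first hop, which is the only record of the machine that really connected. The bounce notices, host names and IP addresses are constructed for the example; the victim's own mail server is assumed to be 192.0.2.10.

```python
import email
import email.policy
import re
from collections import Counter

# Constructed sample backscatter (not real captures).  Each "returned mail"
# notice quotes the headers of the worm message that was actually sent.  The
# forged From is always the same victim; the bottom Received line was stamped
# by the first server the infected machine connected to, so it records the
# real origin.  Hosts and addresses are hypothetical.
MARKER = "--- Below this line is a copy of the message."


def bounce(reporter, rcpt, relay_ip, origin_ip, subject):
    """Build one constructed bounce notice in the style of a qmail/sendmail report."""
    return f"""From: MAILER-DAEMON@{reporter}
To: victim@example.org
Subject: failure notice

Your message contained a virus (W32.Sobig.F@mm) and was not delivered.
{MARKER}

Received: from mx.{reporter} (mx.{reporter} [{relay_ip}])
\tby mail.{reporter} with ESMTP id h7JFq3Xv for <{rcpt}>;
\tTue, 19 Aug 2003 11:52:03 -0400
Received: from example.org (unknown [{origin_ip}])
\tby mx.{reporter} with SMTP id h7JFpwYd for <{rcpt}>;
\tTue, 19 Aug 2003 11:51:58 -0400
From: <victim@example.org>
To: <{rcpt}>
Subject: {subject}
"""


BOUNCES = [
    bounce("example.net", "alice@example.net", "198.51.100.7", "203.0.113.45", "Thank You!"),
    bounce("example.com", "bob@example.com", "192.0.2.25", "203.0.113.45", "Approved"),
    bounce("example.edu", "carol@example.edu", "198.51.100.90", "198.51.100.23", "Details"),
    # Some scanners strip everything, leaving nothing to attribute (constructed).
    "From: MAILER-DAEMON@example.info\nTo: victim@example.org\n"
    "Subject: Virus found\n\nYour message was rejected because it contained a virus.\n",
]

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def quoted_original(bounce_text):
    """Parse the headers of the message the bounce quotes; None if it quotes nothing."""
    if MARKER not in bounce_text:
        return None
    tail = bounce_text.partition(MARKER)[2].lstrip("\n")
    return email.message_from_string(tail, policy=email.policy.default)


def first_hop_ip(msg):
    """IP from the earliest Received header: the host that handed the mail to the first relay."""
    # Each relay prepends its own Received line, so the last one in header
    # order is the first hop.  The HELO name before it ("from example.org") is
    # whatever the sender claimed and is ignored; only the bracketed address
    # was observed by the relay itself.
    for line in reversed(msg.get_all("Received") or []):
        m = IPV4.search(str(line))
        if m:
            return m.group(1)
    return None


def passed_through(msg, ip):
    """True if the given server appears anywhere in the relay chain."""
    return any(f"[{ip}]" in str(line) for line in msg.get_all("Received") or [])


def triage(bounces, my_server_ip):
    """Count bounces per blamed address and per real first-hop origin."""
    blamed, origins = Counter(), Counter()
    via_my_server = unattributable = 0
    for text in bounces:
        orig = quoted_original(text)
        if orig is None:
            unattributable += 1
            continue
        blamed[orig["From"].addresses[0].addr_spec] += 1   # who the scanner blamed
        origins[first_hop_ip(orig) or "unknown"] += 1       # who really sent it
        via_my_server += passed_through(orig, my_server_ip)
    return blamed, origins, via_my_server, unattributable


if __name__ == "__main__":
    blamed, origins, via_mine, unknown = triage(BOUNCES, "192.0.2.10")
    print("address blamed in the forged From:", dict(blamed))
    print("real first-hop origins:", dict(origins))
    print("copies that passed through my own server:", via_mine)
    print("bounces with nothing quoted to go on:", unknown)
```

Two of the three attributable bounces trace back to the same first-hop address and one to another, which matches the point made earlier in the thread that bounces hitting several of your accounts may mean several different infected correspondents; none of them ever passed through the victim's own server. The last notice, with the original stripped, shows the limit of the technique: a bounce that quotes nothing cannot be attributed at all, which is also why the scanner that generated it had no business mailing the header address.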
The first several hundred of these that I got were just one line, something like “Please see the attached file,” with no attachment, so they downloaded quickly and I could delete them easily. Then last night, they suddenly started coming in with a 70-odd Kbyte attachment on each one. It took a couple of hours to download my e-mail because of that (I had 200 more last night).
What could explain that? It would seem that a filter used by my ISP’s mail server might let the first ones through, then delete the attachment from later ones, not the other way around. The first one that came through with an actual attachment was probably number 400 that I received.