Help with Virus

reicherb

Platinum Member
Nov 22, 2000
I've got an E-mail that went from one of my users to one of my users. user1@domain.com to user1@domain.com, or at least that's what the message says. The sending server is outside though. Here is the message header.

MAIL FROM: kquadere@chesaning.k12.mi.us
RCPT TO: kquadere@chesaning.k12.mi.us
Received: from chesaning.k12.mi.us
([198.173.223.122])
by chesaning.k12.mi.us; Thu, 07 Nov 2002 12:05:24 -0500
FROM: <kquadere@chesaning.k12.mi.us>
DATE: Thu, 7 Nov 2002 12:03:21+0000
X-Mailer: EBT Reporter v 2.x
TO: kquadere@chesaning.k12.mi.us
subject:
Mime-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal



The message contained a readme.exe which was infected, and the message was:

Hello,

Product Name: Microsoft Windows XP
Product Id: 55274-OEM-0011903-00101

Process List:
NtLmSsp NT LM Security Support Provider
ProtectedStorage Protected Storage
SamSs Security Accounts Manager
SharedAccess Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
SysmonLog Performance Logs and Alerts
NtLmSsp NT LM Security Support Provider
ProtectedStorage Protected Storage
SamSs Security Accounts Manager
SharedAccess Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
SysmonLog Performance Logs and Alerts

Thank you.



Any ideas how to tell where this came from? Or how to stop it?

Thanks.
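An added example, not part of the thread, showing how to pull the connecting IP out of the quoted "Received:" line and flag the self-addressed pattern the post describes. The header block is re-typed from the post with the folded Received line joined onto one line; the internal address range is an assumed value, since the post does not say which networks the school's mail servers use.

```python
import re
from email import message_from_string

# Header block from the post, embedded as a constructed sample.
# The folded "Received:" line is joined onto one line so the parser accepts it.
SAMPLE = """\
Received: from chesaning.k12.mi.us ([198.173.223.122]) by chesaning.k12.mi.us; Thu, 07 Nov 2002 12:05:24 -0500
From: <kquadere@chesaning.k12.mi.us>
Date: Thu, 7 Nov 2002 12:03:21+0000
X-Mailer: EBT Reporter v 2.x
To: kquadere@chesaning.k12.mi.us
Subject:
Mime-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="

"""

# Address prefixes our own mail relays use. Hypothetical value: the post does not state it.
INTERNAL_NETS = ("192.168.",)


def parse_received(value):
    """Return (name the client announced, IP it actually connected from) from one Received header."""
    m = re.match(r"from\s+(\S+)\s+\(\[?([\d.]+)\]?\)", value)
    return (m.group(1), m.group(2)) if m else (None, None)


def triage(raw):
    """Return a list of indicators that the message is a spoofed, worm-style mail."""
    msg = message_from_string(raw)
    findings = []
    sender = msg.get("From", "").strip("<> ")
    recipient = msg.get("To", "").strip("<> ")
    # A mail "from" a user to that same user is the pattern the post describes.
    if sender and sender == recipient:
        findings.append("self-addressed")
    # The bracketed IP is what the receiving server saw; the name before it is only claimed.
    for helo, ip in (parse_received(v) for v in msg.get_all("Received", [])):
        if ip and not ip.startswith(INTERNAL_NETS):
            findings.append(f"external origin {ip} announcing itself as {helo}")
    if not msg.get("Subject", "").strip():
        findings.append("empty subject")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print("-", f)
```

The connecting IP in the Received line is the only part of this header the outside server could not choose freely, so it is the value to check against your own relay addresses and, if external, to block or report.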
 
Aug 27, 2002
10 words.......Virus scan, and you thought I didn't know how to add, 1bin+1bin=10 right?
Anyway, some viruses are very good at fooling and re-writing themselves to destroy any tracing info. All you can do is use good secure firewalls, change passwords regularly, update virus definitions regularly and pray, that's what the FBI and CIA do. And if it's good enough for them it's good enough for me.
Aren't you glad you make regular backups?