Hrmmm I just got an email from "anand"

[canadianpsycho]

I just got an email from "anand" (anand@anandtech.com)...

No text... 2 files attached:

1) noad .pif
2) vwp[1].htm

I play video games. This means nothing to me. Does it mean anything to anyone else?

Outlook Express won't even let me save them to disk so I can scan them for a virus.

 

[AndyHui]

Fake address in the header?

 

[klah]

Post the header.

 

[Mill]

post the header please.

 

Don't open them until you are sure where they came from and if they are safe.
As the others have said,post the headers.

I find it hard to believe that Anand would email you these files.
(Unless it was an accident)

 

[kherman]

Umm, why would anand send you anything? DELETE
Why bother even being curious?

 

[murphy55d]

That's not even his address is it?

Site info says its anand.shimpi@anandtech.com

Just delete it.

 

[klah]

delete it... after posting the full header

 

[canadianpsycho]

Sorry, was playing CS.

How do I post the header?

Yeah, I'm a noob.

 

[canadianpsycho]

This it?

Received: from cavite.com ([202.138.140.10]) by mc1-f19.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
Fri, 4 Oct 2002 00:17:34 -0700
Received: from Ltltcxghp [202.138.140.8] by cavite.com
(SMTPD32-7.07) id A4F71C0086; Fri, 04 Oct 2002 15:36:23 +0800
From: anand <anand@anandtech.com>
To: beaucoupfishscarface@hotmail.com
Subject: Of Service
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=BVu9563D41g639v7IvV7uc
Message-Id: <200210041536953.SM00964@Ltltcxghp>
Date: Fri, 4 Oct 2002 15:36:34 +0800
Return-Path: mondy@cavite.com
X-OriginalArrivalTime: 04 Oct 2002 07:17:36.0826 (UTC) FILETIME=[1DB131A0:01C26B76]

 

[PsychoAndy]

Yes, thats a header.

Looks like a good 'ol fashioned spoof.

-PAB

 

[Radiohead]

Ingenious, disguise as Anand and send to an Anandtech memeber

 

[canadianpsycho]

I'm not really too concerned or anything... I typically never open attachments. Also, I didn't think it was from Anand anyways. Just figured I'd post it incase anyone cared. And now I realize exactly what a header is

 

[vi edit]

.pif = BAAAAAAD

 

[MrBond]

Forward those headers to the moderator via PM. Chances are they can match the originating ip to a member here if someone here sent it

 

[canadianpsycho]

Originally posted by: MrBond
Forward those headers to the moderator via PM. Chances are they can match the originating ip to a member here if someone here sent it

Should have thought of that sooner. Mods are aware of the thread.

 

[Garet Jax]

Originally posted by: PsychoAndy
Yes, thats a header.

Looks like a good 'ol fashioned spoof.

-PAB

How could you tell it was a spoof? Is it because the sending domain cavite.com does not match the From address domain?

 

[Deeko]

Originally posted by: Garet Jax

Originally posted by: PsychoAndy
Yes, thats a header.

Looks like a good 'ol fashioned spoof.

-PAB

How could you tell it was a spoof? Is it because the sending domain cavite.com does not match the From address domain?

Likely the part that says "return path= mondy@cavite.com"

 

[klah]

That seems to be sent via an ISP in the Philipines.

 

[Harvey]

I smell virus. From Symantec's homepage

Security Response: W32.Bugbear@mm W32.Bugbear@mm is a mass-mailing worm that is rapidly spreading to Windows users.

The subject and attachment name of incoming emails are randomly chosen. The attachment will have a double extension ending in .exe, .scr, or .pif.

Like Klez, this thing spoofs sender names and subject titles. Info on this virus. This one is serious enough that they have also issued a removal tool, as well.

Norton typically updates their Live Update service weekly, usually on Wednesdays. They also post intermediate alerts and updates between these scheduled releases through their Intelligent Update system. In this system, you download an executable file to update your version or NAV. To use it, go to their home page, and click on any new threat listing to learn which software versions are affected and how to deal with it.