
Microsoft Support just sent me an email with an atachment, but what the hell is the attachment?

The headers tell far more than whatever reply-to address someone put in the mail.
I don't know how you view the full headers in Outlook, but in Mozilla mail you just pick View->Headers->All

Not that it'll do any good, more than likely just you just got it from someone else who also opened it without knowing what it was.
 
It's W32.Sobig.B@mm, a worm that is spreading very quickly. Info from Symantec.
W32.Sobig.B@mm is a mass-mailing worm that sends itself to all the email addresses that it finds in the files with the following extensions:
  • .wab
  • .dbx
  • .htm
  • .html
  • .eml
  • .txt
Refer to the Technical Details section of this writeup for the characteristics of the email message.

The worm is also network aware. It enumerates the network resources and copies itself to the following folders on other computers to which it has access:
  • Windows\All Users\Start Menu\Programs\StartUp
  • Documents and Settings\All Users\Start Menu\Programs\Startup
NOTES:
  • The worm deactivates on May 31, 2003, and therefore, the last day on which the worm will spread is May 30, 2003.
  • Virus definitions dated prior May 19, 2003 may detect this threat as W32.HLLW.Mankx@mm.
Symantec Security Response has created a tool to remove W32.Sobig.B@mm. Click here to obtain the tool.

Also Known As: W32.HLLW.Mankx@mm, W32/Palyh@MM [McAfee], W32/Palyh-A [Sophos], I-Worm.Palyh [KAV], WORM_PALYH.A [Trend], Win32.Palyh.A [CA]
Type: Worm
Infection Length: 52,898 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

When W32.Sobig.B@mm is executed, it performs the following actions:

1. Copies itself as %Windir%\msccn32.exe.

NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

2. Creates the following files:
  • %Windir%\hnks.ini
  • %Windir%\msdbrr.ini
3. Adds the value:

"System Tray"="%Windir%\msccn32.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that W32.Sobig.B@mm runs when you start Windows.

4. If the operating system is Windows NT/2000/XP, then the worm will also add the value:

"System Tray"="%Windir%\msccn32.exe"

to the registry key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

5. Enumerates the Network Resources and copies itself to the following folders:
  • Windows\All Users\Start Menu\Programs\StartUp
  • Documents and Settings\All Users\Start Menu\Programs\Startup
6. Attempts to download data from four different GeoCities Web pages. The addresses of these Web pages are stored in the aforementioned .ini files.

Email Routine Details
W32.Sobig.B@mm uses its own SMTP engine to email itself to all the contacts it finds in the files with the following file extensions:
  • .wab
  • .dbx
  • .htm
  • .html
  • .eml
  • .txt
Technical Details

The email message has the following characteristics:

From: support@microsoft.com

Subject: The subject line will be one of the following:
  • Your details
  • Approved (Ref: 38446-263)
  • Re: Approved (Ref: 3394-65467)
  • Your password
  • Re: My details
  • Screensaver
  • Cool screensaver
  • Re: Movie
  • Re: My application
Message Body: All information is in the attached file.

Attachment: The attachment name will be one of the following:
  • your_details.pif
  • ref-394755.pif
  • pproved.pif
  • password.pif
  • doc_details.pif
  • screen_temp.pif
  • screen_doc.pif
  • movie28.pif
  • application.pif
Symantec usually puts out their LiveUpdate on Wednesdays, but they had an early one today because of this. Note the link to a removal tool in the above quote from their page.
 
Just got the same email I believe... Norton's caught it and deleted it, from MS Support, probably fake.
File from Norton's:
Norton AntiVirus removed the attachment: doc_details.pif.
The attachment was infected with the W32.HLLW.Mankx@mm virus.
Weird.

Thanx for info Harvey
 
Guess the moral here is to constantly keep your antivirus definitions up to date and don't be opening any attachments from unknown sources!
 
I got both of them and quickly deleted them. I assumed Microsoft would never send files like that, and if I don't know who sent them they get deleted. Script files and such can easily get past your antivirus. What I would like to know is how did they get my E-mail addy. Somebody I know with my address in their address book probably opened them, duh.
 
Here's an update for you people.
I ran an AVG Anti-Virus Complete test, deleted all viruses that were found, and deleted everything in the virus vault.
Now, about 30 mins ago, a message popped up saying that a file was infected, and to run AVG again, so I ran AVG, and it found nothing.
What's going on here then? Am I still infected or not?
 
HAHAHAHAAHAHA.

Here, I have a syringe filled with glowing yellow stuff. Don't worry, it'll boost your immune system, just go ahead and inject it.
 
Originally posted by: Lord Evermore
HAHAHAHAAHAHA.

Here, I have a syringe filled with glowing yellow stuff. Don't worry, it'll boost your immune system, just go ahead and inject it.

😛
 
Originally posted by: BoomAM
Here's an update for you people. I ran an AVG Anti-Virus Complete test, deleted all viruses that were found, and deleted everything in the virus vault. Now, about 30 mins ago, a message popped up saying that a file was infected, and to run AVG again, so I ran AVG, and it found nothing. What's going on here then? Am I still infected or not?


That's very odd. I've been running AVG for quite a while, and that's never happened to me. Try running one of the online virus scanners, like the ones from Symantec, Trend Micro or McAfee, and see what they say. It'll take a while, but better safe than sorry with this stuff.
 
Originally posted by: Harvey
It's W32.Sobig.B@mm, a worm that is spreading very quickly. Info from Symantec:
  • The worm deactivates on May 31, 2003, and therefore, the last day on which the worm will spread is May 30, 2003.

That's very interesting. Being as it was first reported yesterday/the day before, it means that the virus has a designed life of only a fortnight. For all you hear of virus writers justifying themselves by saying that they didn't want to cause any damage, they just wanted to see if they could do it, you don't see stuff like this.

A virus writer with a social conscience? Admittedly one on the amoeba level, but it's a start.
 
I saw 2 emails coming in from support@microsoft.com, and deleted them straight away. I've never given that email address to MS, so how would they get it!

I'm in the UK, too, so I guess what was reported of it affecting UK email addresses is right.


Confused
 
Originally posted by: BingBongWongFooey
DO NOT OPEN EXECUTABLE EMAIL ATTACHMENTS! (I thought this was common knowledge around here at least?)


Heh ... I've gotten several of these, and opened one up to have a look. But then, I'm immune 😀
 
Originally posted by: Confused
I saw 2 emails coming in from support@microsoft.com, and deleted them straight away. I've never given that email address to MS, so how would they get it!

I'm in the UK, too, so I guess what was reported of it affecting UK email addresses is right.


Confused
I'm in the UK as well. I read on one of the previous links that the UK is the worst hit up to now.
 
Guys, this has just popped up on the screen
Screenshot

But I can't open the System Volume Information folder, it says access denied, and scanning it with AVG reveals nothing.
How can I access the System Volume Information folder, so I can scan and remove the virus?
 
BoomAM, you need to do this

Originally posted by: BoomAM
Guys, this has just popped up on the screen
Screenshot

But I can't open the System Volume Information folder, it says access denied, and scanning it with AVG reveals nothing.
How can I access the System Volume Information folder, so I can scan and remove the virus?

 
None of that will work for some reason. The folder is on WinXP Home, using NTFS, and it only says how to do it with NTFS in WinXP Pro.
I've tried the DOS thing and that doesn't work either, here's what I'm putting in.
cacls "c:\System Volume Information"/e/g BoomAM:f
And it just brings up a list of commands.
 
Managed to get access, there's a space between /e and /g. lol

BTW, I ran the Symantec Online Virus Scanner at about 3:00/15:00 UK time, and it detected nothing, so as far as I can tell the only remains of the virus is/was in the System Volume Information folder.

Now, I previously switched off System Restore, and deleted all recent restore points using Disk Cleanup, cos the .../_restore/... relates to System Restore.
I've accessed the folder, and the file A0109422.pif is gone. I've virus scanned the folder again, and it detects nothing. Am I finally now rid of the annoying little ah heck?
 
Hudster, thanks for the link. Much appreciated.
Thanks also go to everyone else who helped with info and advice on how to get rid of the ah heck.

Now i just hope that everything is finally back to normal.
 
Got the email today as well...

"This mail is probably spam. The original message has been attached along with this report, so you can recognize or block similar unwanted mail in future. See http://spamassassin.org/tag/ for more details.

Content preview: This is a multipart message in MIME format This
e-mail in its original form contained one or more attached files that
were infected with a virus or worm, or contained another type of
security threat. The following attachments were infected and have been
repaired: No attachments are in this category. The following
attachments were deleted due to an inability to clean them: 1.
ref-394755.pif: W32.HLLW.Mankx@mm The Following attachments were not
delivered due to inbound mail policy violations: No attachments are in
this category. Road Runner does not contact the sender of the infected
attachment(s) in the event that they were not actually sent from the
indicated party. Please contact the sender directly to alert them of
their issue with infected files if you wish to do so. For more
information on Road Runner's virus filtering initiative, visit our Help
& Member Services pages at http://help.rr.com, or the virus filtering
information page directly at http://help.rr.com/faqs/e_mgsp.html.
Original message text follows All information is in the attached file.
file attachment: ref-394755.pif This e-mail in its original form
contained one or more attached files that were infected with the
W32.HLLW.Mankx@mm virus or worm. They have been removed. For more
information on Road Runner's virus filtering initiative, visit our Help
& Member Services pages at http://help.rr.com, or the virus filtering
information page directly at http://help.rr.com/faqs/e_mgsp.html. [...]

Content analysis details: (4.50 points, 4 required)
NO_REAL_NAME (0.7 points) From: does not include a real name
FORGED_MUA_OUTLOOK (3.3 points) Forged mail pretending to be from MS Outlook
MISSING_MIMEOLE (0.5 points) Message has X-MSMail-Priority, but no X-MimeOLE

The original message did not contain plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor."
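An added detection example, my own code rather than anything from the thread, Symantec or SpamAssassin: it applies the two header rules and scores quoted in the SpamAssassin report above (NO_REAL_NAME, MISSING_MIMEOLE, threshold 4), plus one combined indicator built from the From address, subject lines and .pif attachment names listed in the Symantec writeup earlier in the thread, to a constructed sample message. The 4.0 weight for the worm indicator, the sample message, and the use of Python's email module are my assumptions; FORGED_MUA_OUTLOOK is not reimplemented because the thread does not describe its logic.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr

# Indicators quoted from the Symantec writeup earlier in the thread.
WORM_FROM = "support@microsoft.com"
WORM_SUBJECTS = {"Your details", "Approved (Ref: 38446-263)",
                 "Re: Approved (Ref: 3394-65467)", "Your password",
                 "Re: My details", "Screensaver", "Cool screensaver",
                 "Re: Movie", "Re: My application"}
WORM_ATTACHMENTS = {"your_details.pif", "ref-394755.pif", "pproved.pif",
                    "password.pif", "doc_details.pif", "screen_temp.pif",
                    "screen_doc.pif", "movie28.pif", "application.pif"}
# NO_REAL_NAME/MISSING_MIMEOLE scores and the threshold of 4 come from the
# SpamAssassin report above; the SOBIG_B_SIGNATURE weight is an assumption.
RULE_SCORES = {"NO_REAL_NAME": 0.7, "MISSING_MIMEOLE": 0.5, "SOBIG_B_SIGNATURE": 4.0}
THRESHOLD = 4.0

def analyse(raw: bytes) -> dict:
    """Score a raw RFC 822 message; returns matched rules, score and verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    realname, addr = parseaddr(str(msg.get("From", "")))
    if addr and not realname:                     # From: has no display name
        hits.append("NO_REAL_NAME")
    if "X-MSMail-Priority" in msg and "X-MimeOLE" not in msg:
        hits.append("MISSING_MIMEOLE")            # Outlook sets both headers
    names = {p.get_filename() for p in msg.iter_attachments()}  # not the body
    if (addr.lower() == WORM_FROM and str(msg.get("Subject", "")) in WORM_SUBJECTS
            and names & WORM_ATTACHMENTS):
        hits.append("SOBIG_B_SIGNATURE")
    score = round(sum(RULE_SCORES[h] for h in hits), 2)
    return {"rules": hits, "score": score, "flagged": score >= THRESHOLD}

# Constructed sample shaped like the worm mail described in the thread.
SAMPLE = b"""\
From: support@microsoft.com
Subject: Re: Approved (Ref: 3394-65467)
X-MSMail-Priority: Normal
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

All information is in the attached file.
--b1
Content-Type: application/octet-stream; name="ref-394755.pif"
Content-Disposition: attachment; filename="ref-394755.pif"

AAAA
--b1--
"""
```

Running `analyse(SAMPLE)` flags the sample at 5.2 points; a message with a display name in From: and no attachment matches nothing.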
 
Originally posted by: drag
The file ran. It just went too quick for you to notice the MS-DOS window. It would have given you an error or asked what program you wanted to open up the attachment in. So whatever it is you've probably already installed it on your computer. Why the hell MS support would mail you an attachment without explaining what it was is a mystery to me. Open up a DOS window and run it from there and see what information it poops out if you're interested. I would e-mail Microsoft support a copy of the e-mail and attachment and ask them why they sent it to you. More than likely, you'd best be sure that your virus definitions are kept up to date on a daily basis and make sure that you keep an eye on background processes and such.

I got the _same_ email today. An attachment from MS.com? Yeah, right. The blurb that came with it was very unMS and I deduced it was BS and deleted the file from my ISP's server - I use Mailwasher, so that was easy. Just because this appeared to come from microsoft.com doesn't mean it did. I decided that was a ruse. Total BS. I've been getting other stuff that _appears_ to be associated with MS, but I've spocked it out too. Just more BS. Spammers are just full of tricks. Look, people, when Microsoft wants to update you they do it via Windows Update. It's that simple. They don't send you attachments especially without a cogent explanation.
 
How bad is everyone else getting hit by this? I am getting like 15 emails a day. I imagine some have to be getting hundreds. At least it will be over soon.

Brian
 