support@microsoft.com e-mails

ojai00

Diamond Member
Sep 29, 2001
3,291
1
81
I've been getting these really weird e-mails from support@microsoft.com. Here's how one of them goes:

---------------------------
From: support@microsoft.com
Date: Mon, 19 May 2003 13:52:09 -0500
To: (edited)
Subject: Cool screensaver
Attachment: ref-394755.pif

All information is in the attached file.
---------------------------

Now I know better than to open it since Microsoft doesn't send e-mails with one-line bodies. Notice the .pif extension. My Outlook disables that file, calling it potentially harmful. Anyone else getting these? I think I should shoot an e-mail out to Microsoft.
 

Kevin

Diamond Member
Jan 1, 2002
3,995
1
0
I got one today as well. Interestingly enough, mine came with a note from RoadRunner explaining it was a virus and could not be cleaned. According to them it's W32.HLLW.Mankx@mm...
 

KeyserSoze

Diamond Member
Oct 11, 2000
6,048
1
81
Someone PM a MOD, and ask them to make this a sticky. Seems like a few people have been getting these, and I suspect that a few more will fall victim to this.

MODS!!!! Do something with your lives :p

KeyserSoze
 

acidvoodoo

Platinum Member
Jan 6, 2002
2,972
1
0
Yeah, I got four, had no idea what it was, so I stupidly opened it. Hotmail didn't say anything about it, and so far nothing has happened to my comp, but I'll scan anyway.
 

ojai00

Diamond Member
Sep 29, 2001
3,291
1
81
Thanks everyone. I got an e-mail from McAfee about this but didn't bother to read it. Should've done so before posting...:eek:
 

P.O.W.

Senior member
Feb 8, 2000
359
1
0
Originally posted by: acidvoodoo
Yeah, I got four, had no idea what it was, so I stupidly opened it. Hotmail didn't say anything about it, and so far nothing has happened to my comp, but I'll scan anyway.

I've got a test box that I used to open it. It does not have antivirus. Ad-Aware picked up a data mining program. I did go ahead and install Norton AntiVirus since, and there is only one executable that it found. I don't have email on this computer, so I imagine that it does more damage if you have Outlook.
 

Harvey

Administrator, Elite Member
Oct 9, 1999
35,057
67
91
It's W32.Sobig.B@mm, a worm that is spreading very quickly. Info from Symantec.
W32.Sobig.B@mm is a mass-mailing worm that sends itself to all the email addresses that it finds in the files with the following extensions:
  • .wab
  • .dbx
  • .htm
  • .html
  • .eml
  • .txt
Refer to the Technical Details section of this writeup for the characteristics of the email message.

The worm is also network aware. It enumerates the network resources and copies itself to the following folders on other computers to which it has access:
  • Windows\All Users\Start Menu\Programs\StartUp
  • Documents and Settings\All Users\Start Menu\Programs\Startup
NOTES:
  • The worm deactivates on May 31, 2003, and therefore, the last day on which the worm will spread is May 30, 2003.
  • Virus definitions dated prior to May 19, 2003 may detect this threat as W32.HLLW.Mankx@mm.
Symantec Security Response has created a tool to remove W32.Sobig.B@mm. Click here to obtain the tool.

Also Known As: W32.HLLW.Mankx@mm, W32/Palyh@MM [McAfee], W32/Palyh-A [Sophos], I-Worm.Palyh [KAV], WORM_PALYH.A [Trend], Win32.Palyh.A [CA]
Type: Worm
Infection Length: 52,898 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

When W32.Sobig.B@mm is executed, it performs the following actions:

1. Copies itself as %Windir%\msccn32.exe.

NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

2. Creates the following files:
  • %Windir%\hnks.ini
  • %Windir%\msdbrr.ini
3. Adds the value:

"System Tray"="%Windir%\msccn32.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that W32.Sobig.B@mm runs when you start Windows.

4. If the operating system is Windows NT/2000/XP, then the worm will also add the value:

"System Tray"="%Windir%\msccn32.exe"

to the registry key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

5. Enumerates the Network Resources and copies itself to the following folders:
  • Windows\All Users\Start Menu\Programs\StartUp
  • Documents and Settings\All Users\Start Menu\Programs\Startup
6. Attempts to download data from four different GeoCities Web pages. The addresses of these Web pages are stored in the aforementioned .ini files.

Email Routine Details
W32.Sobig.B@mm uses its own SMTP engine to email itself to all the contacts it finds in the files with the following file extensions:
  • .wab
  • .dbx
  • .htm
  • .html
  • .eml
  • .txt
Technical Details

The email message has the following characteristics:

From: support@microsoft.com

Subject: The subject line will be one of the following:
  • Your details
  • Approved (Ref: 38446-263)
  • Re: Approved (Ref: 3394-65467)
  • Your password
  • Re: My details
  • Screensaver
  • Cool screensaver
  • Re: Movie
  • Re: My application
Message Body: All information is in the attached file.

Attachment: The attachment name will be one of the following:
  • your_details.pif
  • ref-394755.pif
  • pproved.pif
  • password.pif
  • doc_details.pif
  • screen_temp.pif
  • screen_doc.pif
  • movie28.pif
  • application.pif
Symantec usually puts out their LiveUpdate on Wednesdays, but they had an early one today because of this. Note the link to a removal tool in the above quote from their page.
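The writeup quoted above gives a fixed e-mail template (sender, subjects, one-line body, attachment names) and a short list of host artifacts (the "System Tray" Run value, msccn32.exe and the two .ini files in %Windir%). The block below turns those quoted indicators into a check you can run over raw messages and over a snapshot of a machine's Run key and %Windir% listing. It is an added example for this page, not code from the thread or from Symantec; the sample messages and host snapshots are constructed, the "three or more template matches" threshold is this example's own choice, and the wider list of executable extensions is an assumption that goes beyond the .pif names the writeup lists.

```python
"""Triage e-mail and host artifacts against the W32.Sobig.B@mm indicators.

Added example; not from the original thread or from Symantec's writeup.
Indicator values are the ones quoted in the thread. Sample messages and
host snapshots are constructed for this demo; the threshold is ours.
"""
from email import message_from_string
from email.message import Message
from typing import Dict, List, Tuple

SOBIG_B_FROM = "support@microsoft.com"
SOBIG_B_SUBJECTS = {
    "your details", "approved (ref: 38446-263)",
    "re: approved (ref: 3394-65467)", "your password", "re: my details",
    "screensaver", "cool screensaver", "re: movie", "re: my application",
}
SOBIG_B_BODY = "all information is in the attached file."
SOBIG_B_ATTACHMENTS = {
    "your_details.pif", "ref-394755.pif", "pproved.pif", "password.pif",
    "doc_details.pif", "screen_temp.pif", "screen_doc.pif", "movie28.pif",
    "application.pif",
}
# Host artifacts from the writeup: the Run value and the dropped files.
SOBIG_B_RUN_VALUE = ("System Tray", "msccn32.exe")
SOBIG_B_FILES = {"msccn32.exe", "hnks.ini", "msdbrr.ini"}
# Assumption (not in the writeup): flag any directly executable attachment
# even when its name is not on the list above.
EXECUTABLE_EXTENSIONS = (".pif", ".scr", ".exe", ".com", ".bat")


def attachment_names(msg: Message) -> List[str]:
    """Lower-cased filenames of every MIME part that carries a filename."""
    return [p.get_filename().strip().lower() for p in msg.walk() if p.get_filename()]


def body_text(msg: Message) -> str:
    """Concatenated, lower-cased text/plain parts (attachments excluded)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(chunks).strip().lower()


def score_message(raw: str) -> Tuple[int, List[str]]:
    """Count how many parts of the worm's fixed template a message matches."""
    msg = message_from_string(raw)
    reasons = []
    if SOBIG_B_FROM in (msg.get("From") or "").lower():
        reasons.append("sender spoofs support@microsoft.com")
    if (msg.get("Subject") or "").strip().lower() in SOBIG_B_SUBJECTS:
        reasons.append("subject is on the Sobig.B list")
    if body_text(msg) == SOBIG_B_BODY:
        reasons.append("body is the one-line Sobig.B template")
    for name in attachment_names(msg):
        if name in SOBIG_B_ATTACHMENTS:
            reasons.append(f"attachment name on the Sobig.B list: {name}")
        elif name.endswith(EXECUTABLE_EXTENSIONS):
            reasons.append(f"executable attachment: {name}")
    return len(reasons), reasons


def is_sobig_b(raw: str) -> bool:
    """Three or more template matches: treat it as the worm, not coincidence."""
    return score_message(raw)[0] >= 3


def host_hits(run_values: Dict[str, str], windir_files: List[str]) -> List[str]:
    """Match a Run-key snapshot (value name -> data, from HKLM or HKCU
    ...\\CurrentVersion\\Run) and a bare %Windir% listing against the writeup."""
    hits = []
    name, exe = SOBIG_B_RUN_VALUE
    data = run_values.get(name, "").lower()
    if data.endswith(exe):
        hits.append(f"Run value {name!r} -> {data}")
    hits += [f"dropped file: {f}" for f in windir_files if f.lower() in SOBIG_B_FILES]
    return hits


# Constructed samples (not real captures).
SAMPLE_WORM = """\
From: support@microsoft.com
To: victim@example.com
Subject: Cool screensaver
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sobig"

--sobig
Content-Type: text/plain

All information is in the attached file.
--sobig
Content-Type: application/octet-stream; name="ref-394755.pif"
Content-Disposition: attachment; filename="ref-394755.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--sobig--
"""
SAMPLE_BENIGN = "From: alice@example.org\nSubject: Re: lunch?\n\nNoon works.\n"
SAMPLE_RUN = {"System Tray": "C:\\WINDOWS\\msccn32.exe", "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe"}
SAMPLE_WINDIR = ["explorer.exe", "msccn32.exe", "hnks.ini", "win.ini"]

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, score_message(raw))
    print(host_hits(SAMPLE_RUN, SAMPLE_WINDIR))
```

The scoring deliberately requires several template fields to line up before calling a message the worm: a lone .pif from a friend still gets a reason recorded, but only the full spoofed-sender, listed-subject, one-line-body, listed-attachment combination trips `is_sobig_b`. To use `host_hits` on a live Windows box you would read both Run keys named in the writeup and list %Windir% yourself; the function only does the matching, so it runs the same on any platform.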
 

GeekDrew

Diamond Member
Jun 7, 2000
9,099
19
81
Yeah, I've gotten quite a few viruses (eliminated thanks to Symantec NAV) that appear to have come from support@RR.com or something like that... I didn't pay much attention... Norton says virus, I say delete. I remember that they were addresses that viruses shouldn't originate from though ;)

Drew
 

kt

Diamond Member
Apr 1, 2000
6,032
1,348
136
ojai00, I suggest you remove your email address from your post unless you like being spammed.
 

MaxDepth

Diamond Member
Jun 12, 2001
8,757
43
91
I got one in my scubadiving account. The mail system is too backward to handle the virus, but it may have gotten into the host system(s). I emailed the webhead to let him know it was floating around their server.

 

ojai00

Diamond Member
Sep 29, 2001
3,291
1
81
Originally posted by: kt
ojai00, I suggest you remove your email address from your post unless you like being spammed.

lol. Thanks kt. I thought about it when I posted, but I didn't think people would stoop that low :evil: