The Latest Rash of Virii
I’ve just gotten about 70 of the following MIME encoded virii in the last … 10 minutes. For anyone else who’s interested, here’s the reference:
From – Wed May 04 22:26:53 2005
X-Account-Key: account1
X-UIDL: 1064554056.82965
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path:
by postoffice7.mail.cornell.edu (Cyrus v2.1.11) with LMTP; Wed, 04 May 2005 21:41:59 -0400
Received: from hermes31.mail.cornell.edu (hermes31.mail.cornell.edu [132.236.56.56])
by postoffice7.mail.cornell.edu (8.12.10/8.12.6) with ESMTP id j451fsKN013432
for
Received: from soapstone1.mail.cornell.edu (soapstone1.mail.cornell.edu [128.253.83.143])
by hermes31.mail.cornell.edu (8.12.10/8.12.6) with ESMTP id j451fqrJ014690
for
Received: (from daemon@localhost)
by soapstone1.mail.cornell.edu (8.12.10/8.12.6) id j451fr0H016031
for ecb29@postoffice7.mail.cornell.edu; Wed, 4 May 2005 21:41:53 -0400 (EDT)
Received: from giotto.archiworld.it ([217.220.33.131])
by soapstone1.mail.cornell.edu (8.12.10/8.12.6) with SMTP id j451fgZQ015801
for
Message-Id: <200505050141.j451fgZQ015801@soapstone1.mail.cornell.edu>
Received: (qmail 20517 invoked for bounce); 5 May 2005 01:41:41 -0000
Date: 5 May 2005 01:41:41 -0000
X-PH: V4.1@soapstone1
From: MAILER-DAEMON@giotto.archiworld.it
To: ecb29@cornell.edu
Subject: [spam] failure notice
X-PMX-Version: 4.6.1.107272, Antispam-Core: 4.6.1.106808, Antispam-Data: 2005.5.4.14
X-PMX-Version: 4.7.1.128075, Antispam-Engine: 2.0.3.0, Antispam-Data: 2005.5.3.31
X-Text-Classification: spam
X-POPFile-Link: 127.0.0.1:8080/jump_to_message?view=119
Hi. This is the qmail-send program at giotto.archiworld.it.
I’m afraid I wasn’t able to deliver your message to the following addresses.
This is a permanent error; I’ve given up. Sorry it didn’t work out.
by 217.220.33.131 with SMTP; 5 May 2005 01:41:34 -0000
Received: from mailin01.albacom.net (217.220.34.15) by FE-mail04.sfg.albacom.net (7.0.009)
id 419590FE00FC8469 for francesca.gariazzo@archiworld.it; Thu, 5 May 2005 03:41:06 +0200
Received: (qmail 11404 invoked from network); 5 May 2005 01:41:03 -0000
Received: from unknown (HELO marasu.edu) (81.118.214.122)
by mailin01.albacom.net with SMTP; 5 May 2005 01:41:03 -0000
From: ecb29@cornell.edu
To: g.ciceri@archiworld.it
Date: Wed, 04 May 2005 21:58:57 UTC
Subject: Re:
Importance: Normal
X-Priority: 3 (Normal)
Message-ID:
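The useful part of a bounce like the one above is the Received chain of the quoted original: the From: line is forged (the worm borrowed ecb29@cornell.edu), but the IP that the first receiving MTA stamped on the message is what it actually saw. The following is an added example, not code from the original post; the sample is constructed from the headers quoted above, trimmed to the Received lines and with the addresses the page elided left out.

```python
import re

# Constructed sample: the bounce above, reduced to its Received headers plus the
# Received headers of the original message quoted inside the bounce body.
SAMPLE = """\
Received: from hermes31.mail.cornell.edu (hermes31.mail.cornell.edu [132.236.56.56])
 by postoffice7.mail.cornell.edu (8.12.10/8.12.6) with ESMTP id j451fsKN013432
Received: from soapstone1.mail.cornell.edu (soapstone1.mail.cornell.edu [128.253.83.143])
 by hermes31.mail.cornell.edu (8.12.10/8.12.6) with ESMTP id j451fqrJ014690
Received: from giotto.archiworld.it ([217.220.33.131])
 by soapstone1.mail.cornell.edu (8.12.10/8.12.6) with SMTP id j451fgZQ015801
Received: (qmail 20517 invoked for bounce); 5 May 2005 01:41:41 -0000
From: MAILER-DAEMON@giotto.archiworld.it

Hi. This is the qmail-send program at giotto.archiworld.it.

Received: from mailin01.albacom.net (217.220.34.15) by FE-mail04.sfg.albacom.net (7.0.009)
 id 419590FE00FC8469 for francesca.gariazzo@archiworld.it; Thu, 5 May 2005 03:41:06 +0200
Received: from unknown (HELO marasu.edu) (81.118.214.122)
 by mailin01.albacom.net with SMTP; 5 May 2005 01:41:03 -0000
From: ecb29@cornell.edu
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO = re.compile(r"\(HELO\s+([^)]+)\)")
# "Received: (qmail ...)" local-delivery stamps carry no "from" and are skipped.
HOP = re.compile(r"^Received:\s*from\s+(?P<src>.*?)\s+by\s+(?P<by>\S+)")

def unfold(text):
    """Join folded header lines (continuations start with whitespace) into logical lines."""
    lines = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_chain(text):
    """Every Received hop, latest first: (claimed source, recorded IP, HELO name, receiving MTA)."""
    hops = []
    for line in unfold(text):
        m = HOP.match(line)
        if m:
            ip, helo = IPV4.search(m["src"]), HELO.search(m["src"])
            hops.append((m["src"], ip and ip.group(1), helo and helo.group(1), m["by"]))
    return hops

def origin(text):
    """Earliest hop: the host that handed the mail to the first MTA. Only the 'by' side and
    the IP are written by the server; the host name and HELO are whatever the client claimed."""
    hops = received_chain(text)
    return hops[-1] if hops else None
```

On the sample, `origin()` returns the hop that claimed to be marasu.edu but was recorded by mailin01.albacom.net as 81.118.214.122; the cornell.edu hops belong to the bounce, not to the infected sender.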
This entry was posted on Wednesday, May 4th, 2005 at 10:29 pm.
5 Responses to “The Latest Rash of Virii”
This is the latest variant of Sober (Sober.O) that’s been running around CU campus for a few days now. Updated Symantec definitions catch it. Cornell’s PureMessage filters should be catching it shortly.
I got one sent from on campus that had the sender’s IP in the headers and I emailed CIT. The exchange is amusing to me:
CIT replied with:
I replied:
Funny how they assume I’m a complete ******…
In all fairness, if that is all you sent them the first time, that’s not much to go on. I work over at the HelpDesk (albeit on the Mac team), and *many* of the people I talk to really don’t have any clue what they are doing. If you were to say something to the effect of “I just got this virus. It didn’t affect my computer, but you should do something about it,” the response would have been much better. CIT is aware of the problem and is working on updating the PureMessage filters to catch the virus. In the meantime, if people don’t update their virus definitions (and many people don’t), then the virus is going to continue to spread. There is nothing CIT can do about stupid people.
I do admit the original email was a little sparse… but their response assumes I don’t know what I’m talking about. I dunno – as someone qualified to tell when a virus slips up and gives away where it’s sitting, it just bugs me.
So I probably shouldn’t have opened all those .ZIPs to see what the mail headers and errors they told me I had, huh.