Merry Christmas Virus

 
Old 12-16-2004, 10:57 AM   #1
Chief Toilet Mover
 
Mike Finley's Avatar
 
Trade: Bathroom Remodeling
Join Date: Apr 2004
Location: Littleton, Colorado
Posts: 14,078

Merry Christmas Virus


Today I got about 2000 bounced back email messages saying they couldn't be delivered. They were being sent to names of a company I have never heard of and the sending email address was one listed as a contact on one of my websites. The sending email address doesn't exist as an email account. This website I own just forwards that email address to a private email account I own.

I think this is the virus: W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer.

Would I be correct to assume that Verio's computer that is hosting my site is the one infected? Do you think there is any danger because I looked at a few of the bounced back emails to see what was going on? They all had attachments which I didn't open. Could you get infected by looking at the email on AOL or would you have to open the attachment to get infected?

Mike Finley is offline  

Old 12-16-2004, 10:53 PM   #2
Member
 
Neil_K's Avatar
 
Trade: Handyman?
Join Date: Dec 2004
Location: Fort Mill, SC
Posts: 83

Re: Merry Christmas Virus


Unfortunately, it's most likely that the problem is not from your web host. The virus (also known as Zafi.d from McAfee) "spoofs" the sender's address. That means that someone else's computer had the address from your website and several other email addresses when the person invoked the virus. These viruses don't just use your address book like in the old days, but scan your temporary internet files for email addresses to use. It can pick up an email address that was just listed on a page. The virus sends out boatloads of emails and makes them look like they came from you. Hence, the undeliverable messages all come back to you. The undeliverable message would tell you why it was returned. It could be the user or domain doesn't exist or even that you sent them a virus and their mail system rejected it.


It is safe to open the undeliverable message, but I hope you did not try to open any attachment that had a .zip extension, as that may have been the virus. In this specific virus, a popup would have stated "ERROR IN PACKED FILE" when you try to open the attachment.

Please search your computer for the following to make sure you did not invoke the virus:

winamp 5.7 new!.exe
ICQ 2005a new!.exe


If you did, go to this website and read the manual instructions on how to remove the virus:

http://vil.nai.com/vil/content/v_130371.htm

NAI is Network Associates, who owns McAfee antivirus.

Good luck.

Neil
Neil_K is offline  
Old 12-17-2004, 10:31 AM   #3
Chief Toilet Mover
 
Mike Finley's Avatar
 
Trade: Bathroom Remodeling
Join Date: Apr 2004
Location: Littleton, Colorado
Posts: 14,078

Re: Merry Christmas Virus


So you are saying that because I have emails on my computer that were forwarded to me that have the address listed on my website that that is why my website's email address is listed as the sender?

The undeliverable and the virus found is the message contained in the bounced emails.

I didn't open any attachments and no trace of those 2 files is on my computer.

So you think my AOL account is sending these emails out directly and not Verio's mail server that is hosting my website?
Mike Finley is offline  
Old 12-17-2004, 10:54 PM   #4
Member
 
Neil_K's Avatar
 
Trade: Handyman?
Join Date: Dec 2004
Location: Fort Mill, SC
Posts: 83

Re: Merry Christmas Virus


How about I give the likely scenario?

Joe Surfer visits your website. Then he gets a Christmas card via email from Patricia. He opens it, but it's really a virus.

The virus scans his computer for email addresses, then starts sending messages out to the addresses it finds. At least one unfortunate soul (in this case, it's the email address on your website) looks like the sender. The recipient list is typically other email addresses found on other websites or from other emails Joe has sent or received.

I have to get geeky for a minute - The infected computer becomes its own SMTP relay (Simple Mail Transfer Protocol). The SMTP relay sends messages to the recipient domain, which typically accepts messages from any outbound relay.

The recipient domain returns the message to the sender (it looks at the email address) and sends you back a message saying the message is undeliverable. Most likely, either because the recipient doesn't exist or because the recipient mail system found a virus and rejected your message.

Did I make things worse?
Neil_K is offline  
Old 12-18-2004, 12:05 AM   #5
Pro
 
Teetorbilt's Avatar
 
Trade: Residential Contractor
Join Date: Feb 2004
Location: Jensen Beach, FL
Posts: 10,475

Re: Merry Christmas Virus


Neil, I was able to follow that and I see you as an invaluable member. Visit often.
Teetorbilt is offline  
Old 12-18-2004, 01:12 PM   #6
Chief Toilet Mover
 
Mike Finley's Avatar
 
Trade: Bathroom Remodeling
Join Date: Apr 2004
Location: Littleton, Colorado
Posts: 14,078

Re: Merry Christmas Virus


Not worse, it is becoming at least clearer than mud, probably like murky swamp water at this point.

But what I think you are saying is that just because I am getting the bounce backs doesn't mean they are being sent by my computer or my email account with AOL, nor the mail server associated with my website with Verio, is that right?

When will I stop getting them? I'm still getting like 1000 a day.
Mike Finley is offline  
Old 12-18-2004, 02:59 PM   #7
Member
 
Neil_K's Avatar
 
Trade: Handyman?
Join Date: Dec 2004
Location: Fort Mill, SC
Posts: 83

Re: Merry Christmas Virus


You are exactly right.

Unfortunately, you won't stop until the infected in-duh-vidual cleans their computer. You could set up a "rule" within your mail that automatically dumps the undeliverable mail straight to the trash can.
Neil_K is offline  
Old 12-18-2004, 03:00 PM   #8
Member
 
Neil_K's Avatar
 
Trade: Handyman?
Join Date: Dec 2004
Location: Fort Mill, SC
Posts: 83

Re: Merry Christmas Virus


That should be you won't stop *receiving the messages* until...
Neil_K is offline  
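
The mail rule suggested in post #7 can be narrowed so that it discards only bounces for mail that never left your own servers, using the spoofing mechanism described in post #4. The following is an added example, not part of any post in this thread: it reads the original headers that a bounce carries back and checks which IP handed the message to the bouncing server. `OWN_OUTBOUND`, the example addresses and the sample bounce are constructed assumptions.

```python
import email
import ipaddress
import re
from email import policy

# Assumption: the address range your own outgoing mail really leaves from.
OWN_OUTBOUND = [ipaddress.ip_network("192.0.2.0/28")]

def returned_headers(msg):
    """Headers of the original message that the bounce carries back."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def handoff_ip(original):
    """IP in the topmost Received line, stamped by the server that bounced it."""
    received = original.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0])) if received else None
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def classify(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type", "").lower() != "delivery-status"):
        return "not-a-bounce"
    original = returned_headers(msg)
    ip = handoff_ip(original) if original is not None else None
    if ip is None:
        return "unknown"  # keep for a human; do not auto-delete
    return "genuine" if any(ip in net for net in OWN_OUTBOUND) else "backscatter"

def sample_bounce(client_ip):
    """Constructed bounce; client_ip is who handed the mail to the bouncing server."""
    return (
        "From: MAILER-DAEMON@mx.example.net\nTo: contact@example.com\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\n'
        "\n--b\nContent-Type: text/plain\n\nUser unknown.\n"
        "--b\nContent-Type: message/delivery-status\n\n"
        "Final-Recipient: rfc822; nobody@example.net\nAction: failed\nStatus: 5.1.1\n"
        "\n--b\nContent-Type: text/rfc822-headers\n\n"
        f"Received: from pc ([{client_ip}]) by mx.example.net; Thu, 16 Dec 2004 10:00:00 -0700\n"
        "From: contact@example.com\nTo: nobody@example.net\nSubject: Merry Christmas\n\n--b--\n"
    )
```

Only the "backscatter" result is safe to send to the trash automatically; "genuine" bounces report real delivery failures for mail you sent, and "unknown" covers bounces that return no usable headers.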
Old 12-18-2004, 11:10 PM   #9
Custom Builder
 
Glasshousebltr's Avatar
 
Trade: From dirt to ridge vent
Join Date: Feb 2004
Location: South Central Illinois
Posts: 4,403

Re: Merry Christmas Virus


Quote:
Originally Posted by Teetorbilt
Neil, I was able to follow that and I see you as an invaluable member. Visit often.
Bravo Teetor, I agree, Neil come on by every time you get the chance.

Bob
Glasshousebltr is offline  
Old 12-20-2004, 09:29 AM   #10
Member
 
Neil_K's Avatar
 
Trade: Handyman?
Join Date: Dec 2004
Location: Fort Mill, SC
Posts: 83

Re: Merry Christmas Virus


I varied off the construction trade in college and took a route in computers. I'll gladly add my $.02 whenever possible. :Thumbs:
Neil_K is offline  
Old 01-02-2005, 09:34 PM   #11
Member
 
Neil_K's Avatar
 
Trade: Handyman?
Join Date: Dec 2004
Location: Fort Mill, SC
Posts: 83

Re: Merry Christmas Virus


Hey Mike - have the messages slowed down or subsided?
Neil_K is offline  
Old 01-03-2005, 10:11 AM   #12
Chief Toilet Mover
 
Mike Finley's Avatar
 
Trade: Bathroom Remodeling
Join Date: Apr 2004
Location: Littleton, Colorado
Posts: 14,078

Re: Merry Christmas Virus


Yeah Neil, it took about a week but they finally stopped. Thanks for the help.
Mike Finley is offline  
Old 01-03-2005, 09:56 PM   #13
Member
 
Neil_K's Avatar
 
Trade: Handyman?
Join Date: Dec 2004
Location: Fort Mill, SC
Posts: 83

Re: Merry Christmas Virus


Anytime, Mike.
Neil_K is offline  

