Dealing with MyDoom

Old 27 January 2004, 05:12 PM
  #1  
Markus

Mydoom, well, nice name, and it's partly living up to it for me. I hear rumors that it's DoS'ing SCO, which is nice.

Anyway, back to the point of this thread.

I am on a Macintosh, so Mydoom will not infect me, so that's cool. I'm actually using Panther (10.3.2) and Mail.app, and its junk email filter is capturing many, many instances, 200 plus at the moment, of the following email:


-----------------------
This e-mail is generated by the donkey mail server to warn you that the e-mail
sent by <not disclosed> to <not disclosed> is infected with virus: Win32/Mydoom.A@mm.

Please contact your system administrator for further information.

If you are the sender:
-------------------
The scanned e-mail has your address in the <From> header field. Either your
computer is infected or someone's computer having your e-mail address in
the address book has been infected.

(Please note that some viruses are sending e-mails directly from your computer.
Our advise is to check your computer using an up-to-date antivirus product).

If you are the receiver:
---------------------
Please contact the sender: most likely he/she doesn't know he/she has a computer virus.

Actions taken for the infected files:
-------------------------------------


The infected file was saved to quarantine with name: 1075226000-RAV31961.
The file (part0003:data.zip)->data.scr attached to mail (with subject:failure notice) sent by <not disclosed> to <not disclosed>
is infected with virus: Win32/Mydoom.A@mm.
Cannot clean this file.
Cannot delete this file (most probably it's in an archive).
The mail was not delivered because it contained dangerous code.

------------------------
this is a copy of the e-mail header:



RAV AntiVirus for Linux i386 version: 8.4.2 (snapshot-20030212)

Scan engine 8.11 for i386.
Last update: Tue, 27 Jan 2004 03:03:51 +00
Scanning for 89279 malwares (viruses, trojans and worms).




Obviously someone has me in their address book and the virus is hitting this server, and it's replying back to me as it thinks I sent the message, which I did not.

Now, here are the headers (taken out info about my mailserver for security reasons):


From ravms@donkey Tue Jan 27 11:54:26 2004
Received: from donkey.abracad.co.uk ([81.86.4.84])
by **REMOVED** (Merak 6.1.0) with SMTP id EZA37855
for <**REMOVED**>; Tue, 27 Jan 2004 16:51:41 -0000
Received: (qmail 31969 invoked from network); 27 Jan 2004 17:53:20 -0000
Received: from unknown (HELO donkey) (10.0.0.246)
by 10.0.0.246 with SMTP; 27 Jan 2004 17:53:20 -0000
From: "RAV AntiVirus" <ravms@donkey>
Subject: RAV AntiVirus scan results
Date: Tue, 27 Jan 2004 17:53:20 +0000
Importance: high
X-MSMail-Priority: 1
X-Priority: 1
X-Mailer: ravmd/8.4.2
MIME-Version: 1.0
Content-Type: text/plain;
charset=US-ASCII


Now, I can't reply as the sender address is invalid.

From the headers I can see donkey.abracad.co.uk ([81.86.4.84])

Now, that address does not exist, but if you replace donkey with www, I can find something.

So, now what? Send them (postmaster I assume) an email saying "uh, chaps, it's not me! stop it please!"? Or something else?

Sorry for the total ******** posting but I've never encountered this before; usually my personal email address is not affected by things as it's not given out that much, and my corporate one is dealt with by our servers so it's not a problem.

TIA

[Edited by Markus - 1/27/2004 5:15:41 PM]
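
Added example, not part of the original post: a short Python triage of the headers quoted above, showing which `Received` line identifies the host that actually handed the message over and why the notice can be filed as antivirus backscatter. The function name, the verdict labels and the three heuristics are assumptions made for this illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Headers as quoted in the post ("**REMOVED**" is the poster's redaction), with
# folded lines re-indented so they parse; the body is one line of the notice.
SAMPLE = """\
Received: from donkey.abracad.co.uk ([81.86.4.84])
\tby **REMOVED** (Merak 6.1.0) with SMTP id EZA37855
\tfor <**REMOVED**>; Tue, 27 Jan 2004 16:51:41 -0000
Received: (qmail 31969 invoked from network); 27 Jan 2004 17:53:20 -0000
Received: from unknown (HELO donkey) (10.0.0.246)
\tby 10.0.0.246 with SMTP; 27 Jan 2004 17:53:20 -0000
From: "RAV AntiVirus" <ravms@donkey>
Subject: RAV AntiVirus scan results
X-Mailer: ravmd/8.4.2

is infected with virus: Win32/Mydoom.A@mm.
"""

HOP = re.compile(r"from\s+(\S+).*?\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)", re.S)
# Assumed heuristics, not an exhaustive list of scanner products.
SCANNER = re.compile(r"ravmd|anti-?virus", re.I)
NOTICE = re.compile(r"infected with virus", re.I)

def classify(raw):
    msg = message_from_string(raw)
    hops = [m.groups() for h in msg.get_all("Received", []) if (m := HOP.search(h))]
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reasons = []
    if SCANNER.search(f'{msg.get("X-Mailer", "")} {msg.get("Subject", "")}'):
        reasons.append("scanner-generated")
    if NOTICE.search(msg.get_payload()):
        reasons.append("virus-notice-body")
    if "." not in domain:  # unqualified host name: a reply cannot be delivered
        reasons.append("unreplyable-sender")
    return {
        # Only the topmost Received line was written by the recipient's own
        # server; lower ones come from the sending side and prove nothing.
        "handoff": hops[0] if hops else None,
        "internal_hops": [h for h in hops if ipaddress.ip_address(h[1]).is_private],
        "reasons": reasons,
        "backscatter": len(reasons) >= 2,
    }

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The `handoff` pair is the address to quote when contacting a postmaster, and a filter rule keyed on the listed reasons keeps such notices out of the inbox without touching ordinary bounces.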
Old 27 January 2004, 05:41 PM
  #2  
stevencotton

You could spend time trying to tell people about these things but where would you draw the line? Just ignore them, this obviously isn't the first virus and it sure as hell won't be the last. Ignore all spam, don't talk about spam, and ignore all spam.

As regards SCO, well they're not my cup of tea either but I certainly don't condone or agree with the DDoS. It won't do any good, and it doesn't just affect SCO, those packets have to travel over other networks to get there.
Old 27 January 2004, 05:49 PM
  #3  
Markus

Have since emailed the postmaster saying "oi!"

I'm happy to ignore it and can, just funny seeing my mailbox fill up, as I've not seen that before, as in, a virus be that effective.

As for SCO, it is a little underhand to say the least, but I think people have been expecting this kind of thing for a little while now.