Virus-laden e-mails

Hi to all,

Can anyone help me please?
As this problem is driving me mad, with the e-mails that I keep getting that are loaded with the Win32.Sobig:F virus.
As over the last 5 days, I have got about 500+ e-mails that have the Win32 Sobig F virus attached to them. (All have been deleted)
I am using Windows XP Home (up to date), with Avast Free, SpyBot, a2, Ad-Aware Free and Spyware Blaster.
I have checked my computer with Avast on 3 occasions, the same with the other stuff and nothing found.
I have used a removal tool twice, still nothing, but still I keep getting the e-mails coming.
I have also checked my computer twice with an online anti-virus scanner, again nothing.

I check my e-mails with Mailwasher, so that they don’t get near my computer.
And still each time I check my mail, I get loads of these e-mails loaded with the virus.

I have also done the same with my son’s computer, as we are sharing a Broadband connection via a Router.

Does anyone have any ideas about my problem, and if I am infected?
As I have had 2 e-mails saying that I have sent out 2 infected messages.

A copy of what one contained is below: (which made Avast log an infected message)

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

jr@********.com
This message has been rejected because it has
a potentially executable attachment “your_document.pif”
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.

------ This is a copy of the message, including all the headers. ------

Return-path: <highwaman@****.co.uk>
Received: from [24.61.69.156] (helo=DELL2)
by hades.liveshere.com with esmtp (Exim 4.52)
id 1EzKOj-0005sO-TP
for jr@********.com; Wed, 18 Jan 2006 15:59:21 -0500
From: highwaman@yahoo.co.uk
To: jr@beachcoverealty.com
Subject: Re: Your application
Date: Fri, 21 Dec 2001 0:50:40 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_NextPart_000_018DA414"

This is a multipart message in MIME format

--_NextPart_000_018DA414
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

See the attached file for details
--_NextPart_000_018DA414
Content-Type: application/octet-stream;
name="your_document.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="your_document.pif"

Then there is a load of characters that might as well be ancient Greek to me!!

I have never seen or used this e-mail address above.
And now I am even beginning to doubt the results that are before me on my own computer, after running the tests.

I have submitted a Hijack This log to another website, but the help I got did not help.
And my questions about the answer I got have not been replied to.
This is the problem: most of the addresses I do not know, and are totally random to me.
And most of them are new ones, although some are now getting doubled/tripled or even quadrupled up from the same address.
And it was only when one stood out that I know, 3 days ago, that made me contact the person in case they were sending them.
As before that, I had deleted about 150 of these e-mails as a virus intrusion onto my computer.
And now that I know this person has scanned their computer, and found nothing.
It makes me think that the problem lies with me, and my computer.

But how can it?
As every test shows that the Win32.Sobig.F virus is not on my machine.
And now the addresses say I am infecting them, but they have the same virus attached to them according to Avast anti-virus.

Please help me, thanks in advance.

Hi johnaz

Symantec has a removal tool that might help if you are infected:

http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.removal.tool.html

The fact that you are getting loads of infected emails doesn’t mean that you are infected, just that your email address has got into the wild or someone you know or have contacted via email is infected and they are pumping out infected emails to everyone in their address book. This infected person’s/system’s email addresses could also have been transmitted back to the virus originator to use for other purposes, notwithstanding sending more viruses.

From addresses can be, and often are, faked using an email address from the address book of the infected system. Dumb ISP email servers just bounce the email back to the supposed sender without any check to see that it did in fact come from them. Simple answer: delete these too using MailWasher.

It can also be a trick to have you open the attached file to see what all the fuss is about and bingo, you’re infected. There are many devious people out there who will use this method to try and spread the virus.

Unfortunately you can’t take who an email is from at face value, it is simply too easy to forge.

This page backs up what David said:

http://www.spywareinfo.com/articles/spoofing/

Hi,

Pardon me saying, but with using Mailwasher, I am now bouncing the e-mails back to the sender.
And for the first time in 7 days, I am getting my normal e-mail on my Yahoo account.
Without having to wade through loads of virus-infected e-mails.
And the amount of e-mails to me has dropped significantly.

Gary

I have been using MailWasher Pro for a little over two years. At first I used the novelty bounce function, but soon realised the futility of it with the ease of faking the from address.

It is an absolute waste of time and email traffic to bounce emails, as for the most part the from address is faked and all you achieve is to bounce the email to an innocent bystander.

Delete the emails using MailWasher, but don’t bounce them and increase someone else’s email traffic when it is highly unlikely that they sent the email.

So I suggest you re-read my previous post and the link that Frank posted to see the futility of bouncing emails.

I use Spamihilator as my main spamkiller!
Are there similarities in the email addresses? If that is the case you could set “jr@*” in the “do not download messages but auto-delete” section,…

I would certainly not “bounce” them,…cause then the spammer knows your email is used,…
In a way it does more bad than it does good,…

One thing that bothers me in spamkiller programs is that none actually auto-deletes when a certain attachment is found… you could say in “auto-delete-messages from server when *.pif is found”,…
This would be more effective cause most emails are at random, and you cannot really find a similarity.

In that case it wouldn’t matter if the sender is: binladen@terrorist.cc or wendyplummer@pif.com or whatever,… if the email has the attachment with a *.pif extension,…it is auto deleted anyway,… and in my opinion it would be much safer and more effective,…

good luck
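
Added example, not written by anyone in this thread: a Python sketch of the two checks discussed above, reading the real origin of a returned message from its Received line instead of trusting From, and deleting on attachment extension as the last post proposes. The function name `triage`, the `my_ips` argument and the `RISKY_EXT` list are assumptions made for illustration; the sample is constructed from the copy quoted in the first post.

```python
import email
import os
import re
from email import policy

# Constructed sample: the returned copy from the first post, with the mail
# addresses swapped for example.* placeholders and a dummy base64 body.
RETURNED_COPY = """\
Received: from [24.61.69.156] (helo=DELL2)
\tby hades.liveshere.com with esmtp (Exim 4.52)
\tid 1EzKOj-0005sO-TP
\tfor jr@example.com; Wed, 18 Jan 2006 15:59:21 -0500
From: someone@example.co.uk
To: jr@example.com
Subject: Re: Your application
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_018DA414"

--_NextPart_000_018DA414
Content-Type: text/plain; charset="iso-8859-1"

See the attached file for details
--_NextPart_000_018DA414
Content-Type: application/octet-stream; name="your_document.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="your_document.pif"

AAAA
--_NextPart_000_018DA414--
"""

# Illustrative list of directly executable extensions (an assumption).
RISKY_EXT = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}
# Exim-style hop as quoted in the thread: "from [client-ip] (helo=NAME)"
HOP = re.compile(r"from \[(?P<ip>[0-9.]+)\] \(helo=(?P<helo>[^)]+)\)")

def triage(raw, my_ips):
    """Report where a message entered the mail system and what to do with it."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Topmost Received line = written by the server that bounced the mail.
    # From and any Received lines further down are sender-supplied.
    hops = msg.get_all("Received", [])
    m = HOP.search(str(hops[0])) if hops else None
    ip, helo = (m["ip"], m["helo"]) if m else (None, None)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    risky = [n for n in names if os.path.splitext(n)[1].lower() in RISKY_EXT]
    return {"claimed_from": str(msg["From"]), "origin_ip": ip, "helo": helo,
            "sent_from_my_network": ip in my_ips, "risky_attachments": risky,
            "action": "delete, do not bounce" if risky else "deliver"}
```

Pass the public IP address(es) of your own connection as `my_ips`; if `origin_ip` is not among them, the message named in the bounce did not leave your network, whatever its From line says.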