Virus? Anyone recognise this one...?


Evo7
18th Jun 2002, 20:46
Just received a rather strange e-mail


This message was created automatically by mail delivery software (Exim).

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
This message has been rejected because it has
an apparently executable attachment Lt.pif
This is a virus prevention measure.
If you meant to send this file then please
package it up as a zip file and resend it.

------ This is a copy of the message, including all the headers. ------
------ The body of the message is 123991 characters long; only the first
------ 65536 or so are included here.

Return-path: <[email protected]>
Received: from modem-806.duckdive.dialup.pol.co.uk ([62.25.155.38] helo=Amrsckco)
by mail5.svr.pol.co.uk with smtp (Exim 3.35 #1)
id 17KOdk-0007lq-00
for [email protected]; Tue, 18 Jun 2002 20:27:45 +0100
From: pprune <[email protected]>
To: [email protected]
Subject: Darling
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=ChQf2crhv00
Message-Id: <[email protected]>
Date: Tue, 18 Jun 2002 20:27:45 +0100

--ChQf2crhv00
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:MEEi31567 height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>

--ChQf2crhv00
Content-Type: audio/x-midi;
name=Lt.pif
Content-Transfer-Encoding: base64
Content-ID: <MEEi31567>

<lots of MIME snipped>


Anyone recognise the culprit?

Looks like it came from me, but it is very unlikely that it actually has. I'm running an up-to-date NAV2002, which finds nothing suspicious on my PC - and I've no idea who Terry Pullen is :)

FWIW, the e-mail address ([email protected]) is only used for this website.

Evo7
18th Jun 2002, 20:52
Although a quick search discovered...


Terry Pullen Eaglescott: PPL 600hr DHC1, PA12, S1S, C206


So he may be a PPRuNer... :)

Hew Jampton
18th Jun 2002, 22:22
NAV 2001 says that it picks it up. I think the removal tool is for people who only buy NAV after infection, or who don't subscribe to AutoUpdate.

PaperTiger
18th Jun 2002, 22:37
These trojans pick a random entry from the infected address book and send themselves to every other entry.

So the only thing known for sure is that both you and 'Terry' are in the address book of the person who does have the virus. Probably a PPRuNer too.

Since it looks like you have been 'selected' as the from address, you can probably expect some more undeliverable mail messages. I got similarly hijacked without ever being infected a while back. Took about a week before the fallout subsided.

Pr!cks !:mad:

Busta Level
18th Jun 2002, 23:07
I've just spent two days removing W32Klez from my mum's PC - she had not updated her Norton software!

V nasty virus - once it's in it won't let you install or update anti-virus programs. As stated above, the Norton website has comprehensive (10 pages+) information on how to remove the virus. A very long process :mad:

At least all of the e-mail forwarding computers are picking it up now. Mum had 250 returned e-mails that W32Klez had attempted to send out :eek:

Evo7
19th Jun 2002, 06:01
Thanks chaps.

My NAV2002 is up to date, but I've checked aisleman's link to be safe and I'm clean - that's a relief. It had me worried for a bit. :)

Evo7
19th Jun 2002, 08:14
The Symantec write-up is very interesting. It's a b@st@rd alright...

On the positive side, I've yet to receive any "you've sent me a virus" e-mails. I'm still slightly surprised that it doesn't trigger NAV though - presumably because the message lost the second half of the attachment when it was bounced?

ETOPS773
19th Jun 2002, 08:54
I got that b*****d of a virus too, hope to get it fixed tonight.
Downloaded the patch from Symantec at work, anyone else tried it?

The cheeky bloody virus, it cut off my Norton anti-virus and anti-virus update.

I'm not a happy bunny!!! :mad:

RomeoTangoFoxtrotMike
19th Jun 2002, 09:08
Quoth aisleman:

---8<-----
The curious thing is that it appears to be a bounced message from pol.co.uk which belongs to Energis. Does that mean their system is infected?!! Or is that part of the smoke screen.
---8<-----

POL (Planet OnLine) are the company contracted to provide the infrastructure for FreeServe, amongst others, and no their system is not infected.

POL's mail infrastructure is actually quite clever. As the error message says ("the clue is in the question" ;) ):

"This message has been rejected because it has
an apparently executable attachment Lt.pif
This is a virus prevention measure.
If you meant to send this file then please
package it up as a zip file and resend it. "

Their mailservers have been configured to reject messages which contain attachments which could "run" as an application (and thus infect you with a virus), either when you save them as files and double-click, or, in the case of poor unfortunates who have no choice other than to use LookOut!^H^H^H^HOutLook :eek:, if it decides to run the program anyway without asking.

The PIF extension stands for Program Information File, and is a legacy from the DOS/Windows 3.1 days.

HTH
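
The bounced message quoted at the top of the thread and the rejection rule described in this post, as an added example that is not part of the original thread and is not POL's or Exim's own filter code. It parses a MIME message the way a gateway check might, and flags the two things visible in the bounce: an attachment whose name ends in an executable extension (here Lt.pif, declared as audio/x-midi), and an HTML part whose zero-size <iframe> points at that attachment by cid:, which is what lets an HTML-rendering mail client load it without asking. The sample message is constructed from the layout of the quoted bounce; the addresses, the base64 body and the list of extensions treated as executable are assumptions (the thread only shows .pif being rejected).

```python
"""Inspect a MIME message for an executable attachment and a cid: iframe.

Added example, not POL's or Exim's filter. The SAMPLE message below is
constructed to mirror the bounce quoted in this thread; addresses, the
base64 body and EXEC_EXTENSIONS are assumptions.
"""
import email
import re
from email import policy

# Extensions a gateway would treat as "apparently executable" (assumed list).
EXEC_EXTENSIONS = {"pif", "exe", "com", "scr", "bat", "cmd", "vbs", "js", "lnk"}

# <iframe ... src=cid:XXXX ...>  (quotes optional, as in the quoted bounce)
IFRAME_CID = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?cid:([^'\"\s>]+)", re.I)

# Constructed sample: same structure as the bounced message in the thread.
SAMPLE = """\
From: pprune <sender@example.invalid>
To: victim@example.invalid
Subject: Darling
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=ChQf2crhv00

--ChQf2crhv00
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:MEEi31567 height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>

--ChQf2crhv00
Content-Type: audio/x-midi;
 name=Lt.pif
Content-Transfer-Encoding: base64
Content-ID: <MEEi31567>

cGxhY2Vob2xkZXI=

--ChQf2crhv00--
"""


def inspect_message(raw: str) -> dict:
    """Walk every leaf part and collect the suspicious traits."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {"executable_attachments": [], "iframe_cids": [],
                "auto_loaded_executables": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        # get_filename() falls back to the Content-Type "name" parameter,
        # which is where the quoted bounce carries Lt.pif.
        name = part.get_filename()
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if name and name.rsplit(".", 1)[-1].lower() in EXEC_EXTENSIONS:
            findings["executable_attachments"].append(
                {"name": name, "declared_type": ctype, "cid": cid})
        if ctype == "text/html":
            # get_content() undoes the quoted-printable encoding (=3D -> =).
            findings["iframe_cids"].extend(IFRAME_CID.findall(part.get_content()))
    # An iframe whose cid: target is an executable attachment means the
    # client is being asked to load the executable as part of rendering.
    names_by_cid = {a["cid"]: a["name"]
                    for a in findings["executable_attachments"] if a["cid"]}
    for cid in findings["iframe_cids"]:
        if cid in names_by_cid:
            findings["auto_loaded_executables"].append(names_by_cid[cid])
    return findings


def gateway_verdict(raw: str):
    """Return None to accept, or a rejection text in the spirit of the
    quoted bounce (the wording here is this example's, not Exim's)."""
    found = inspect_message(raw)
    if not found["executable_attachments"]:
        return None
    names = ", ".join(a["name"] for a in found["executable_attachments"])
    return (f"rejected: apparently executable attachment {names}; "
            "package it up as a zip file and resend")


if __name__ == "__main__":
    print(inspect_message(SAMPLE))
    print(gateway_verdict(SAMPLE))
```

The check is deliberately on the attachment name rather than the declared Content-Type, because the declared type is attacker-controlled and, as the bounce shows, is simply wrong (audio/x-midi for a .pif). A production filter would also look at the decoded bytes of the part rather than trusting the name, and, as the post notes, blocking by extension pushes the same payload into zip files, so the rule buys time rather than finality.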

Send Clowns
19th Jun 2002, 21:02
Well I've just found the one advantage of AOL. Because AOL doesn't use SMTP (this is a real pain for me) this virus couldn't use my computer to spread itself! Not great, but I knew it had to be there :D

worzel
25th Jun 2002, 19:28
I appear to be a third party victim as well. My system is clean but I've been getting two or three emails a day for the last six weeks or so returned as they contain viruses. I have not sent these emails and do not know any of the recipients. Is there anything I can do... I'm considering changing my email ( which will be a complete pain) just to get away from it!

RomeoTangoFoxtrotMike
25th Jun 2002, 22:55
If your system is really clean (how up-to-date is your virus scanner?) then these messages are actually coming from somebody who happens to have your address in their address book, which has been seized by the virus and used to forge the sender address in outgoing copies of itself.

It may be possible to work out who this is by reading the mail headers (Outlook doesn't display these by default.) Email me if you need further help with this.
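
Reading the headers to find where a forged-sender copy really came from, as an added example that is not part of the original thread. Received: headers are prepended by each server that handles a message, so the bottom-most line written by a server you trust names the machine that actually injected it; the From: line, as the thread explains, is just a name lifted from someone's address book. The parser below handles the Exim "from <reverse-dns> ([ip] helo=<name>) by <server>" form seen in the quoted bounce. The constructed header block reuses the Received line from the bounce at the top of the thread, with one assumed extra relay hop placed above it and placeholder addresses in From:/To:; other servers' Received formats are out of scope.

```python
"""Trace Received: headers back to the originating host.

Added example for this thread, not the poster's own method. The
constructed sample below reuses the Received line quoted in the
bounce; the top relay hop and the addresses are assumptions.
"""
import email
import re
from email import policy

# Exim-style hop: from <rdns> ([ip] helo=<helo>) by <server> ...
HOP = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[0-9.]+)\]"
    r"(?:\s+helo=(?P<helo>[^)\s]+))?\)\s+by\s+(?P<by>\S+)",
    re.I,
)

# Constructed sample. The second Received line is the one from the thread;
# the first (a relay above it) and the addresses are assumptions.
SAMPLE = """\
Received: from mail5.svr.pol.co.uk ([192.0.2.10])
\tby mx.example.invalid with esmtp; Tue, 18 Jun 2002 20:27:50 +0100
Received: from modem-806.duckdive.dialup.pol.co.uk ([62.25.155.38] helo=Amrsckco)
\tby mail5.svr.pol.co.uk with smtp (Exim 3.35 #1)
\tid 17KOdk-0007lq-00
\tfor victim@example.invalid; Tue, 18 Jun 2002 20:27:45 +0100
From: pprune <sender@example.invalid>
To: victim@example.invalid
Subject: Darling

body
"""


def trace_hops(raw: str) -> list:
    """Return hops top to bottom (most recent server first)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = str(value)          # folded lines are joined by the parser
        m = HOP.search(text)
        if not m:
            continue               # non-Exim formats are not handled here
        hop = m.groupdict()
        # The timestamp follows the last ';' in a Received header.
        hop["date"] = text.rsplit(";", 1)[-1].strip() if ";" in text else None
        # A HELO name that bears no relation to the reverse DNS (here
        # "Amrsckco" vs a dialup modem hostname) is typical of software
        # speaking SMTP directly to the MX rather than a configured client.
        hop["helo_mismatch"] = bool(hop["helo"]) and \
            hop["helo"].lower() != hop["rdns"].lower()
        hops.append(hop)
    return hops


def originating_host(raw: str):
    """The bottom-most parsed hop: the host that handed the message to the
    first server in the chain. This is only trustworthy down to the last
    server you trust; anything a sender writes below that can be forged."""
    hops = trace_hops(raw)
    return hops[-1] if hops else None


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        print(hop)
    print("origin:", originating_host(SAMPLE))
```

For the thread's situation the bounce came from pol.co.uk's own server, so its Received line is trustworthy and the IP plus timestamp in it is what an abuse desk at that ISP would need to identify the dialup customer whose machine is infected; the reverse-DNS name already says it was a modem line rather than the apparent sender.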