Valhalla Legends Forums Archive | General Discussion | Got my first email worm today!

Author | Message | Time
iago
By "get" I mean "received". Beagle-h or something. I was impressed at the social engineering that went into it. It said, "There have been large numbers of emails going out from your account, blahblahblalh, and it was spoofed from "Umanitoba.ca staff", and was about removing a virus, we're sending you a free virus sender.

Sadly, whoever did it forgot to
a) spoof the reply-to address (so when I looked at the header I found the address of the infected person and warned him)
b) they made several spelling mistakes, which is pretty atypical of an automated administration message.
c) they had it from "Umanitoba.ca", but my school ALWAYS uses "UManitoba.CA".

It was pretty convincing, anyway, but I find it more fun to just virus scan it and laugh.
March 8, 2004, 11:49 PM
hismajesty
My mom received that as well, only it was from administration@cox.net or something like that. Luckily I found it first and deleted it, else she would have downloaded it I'm sure. I'm assuming it was the same thing since it said I had a complaint about a large number of emails; however, I don't recall it offering a free virus scan. Anyway, I'm sure they're related :).
March 9, 2004, 12:10 AM
Myndfyr
[quote author=iago link=board=2;threadid=5676;start=0#msg48450 date=1078789767]
a) spoof the reply-to address (so when I looked at the header I found the address of the infected person and warned him)
[/quote]

The reply-to address probably was spoofed -- what I've found is that when a worm infects your computer, it looks at your address book, claims to be from someone else on your address book, and sends it to other people from there.

My mom got one from adminstration@remax.com.
March 9, 2004, 12:59 AM
iago
[quote author=Myndfyre link=board=2;threadid=5676;start=0#msg48460 date=1078793978]
[quote author=iago link=board=2;threadid=5676;start=0#msg48450 date=1078789767]
a) spoof the reply-to address (so when I looked at the header I found the address of the infected person and warned him)
[/quote]

The reply-to address probably was spoofed -- what I've found is that when a worm infects your computer, it looks at your address book, claims to be from someone else on your address book, and sends it to other people from there.

My mom got one from adminstration@remax.com.
[/quote]

It was in the email header from the server. The "From" header was "Staff@Umanitoba.ca", which was obviously spoofed. Plus, I don't keep an address book, so even if it HAD gotten onto my computer, it wouldn't have been able to make it appear to come from one of my friends (perhaps some email address from temp internet files, but that would be pretty random).
March 9, 2004, 1:36 AM
Grok
[quote author=iago link=board=2;threadid=5676;start=0#msg48450 date=1078789767]
By "get" I mean "received". Beagle-h or something. I was impressed at the social engineering that went into it. It said, "There have been large numbers of emails going out from your account, blahblahblalh, and it was spoofed from "Umanitoba.ca staff", and was about removing a virus, we're sending you a free [color=yellow]virus sender[/color].
[/quote]

At least they were honest.
March 9, 2004, 2:55 AM
iago
[quote author=Grok link=board=2;threadid=5676;start=0#msg48471 date=1078800907]
[quote author=iago link=board=2;threadid=5676;start=0#msg48450 date=1078789767]
By "get" I mean "received". Beagle-h or something. I was impressed at the social engineering that went into it. It said, "There have been large numbers of emails going out from your account, blahblahblalh, and it was spoofed from "Umanitoba.ca staff", and was about removing a virus, we're sending you a free [color=yellow]virus sender[/color].
[/quote]

At least they were honest.
[/quote]

Scanner* :P
March 9, 2004, 3:04 AM
crashtestdummy
Did your scanner find it?
It might have been after variant.H; I think it was variant.K that they started coming through in a password protected encrypted attachment. AV programs couldn't open the file to scan it.
March 9, 2004, 6:40 AM
iago
[quote author=crashtestdummy link=board=2;threadid=5676;start=0#msg48496 date=1078814454]
Did your scanner find it?
It might have been after variant.H; I think it was variant.K that they started coming through in a password protected encrypted attachment. AV programs couldn't open the file to scan it.
[/quote]

Yes, it was in a password protected zip, and it was filtered out at the school's pop3 server. I didn't believe it anyway, but that's not the point :)
March 9, 2004, 2:10 PM
Stealth
[quote author=iago link=board=2;threadid=5676;start=0#msg48450 date=1078789767]
(so when I looked at the header I found the address of the infected person and warned him)
[/quote]

Sources of these e-mails are not always as they seem -- the From address is gleaned by many viruses from Outlook Express' contact list. This becomes especially apparent when your e-mail address is widely available.
March 11, 2004, 11:50 PM
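
Added example, not part of the original thread: a mail-triage sketch of the two checks discussed above, comparing the From and Reply-To domains and flagging ZIP attachments whose members are marked encrypted (which a scanner cannot open). The addresses, file names and the sample message are constructed, and the ZIP's "encrypted" flag is set by hand on benign text.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr


def encrypted_zip_members(data: bytes) -> list:
    """Names of ZIP members whose 'encrypted' flag (general-purpose bit 0) is set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []  # not a ZIP archive at all


def triage(raw: bytes) -> list:
    """Return triage findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    # Both headers are sender-controlled: a mismatch is a signal, not attribution.
    if reply_addr and reply_addr.rpartition("@")[2] != from_addr.rpartition("@")[2]:
        findings.append("reply-to-domain-mismatch:" + reply_addr)
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        for name in encrypted_zip_members(payload):
            findings.append(f"encrypted-zip-member:{part.get_filename()}/{name}")
    return findings


def build_sample() -> bytes:
    """Constructed sample: benign text in a ZIP whose encrypted flag is set by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice.txt", "constructed placeholder")
    data = bytearray(buf.getvalue())
    data[6] |= 1                             # flag bit 0 in the local file header
    data[data.find(b"PK\x01\x02") + 8] |= 1  # same bit in the central directory
    msg = EmailMessage()
    msg["From"] = "Staff <staff@example.edu>"
    msg["Reply-To"] = "someone@example.net"
    msg["Subject"] = "Account notice"
    msg.set_content("See attachment.")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="notice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```
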
