Maybe I Just Almost Fell Victim to a Windows Virus?

by Matthew Russell

Ok, so every once in a while, we (as in you and me) get these funny mail messages that just don't seem quite right...and then it dawns on us -- hey, this must be another one of those Windows viruses/worms/covert operations going around again.

I've pasted in a screen shot below of the latest one I just received. After trying to Google search for some context, I didn't get anything back, so maybe I'm privileged enough to be one of the first unsuccessful targets?

[Screenshot of the e-mail message]

And just in case you're wondering, after copying the attachment to a safe location and unzipping it, the Windows executable "File-packed_dataInfo.exe" was revealed. Hmm. I don't remember e-mailing that to anyone recently.

I'm curious as to what investigative process you use whenever you get junk like this. (As if the token "zip" extension isn't enough to give it away.)

Have you or anyone you know ever fallen victim to one of these things?

How much longer before the first big Mac-based outbreak?


15 Comments

vplewis
2005-11-21 19:10:39
Interesting
I just started getting them today as well. I used basically the same procedure to investigate—Same conclusion. I also got e-mails from the CIA and FBI ordering me to respond to a list of questions residing inside the ZIP document. Clever.
ciao,
Vince
nzumbi
2005-11-21 19:31:36
makes you wonder
this all makes you wonder about the people who actually do open these things.
I haven't gotten the FBI one yet though.
richtestani
2005-11-21 20:35:40
I just got a handful today
One of mine actually said -


"You've visited over 30 illegal website, please fill out the questionaire"
attached was a zip file called something like questionaire.zip


It was from cia.gov


I had a good laugh.


The others were mail-body.zip as well

skot.nelson
2005-11-21 21:12:51
none
none of this stuff has made it through the spam filters at the University of Toronto yet.


Or gmail.

esme
2005-11-22 00:44:08
I got slammed
Okay, I found you "guys" looking for some info on these emails I got blasted with tonight - four in just over an hour. Looks like I'm in good company - a combo of all of the above, incl the CIA one ...


Now, I am a fairly new Mac user, and a bit distressed. How do I know if my email is sending out junk automatically?

harold
2005-11-22 01:02:48
I got slammed
Relax, your mac isn't sending out stuff by itself.
The email is simply worded this way so as to fool people to open the attachment and become infected by the virus. (Which won't work on your mac anyway.)
eableson
2005-11-22 01:06:12
Heh - been around for a while
I've seen variants on those ones for over a year now. Basically it's just a matter of your email address getting trawled somewhere and getting on the trojan horse distribution lists.


For the new Mac user - don't worry about it. If you don't remember sending the message, then you probably didn't. Nothing to do with your machine at all.


I think you could categorize these as "technical phishing" since they purport to be a mail server instead of a financial entity, but since mail servers don't tend to send out glossy html formatted mails, they're easier to spoof.

CSShawn
2005-11-22 07:38:22
Check the headers
If you ask your mail client to display the full headers of the e-mail message you'll likely see that it's coming from some cable modem or DSL machine somewhere (verizon, comcast, rr.com, etc...). This particular virus is a variant of the Sober worm and just started across the 'net in the last couple of days.


While it can't affect your mac so far, don't get too complacent. The upcoming Intel-based Macs may be more susceptible.

ShrinkyNutsMcAngryPants
2005-11-22 08:18:58
Use the Terminal to get a file list
Instead of actually unzipping the document, use the Terminal to get a file list. Download it to a location of your choice, go to that location in the Terminal, and type:


unzip -l NameOfZipFile.zip

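The same idea as the `unzip -l` tip above, written out as an added example (it is not code from the post or from any commenter): read only the zip's central directory with Python's standard zipfile module, never extract anything, and flag members whose name ends in an executable extension or hides one behind a document-looking extension. The zip is constructed inline to resemble the attachment the post describes; the two extension sets and the `list.txt.scr` member are assumptions for the example.

```python
import io
import zipfile

# Extensions Windows runs on double-click; the ones these mailers rely on.
# This set is an assumption for the example, not an exhaustive list.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Document-looking inner extensions used to disguise a double extension.
DOCUMENT_EXTENSIONS = {".txt", ".doc", ".pdf", ".htm", ".html", ".jpg"}


def list_zip_members(zip_bytes):
    """Return (name, uncompressed size) for every entry. Only the central
    directory is read and nothing is extracted, the same as `unzip -l`."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]


def suspicious_members(zip_bytes):
    """Flag members whose name ends in an executable extension or hides one
    behind a document-looking extension."""
    findings = []
    for name, _size in list_zip_members(zip_bytes):
        base = name.lower().rsplit("/", 1)[-1]
        parts = base.split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((name, "executable extension " + ext))
        if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
            findings.append((name, "double extension"))
    return findings


def build_sample_zip():
    """Constructed attachment shaped like the mail-body.zip in the post: a bare
    EXE carrying the name the post found, a harmless text file, and a
    constructed double-extension name so the second check has something to hit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("File-packed_dataInfo.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("readme.txt", b"not a real message")
        zf.writestr("list.txt.scr", b"\x00" * 5)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for name, size in list_zip_members(sample):
        print("%10d  %s" % (size, name))
    for name, reason in suspicious_members(sample):
        print("SUSPICIOUS: %s (%s)" % (name, reason))
```

To use it on a real attachment, pass `open("mail-body.zip", "rb").read()` to `suspicious_members` instead of the constructed sample; the file is only ever opened for reading and no member is written to disk.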
ryan2004
2005-11-22 12:46:01
If you're curious
You can download ClamXav (the open-source antivirus program) at www.clamxav.com


Make sure the definitions are up to date and then scan the attachment, and it should tell you what kind of virus is lurking inside.

String
2005-11-22 13:02:07
Interesting
I'm getting these all the time, Thank God I'm on a Mac.
If you are on windows does this not feel like the enemy continually banging at the gates?
esme
2005-11-22 16:33:21
I got slammed
Whew - that's a relief, especially since I got hit with 8 more this morning! Thanks.
jochenWolters
2005-11-23 00:01:35
Handling these email worms on the Mac
I can't remember ever having received an email bounce message that did not contain the header of the bounced email right in the message body. So, the fact that the email that supposedly could not be delivered is included as an attachment, is a first indication that there is something not quite right.


Second step is to check the headers of the bounce message, as CSShawn already pointed out. If I can't link the (ISP) sender to any of my contacts, that surely means that the bounce was not caused by anything I sent.


Third step is to mumble some curses under my breath about the "level of security" of anything carrying the Windows badge, hit Mail's Delete button, and try to re-focus my concentration on more productive computer uses. *sigh*

pio1
2005-11-23 11:50:59
Interesting
This is bad:



From: Admin@fbi.gov [mailto:Admin@fbi.gov]
Sent: Thursday, 24 November 2005 1:40 AM
To: xxxx
Subject: Your_IP_was_logged


Dear Sir/Madam,


we have logged your IP-address on more than 30 illegal Websites.


Important:
Please answer our questions!
The list of questions are attached.



Yours faithfully,
Steven Allison



Attachment: question_list.zip contains



*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000


Return-Path:
Received: from jlsqip.gov (69.63.65-97.swazi.net [69.63.65.97] (may be forged))
by mail17.mymailserver (8.12.11/8.12.11) with SMTP id jANEhxkX026105;
Thu, 24 Nov 2005 01:44:05 +1100
From: Admin@fbi.gov
To: xxxx
Date: Wed, 23 Nov 2005 14:40:28 GMT
Subject: Your_IP_was_logged
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=fdcabfd035.bd5da096f3ea1"
Content-Transfer-Encoding: 7bit


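An added example, not part of the thread, that applies the header check CSShawn and jochenWolters describe to the message pio1 pasted above: parse the Received line, compare the HELO name and the reverse DNS against the domain in the From: line, and look for sendmail's "(may be forged)" marker, which it adds when the connecting host's reverse DNS does not resolve back to the same address. The sample message is reassembled from the headers quoted above (Return-Path, Message-ID and the multipart Content-Type are left out because their values are blank or irrelevant here, and the body is a constructed stand-in); the clean control message and the registered-domain helper (last two labels, no public-suffix list) are assumptions for the example.

```python
import email
import re
from email.utils import parseaddr

# Sample message reassembled from the headers quoted in the comment above.
# The body line is a constructed stand-in for the original attachment.
SAMPLE_MESSAGE = """\
Received: from jlsqip.gov (69.63.65-97.swazi.net [69.63.65.97] (may be forged))
\tby mail17.mymailserver (8.12.11/8.12.11) with SMTP id jANEhxkX026105;
\tThu, 24 Nov 2005 01:44:05 +1100
From: Admin@fbi.gov
To: xxxx
Date: Wed, 23 Nov 2005 14:40:28 GMT
Subject: Your_IP_was_logged

Dear Sir/Madam, (constructed body)
"""

# Constructed control message: HELO name and reverse DNS agree with the sender.
CLEAN_MESSAGE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mail17.mymailserver (8.12.11/8.12.11) with SMTP id constructed0001;
\tThu, 24 Nov 2005 02:00:00 +1100
From: friend@example.net
To: xxxx
Subject: hello

constructed body
"""

# Matches the sendmail-style "from HELO (rDNS [ip] (may be forged))" clause.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]"
    r"(?P<forged>\s+\(may be forged\))?\)"
)


def registered_domain(host):
    """Last two labels of a host name. A simplification (no public-suffix list)
    that is enough to compare jlsqip.gov and swazi.net against fbi.gov."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_received(value):
    """Return the HELO name, reverse DNS, IP and forged flag of one Received
    header, or None if it is not in the sendmail form handled here."""
    # Folded continuation lines are collapsed to single spaces first.
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None
    hop = m.groupdict()
    hop["forged"] = hop["forged"] is not None
    return hop


def analyse(raw):
    """List the header indicators that the message did not originate from the
    domain claimed in its From: line."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    findings = []
    for value in msg.get_all("Received") or []:
        hop = parse_received(value)
        if hop is None:
            continue
        if hop["forged"]:
            findings.append("sendmail marked the reverse DNS of %s as possibly forged" % hop["ip"])
        if registered_domain(hop["helo"]) != sender_domain:
            findings.append("HELO name %s is not in sender domain %s" % (hop["helo"], sender_domain))
        if registered_domain(hop["rdns"]) != sender_domain:
            findings.append("reverse DNS %s is not in sender domain %s" % (hop["rdns"], sender_domain))
    return findings


if __name__ == "__main__":
    for line in analyse(SAMPLE_MESSAGE):
        print(line)
```

Only the Received line added by your own mail server (the topmost one) can be trusted; anything below it was written by the sender and can say whatever it likes, which is why the check compares the connecting host against the From: domain rather than believing any header on its own.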
sjk
2005-11-24 12:48:26
Interesting
At the time my wife got one of those FBI spams a couple years ago I doubt she'd even browsed to more than a dozen sites. That all changed after 1) I gave her a Mac, and 2) she discovered the power of Google.