Looks like Real msg. from MS, but is real dirty

Discussion in 'Security Software' started by Sherry Rosen, Sep 20, 2003.

  1. Sherry Rosen

    Sherry Rosen Guest

    It looks like a real msg. from MS, but my server caught
    the virus and deleted it. I copied and pasted the entire
    header from "details" in my Outlook. The visible address
    says it is from updates_ms.net but, at the top, it says
    . I don't know if I am reading this
    right, but I assume it originated from this guy! This is
    so vicious; I am hoping that by publishing this, someone will
    take steps to stop him. The following is the full "header."


    Return-path: <>
    Received: from ms-mta-01.socal.rr.com (ms-mta-01-smtp.socal.rr.com [10.10.4.125]) by ms-mss-03.socal.rr.com (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003)) with ESMTP id <> for srosen@ims-ms-daemon; Fri, 19 Sep 2003 22:28:50 -0700 (PDT)
    Received: from lamx01.mgw.rr.com (lamx01.mgw.rr.com [66.75.160.12]) by ms-mta-01.socal.rr.com (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003)) with ESMTP id <> for (ORCPT ); Fri, 19 Sep 2003 22:06:22 -0700 (PDT)
    Received: from mta01ps.bigpond.com (mta01ps.bigpond.com [144.135.25.155]) by lamx01.mgw.rr.com (8.12.8p1/8.12.8) with ESMTP id h8K5SjLW014184 for <>; Sat, 20 Sep 2003 01:28:46 -0400 (EDT)
    Received: from lhfldxc ([144.135.25.81]) by mta01ps.email.bigpond.com (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18 2003)) with SMTP id <> for ; Sat, 20 Sep 2003 15:27:47 +1000 (EST)
    Received: from wopr-p-144-134-27-237.prem.tmns.net.au ([144.134.27.237]) by psmam05.bigpond.com(MAM REL_3_3_2d 101/24475819); Sat, 20 Sep 2003 15:27:02 +0000
    Date: Sat, 20 Sep 2003 15:27:04 +1000 (EST)
    Date-warning: Date header was inserted by mta01ps.email.bigpond.com
    From: Microsoft Corporation Technical Support <tktktmh@updates_ms.net>
    Subject: Last Network Security Patch
    To: "Partner" <>
    Message-id: <>
    MIME-version: 1.0
    Content-type: multipart/mixed; boundary="Boundary_(ID_3rZcwS9uiBWYlAUM1ED0xA)"
    X-Virus-Scanned: Symantec AntiVirus Scan Engine
    X-Virus-Scan-Result: Repaired 42036 Worm.Automat.AHB
    Original-recipient: rfc822;
    Sherry Rosen, Sep 20, 2003
    #1
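To see what the pasted header actually says about where the message entered the mail system, here is an added example (not code from the original post or from any of the repliers) that feeds the header block above to Python's standard email module, walks the Received chain from the bottom (oldest hop) to the top, and compares the delivery path with the domain in the From line. The header text is copied from the post, refolded one header per line, with the addresses the forum stripped to "<>" left as they appear; the check names and the ideas behind them are this example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The header block from the post above, refolded one header per line with
# RFC 2822 continuation indents.  Addresses the forum stripped to "<>" are
# left as they appear.
RAW_HEADERS = """\
Return-path: <>
Received: from ms-mta-01.socal.rr.com (ms-mta-01-smtp.socal.rr.com [10.10.4.125])
 by ms-mss-03.socal.rr.com (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
 with ESMTP id <> for srosen@ims-ms-daemon; Fri, 19 Sep 2003 22:28:50 -0700 (PDT)
Received: from lamx01.mgw.rr.com (lamx01.mgw.rr.com [66.75.160.12])
 by ms-mta-01.socal.rr.com (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
 with ESMTP id <> for (ORCPT ); Fri, 19 Sep 2003 22:06:22 -0700 (PDT)
Received: from mta01ps.bigpond.com (mta01ps.bigpond.com [144.135.25.155])
 by lamx01.mgw.rr.com (8.12.8p1/8.12.8) with ESMTP id h8K5SjLW014184
 for <>; Sat, 20 Sep 2003 01:28:46 -0400 (EDT)
Received: from lhfldxc ([144.135.25.81]) by mta01ps.email.bigpond.com
 (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18 2003))
 with SMTP id <> for ; Sat, 20 Sep 2003 15:27:47 +1000 (EST)
Received: from wopr-p-144-134-27-237.prem.tmns.net.au ([144.134.27.237])
 by psmam05.bigpond.com(MAM REL_3_3_2d 101/24475819); Sat, 20 Sep 2003 15:27:02 +0000
Date: Sat, 20 Sep 2003 15:27:04 +1000 (EST)
Date-warning: Date header was inserted by mta01ps.email.bigpond.com
From: Microsoft Corporation Technical Support <tktktmh@updates_ms.net>
Subject: Last Network Security Patch
To: "Partner" <>
Message-id: <>
X-Virus-Scan-Result: Repaired 42036 Worm.Automat.AHB

"""

# "from <host> (<helo/ip info>) by <host>" is the part of a Received line
# that identifies one hop; anything after "by <host>" is ignored here.
HOP_RE = re.compile(r"\bfrom\s+(\S+)\s*(?:\(([^)]*)\))?\s+by\s+([^\s(]+)")
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def received_chain(raw):
    """Hops as (sending host, sender info, receiving host), oldest first.

    Each MTA prepends its own Received line, so the bottom line is the
    first hop the mail system saw and the top line is the last.
    """
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold, squeeze spaces
        if m:
            hops.append((m.group(1), m.group(2) or "", m.group(3)))
    return hops


def from_domain(raw):
    """Domain part of the (unverified) From: header."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def valid_hostname(name):
    """RFC 1123 host labels: letters, digits, hyphen; no underscore."""
    return all(LABEL_RE.match(lbl) for lbl in name.lower().split("."))


def assess(raw):
    """Summarise origin versus claimed sender for a raw header block."""
    hops = received_chain(raw)
    origin_host, origin_info, _ = hops[0]
    ip = IPV4_RE.search(origin_info)
    dom = from_domain(raw)
    msg = message_from_string(raw)
    path = " ".join(" ".join(h) for h in hops).lower()
    return {
        "hops": len(hops),
        "origin_host": origin_host,
        "origin_ip": ip.group(1) if ip else None,
        "from_domain": dom,
        # A vendor mailing from its own infrastructure would normally show
        # its domain on at least one hop; a harvested/spoofed From does not.
        "from_domain_in_path": dom in path,
        "valid_from_domain": valid_hostname(dom),
        # "<>" is the null envelope sender used for bounces; a genuine
        # notification has a real envelope sender.
        "null_return_path": msg.get("Return-path", "").strip() == "<>",
        # The receiving MTA had to add Date:, so the sending software never
        # wrote one, which a normal mail client always does.
        "date_added_by_mta": msg.get("Date-warning") is not None,
    }


if __name__ == "__main__":
    for key, value in assess(RAW_HEADERS).items():
        print("%-21s %s" % (key, value))
```

Two caveats when reading a chain like this. Only the Received lines added by relays you trust are reliable; a sender can forge any lines below the first trusted hop, so read from your own MTA's line downward and stop trusting once the path leaves infrastructure you know. And the From line is not checked by SMTP at all, so a domain that never appears in the path, contains a character no hostname may contain, and arrives with a null envelope sender says nothing about who the sender is, only that the sender wanted it to look like a vendor.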

  2. read

    read Guest

    Read, read, read some of the other posts on this site here.
    Do not open the attachment.
    Do not even open the email.
    Send the email to the delete folder.
    Purge the delete folder.
     
    read, Sep 20, 2003
    #2

  3. Richard Mueller

    Hi,

    The address is probably spoofed. The virus "harvested" the
    address and sends infected messages as if they came from
    the address you see.

    It's the W32.Swen virus. Microsoft info:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/swen.asp

    Symantec Info:
    http://securityresponse.symantec.com/avcenter/venc/data/w32


    Two types of messages are infected:

    1. Spoofed Microsoft update or patch messages with *.exe
    attachment.
    2. Mail delivery failure notices. These don't appear to
    have an attachment, but have html source code that
    attempts to download or run a script. They are infected.

    The latest Norton AntiVirus signature file does not
    recognize this virus. Download the beta signature file at
    this link, which does recognize it.

    ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/beta/symcbetadefsi32.exe

    Richard
    Microsoft MVP Scripting and ADSI
     
    Richard Mueller, Sep 20, 2003
    #3
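As an added illustration of the two lure types Richard lists (this is not code from the original thread, nor from Microsoft or Symantec), the following Python builds two constructed sample messages in the shapes described, a fake vendor patch mail carrying an .exe attachment and a fake delivery-failure notice with no attachment but active content in its HTML, and runs a small triage over them with the standard email module. The addresses, file name and HTML are made up for the example; the list of executable extensions is wider than the .exe the post mentions, which is this example's own generalization.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Extensions Windows runs directly when double-clicked.  The post mentions
# *.exe; the rest are this example's generalization.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")
# Tags that load or run something as soon as an HTML mail is rendered.
ACTIVE_HTML = re.compile(r"<\s*(script|iframe|object|embed|applet)\b", re.I)


def triage(raw):
    """Return the reasons a raw RFC 822 message should not be opened."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        fname = (part.get_filename() or "").lower()
        if fname.endswith(EXEC_EXT):
            findings.append("executable attachment: " + fname)
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "latin-1"
            body = part.get_payload(decode=True).decode(charset, "replace")
            tags = {m.group(1).lower() for m in ACTIVE_HTML.finditer(body)}
            findings.extend("active html tag: <%s>" % t for t in sorted(tags))
    return findings


# --- constructed samples (made up for this example) ------------------------

def build_patch_lure():
    """Type 1: spoofed vendor patch mail with an .exe attachment."""
    m = EmailMessage()
    m["From"] = "Microsoft Corporation Technical Support <tktktmh@updates_ms.net>"
    m["To"] = "Partner <partner@example.com>"
    m["Subject"] = "Last Network Security Patch"
    m.set_content("Install the attached patch to secure your network.")
    # A few bytes with a DOS "MZ" header stand in for the worm binary.
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 28, maintype="application",
                     subtype="octet-stream", filename="patch.exe")
    return m.as_string()


def build_bounce_lure():
    """Type 2: fake delivery-failure notice; no attachment, active HTML."""
    m = EmailMessage()
    m["From"] = "Mail Delivery Subsystem <postmaster@example.net>"
    m["To"] = "partner@example.com"
    m["Subject"] = "Returned mail: User unknown"
    m.set_content("Your message could not be delivered.")
    m.add_alternative(
        '<html><body>Your message could not be delivered.'
        '<iframe src="cid:part1" width="0" height="0"></iframe>'
        '<script>window.open("cid:part1")</script></body></html>',
        subtype="html")
    return m.as_string()


def build_plain_mail():
    """A harmless plain-text message, for contrast."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "partner@example.com"
    m["Subject"] = "lunch?"
    m.set_content("Noon at the usual place.")
    return m.as_string()


if __name__ == "__main__":
    for name, build in (("patch lure", build_patch_lure),
                        ("bounce lure", build_bounce_lure),
                        ("plain mail", build_plain_mail)):
        print(name, "->", triage(build()) or ["nothing flagged"])
```

The point of the second sample is the one Richard makes: a message with no attachment is not automatically safe, because a mail client that renders HTML will act on the markup as soon as the message is previewed. Triage like this is a coarse filter, not a substitute for current signatures; it flags shape, not the worm itself.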
